Bug #2837 (closed): HTTPS requests time out when cert not set for socket
Description
No error is given at startup, and lighttpd times out on HTTPS requests with this config:
    $SERVER["socket"] == ":443" {
        $HTTP["host"] == "my.host.net" {
            ssl.engine = "enable"
            ssl.use-sslv2 = "disable"
            ssl.use-sslv3 = "disable"
            ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
            ssl.pemfile = "cert.pem"
            ssl.ca-file = "fullchain.pem"
        }
    }
It does NOT hang when a cert is set at the socket-level:
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "cert2.pem"
        ssl.ca-file = "fullchain2.pem"
        $HTTP["host"] == "my.host.net" {
            ssl.pemfile = "cert.pem"
            ssl.ca-file = "fullchain.pem"
        }
    }
I would expect an error to be printed at startup if the first configuration is invalid.
Updated by gstrauss about 7 years ago
Seems like some warnings are in order. More than a few ssl.* directives make sense only when configured on the $SERVER["socket"], including ssl.engine = "enable".
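The report above and the maintainer's comment both come down to one rule: ssl.engine = "enable" only takes effect at global scope or directly inside a $SERVER["socket"] block, and lighttpd (before the fix) silently accepted it elsewhere. The following is an added example, not code from lighttpd or from this ticket: a small configuration lint that applies that rule to a lighttpd.conf fragment, so a deployment pipeline can reject the broken layout before it reaches a server. It handles only the subset of the config syntax used on this page (quoted `key = "value"` assignments, `$COND["field"] == "value" {` blocks and `#` comments); the two sample configs are constructed from the ones in the report with the cipher and SSLv2/v3 lines dropped.

```python
"""
Added example (not from the lighttpd project or this ticket): flag
ssl.engine = "enable" when its innermost enclosing conditional is not
$SERVER["socket"], mirroring the scope rule the maintainer describes.
"""
import re

# Condition header, e.g.   $SERVER["socket"] == ":443" {
COND_RE = re.compile(r'\$(\w+)\["([^"]+)"\]\s*(==|!=|=~|!~)\s*"([^"]*)"\s*\{')
# Quoted assignment, e.g.   ssl.engine = "enable"
ASSIGN_RE = re.compile(r'([\w.-]+)\s*=\s*"([^"]*)"')


def tokenize(text):
    """Split the config into (kind, payload) tokens.
    kind is 'open' (condition start), 'close' ('}') or 'assign'."""
    tokens = []
    pos = 0
    while pos < len(text):
        ch = text[pos]
        if ch.isspace():
            pos += 1
            continue
        if ch == '}':
            tokens.append(('close', None))
            pos += 1
            continue
        if ch == '#':                      # comment runs to end of line
            nl = text.find('\n', pos)
            pos = len(text) if nl < 0 else nl + 1
            continue
        m = COND_RE.match(text, pos)
        if m:
            tokens.append(('open', (m.group(1), m.group(2), m.group(4))))
            pos = m.end()
            continue
        m = ASSIGN_RE.match(text, pos)
        if m:
            tokens.append(('assign', (m.group(1), m.group(2))))
            pos = m.end()
            continue
        raise ValueError(f"unsupported syntax at offset {pos}: {text[pos:pos + 20]!r}")
    return tokens


def lint_ssl_scope(text):
    """Return a list of (directive, enclosing condition) findings.
    Global scope and a direct $SERVER["socket"] block are accepted;
    any other innermost condition (e.g. $HTTP["host"]) is reported."""
    findings = []
    stack = []                              # enclosing (var, field, value)
    for kind, payload in tokenize(text):
        if kind == 'open':
            stack.append(payload)
        elif kind == 'close':
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, value = payload
            if key == "ssl.engine" and value == "enable" and stack:
                var, field, cond_value = stack[-1]
                if not (var == "SERVER" and field == "socket"):
                    findings.append((key, f'${var}["{field}"] == "{cond_value}"'))
    if stack:
        raise ValueError("unterminated conditional block")
    return findings


# Constructed samples, reduced from the two configs in the report.
BROKEN_CONF = '''
$SERVER["socket"] == ":443" {
    $HTTP["host"] == "my.host.net" {
        ssl.engine = "enable"
        ssl.pemfile = "cert.pem"
        ssl.ca-file = "fullchain.pem"
    }
}
'''

FIXED_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "cert2.pem"
    ssl.ca-file = "fullchain2.pem"
    $HTTP["host"] == "my.host.net" {
        ssl.pemfile = "cert.pem"
        ssl.ca-file = "fullchain.pem"
    }
}
'''

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for key, where in lint_ssl_scope(conf):
            print(f'{name}: {key} set under {where}; '
                  'only valid at global scope or in $SERVER["socket"]')
```

Run against the first config it reports the ssl.engine line under `$HTTP["host"] == "my.host.net"`; the second config produces no findings, which matches the behaviour observed in the report. The lint deliberately looks only at the innermost condition, because that is what decides which scope the directive is evaluated in; an ssl.engine under a $HTTP["host"] block is flagged even when that block is itself nested inside a $SERVER["socket"] block.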
Updated by gstrauss about 7 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.48
--- a/src/mod_openssl.c +++ b/src/mod_openssl.c @@ -989,6 +989,12 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults) } } } + + if (0 != i && s->ssl_enabled && config->comp != COMP_SERVER_SOCKET) { + log_error_write(srv, __FILE__, __LINE__, "s", + "ssl.engine valid is only in global scope " + "or $SERVER[\"socket\"] condition"); + } } if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;
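Review bot: the new block in mod_openssl_set_defaults only logs and then falls through to network_init_ssl, so the misconfiguration the reporter hit still starts the server; if a startup failure is intended (the reporter asked for an error), add `return HANDLER_ERROR;` after the log_error_write call, and if it is meant as a warning only, the message should say the directive is ignored in that scope. The message text also has its words out of order: "ssl.engine valid is only in global scope" should read "ssl.engine is only valid in global scope". Finally, the comment above notes that several ssl.* directives are socket-level only, but the check covers s->ssl_enabled alone; the other directives still go unreported.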
Updated by gstrauss about 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset bfef0907bd11f6d516b72bf510ddd3ecdeceb11a.