
Bug #3164

closed

Graceful restart starts sending 400 Bad Request for SSL connection handshake

Added by oldium 22 days ago. Updated 16 days ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
No

Description

When SIGUSR1 is sent to the lighttpd service, it starts sending 400 Bad Request.

Test case:

  1. Start lighttpd.
  2. Verify it is running by sending an HTTPS request.
  3. Send SIGUSR1 to the lighttpd process.
  4. Check the HTTPS request.

You will see in log the following:

2022-07-26 13:48:00: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:09: (../src/server.c.1019) [note] graceful shutdown started
2022-07-26 13:48:13: (../src/server.c.2097) server stopped by UID = 0 PID = 1
2022-07-26 13:48:13: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:13: (../src/connections.c.716) unexpected TLS ClientHello on clear port (10.xx.xx.xx)
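A verification script for the test case above, added here as an example and not part of the ticket or of lighttpd: it sends a real ClientHello to a port and reports whether the answer is TLS or the plain-text 400 Bad Request this ticket describes, so the check can be run before and after a reload. The `start_fake_server` helper and the two reply constants are constructed stand-ins so the probe can be demonstrated offline; the `sni` parameter is an assumption of this example.

```python
import socket
import ssl
import threading

# Constructed sample replies: what the broken (plain-text) TLS port in this
# ticket answers, and what a TLS-speaking server answers (here an alert record).
PLAINTEXT_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
TLS_ALERT_HANDSHAKE_FAILURE = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])


def client_hello(sni=None) -> bytes:
    """Serialize a genuine ClientHello with the ssl module's memory BIOs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()  # cannot complete: no ServerHello is available yet
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()  # the ClientHello record (first byte 0x16)


def probe_tls_port(host: str, port: int, sni=None, timeout: float = 3.0) -> str:
    """'tls' if the reply is a TLS record, 'plaintext-http' if it is an HTTP
    status line (the bug in this ticket), 'closed' if nothing came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(sni))
        try:
            reply = sock.recv(16)
        except OSError:  # reset or timed out
            return "closed"
    if not reply:
        return "closed"
    if reply[0] in (0x15, 0x16):  # TLS alert or handshake record type
        return "tls"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


def start_fake_server(reply: bytes) -> int:
    """Constructed local stand-in for lighttpd: answers the first bytes with reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real host, `probe_tls_port("10.84.1.1", 443, sni="your.name")` returning `plaintext-http` after a reload is the condition this ticket reports.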

Files

001-network-server-init.patch (477 Bytes) oldium, 2022-07-29 10:00
Actions #1

Updated by gstrauss 22 days ago

  • Status changed from New to Need Feedback

Insufficient info. Not able to reproduce.
Please read How to get support

Actions #2

Updated by oldium 21 days ago

Here is the version info:

Current OpenWrt from Git master.

#> lighttpd -v
lighttpd/1.4.65 (ssl) - a light and fast webserver

Configuration: https://paste.lighttpd.net/EA#0hcRL8Ny5KcxPL78d5bkHg2l

Client used for testing: Microsoft Edge, Chrome.

Wireshark was used to verify that lighttpd responds to the client's SSL handshake with a plain-text 400 Bad Request response.

Actions #3

Updated by oldium 21 days ago

This is a relatively new issue; I do builds from time to time (once or twice a month), and I started experiencing it a few builds back. So I think this is new to 1.4.65. Might be related to https://github.com/lighttpd/lighttpd1.4/commit/da8025fb3075397a2c3edea08cdc5b8c5a624896 (just a wild guess).

Actions #4

Updated by gstrauss 21 days ago

Wireshark was used to verify that lighttpd responds to the client's SSL handshake with a plain-text 400 Bad Request response.

Your config has four (4) $SERVER["socket"] with ssl.engine = "enable". On which socket(s) and port(s) did you see the issue?

Actions #5

Updated by oldium 20 days ago

All four (4) sockets are affected, ipv4 and also ipv6. lighttpd starts communicating plain-text over all 4 sockets. Verified with wget on all 4 addresses - before and after SIGUSR1 (I am using /etc/init.d/lighttpd reload).

Before:

wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
(null)                   0   - stalled -
Connection reset prematurely

After SIGUSR1:

wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
Writing to 'index.html'
index.html           100% |*******************************|   672   0:00:00 ETA
Download completed (672 bytes)

Actions #6

Updated by gstrauss 20 days ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.xx to 1.4.66

I missed annotating an early return in network_server_init().

--- a/src/network.c
+++ b/src/network.c
@@ -376,6 +376,10 @@ static int network_server_init(server *srv, const network_socket_config *s, buff
         *  binary addresses are matched further below) */
        for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) {
                if (buffer_is_equal(srv->srv_sockets.ptr[i]->srv_token, host_token)) {
+                       if ((unsigned short)~0u == srv->srv_sockets.ptr[i]->sidx) {
+                               srv->srv_sockets.ptr[i]->sidx = sidx;
+                               srv->srv_sockets.ptr[i]->is_ssl = s->ssl_enabled;
+                       }
                        return 0;
                }
        }
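Review bot: the sentinel `(unsigned short)~0u` in the added `if` is an unexplained magic value; give it a name (a `#define` for the "not yet assigned to a `$SERVER["socket"]` block" state) and add a one-line comment that an already-registered socket reaching this early return is the graceful-restart case this ticket describes, since without it the reason `sidx` and `is_ssl` are filled in here is only recoverable from the ticket. It is also worth a comment that when `sidx` is already set, the duplicate `host_token` is still silently ignored by the unchanged `return 0;`, so a second `$SERVER["socket"]` block for the same address remains a no-op.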

Actions #7

Updated by oldium 19 days ago

Your patch indeed fixes the problem. Verified on OpenWrt master by manually adding the patch to the lighttpd package - attached. Calling /etc/init.d/lighttpd reload no longer switches the socket to plain text.

Actions #8

Updated by gstrauss 16 days ago

  • Status changed from Patch Pending to Fixed