Bug #3164

closed

Graceful restart starts sending 400 Bad Request for SSL connection handshake

Added by oldium over 1 year ago. Updated over 1 year ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:
No

Description

When SIGUSR1 is sent to lighttpd service, it starts sending 400 Bad Request.

Test case:

  1. Start lighttpd.
  2. Verify it is running by sending HTTPS request.
  3. Send SIGUSR1 to lighttpd process.
  4. Check HTTPS request.

You will see the following in the log:

2022-07-26 13:48:00: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:09: (../src/server.c.1019) [note] graceful shutdown started
2022-07-26 13:48:13: (../src/server.c.2097) server stopped by UID = 0 PID = 1
2022-07-26 13:48:13: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:13: (../src/connections.c.716) unexpected TLS ClientHello on clear port (10.xx.xx.xx)
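Steps 2 and 4 of the test case above can be run without a browser. The probe below is an added example, not code from the report or from lighttpd: it sends a constructed minimal TLS ClientHello to each listed socket and reports whether the reply is a TLS record or the plaintext HTTP response seen after SIGUSR1. The host:port arguments and the offered cipher list are assumptions of the example.

```python
import os
import socket
import struct
import sys

# Constructed minimal TLS 1.2 ClientHello (no extensions, no SNI). Only the record
# type of the reply matters, so a ServerHello or a TLS alert both count as "TLS".
def build_client_hello() -> bytes:
    # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, AES128-GCM-SHA256
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c"
    body = (b"\x03\x03" + os.urandom(32)              # client_version, random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(reply: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if not reply:
        return "closed"
    if len(reply) >= 2 and reply[0] in (0x15, 0x16) and reply[1] == 0x03:
        return "tls"                 # alert or handshake record: the port speaks TLS
    if reply.startswith(b"HTTP/"):
        return "cleartext-http"      # the 400 Bad Request symptom from the report
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            reply = s.recv(512)
    except OSError:                  # reset, timeout or refused: no usable reply
        return "closed"
    return classify(reply)

if __name__ == "__main__":
    # usage: probe.py 10.84.1.1:443 [::1]:443 ...  (run before and after the reload)
    for arg in sys.argv[1:]:
        host, _, port = arg.rpartition(":")
        print(f"{arg}: {probe(host.strip('[]'), int(port))}")
```

A healthy TLS socket reports "tls" both before and after the reload; "cleartext-http" after SIGUSR1 reproduces the bug described in the report.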

Files

001-network-server-init.patch (477 Bytes) - oldium, 2022-07-29 10:00
Actions #1

Updated by gstrauss over 1 year ago

  • Status changed from New to Need Feedback

Insufficient info. Not able to reproduce.
Please read How to get support

Actions #2

Updated by oldium over 1 year ago

Here is the version info:

Current OpenWrt from Git master.

#> lighttpd -v
lighttpd/1.4.65 (ssl) - a light and fast webserver

Configuration: https://paste.lighttpd.net/EA#0hcRL8Ny5KcxPL78d5bkHg2l

Client used for testing: Microsoft Edge, Chrome.

Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.

Actions #3

Updated by oldium over 1 year ago

This is a relatively new issue. I do builds from time to time (once or twice a month), and I started experiencing it a few builds back. So I think this is new to 1.4.65. Might be related to https://github.com/lighttpd/lighttpd1.4/commit/da8025fb3075397a2c3edea08cdc5b8c5a624896 (just a wild guess).

Actions #4

Updated by gstrauss over 1 year ago

> Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.

Your config has four (4) $SERVER["socket"] with ssl.engine = "enable". On which socket(s) and port(s) did you see the issue?

Actions #5

Updated by oldium over 1 year ago

All four (4) sockets are affected, ipv4 and also ipv6. lighttpd starts communicating plain-text over all 4 sockets. Verified with wget on all 4 addresses - before and after SIGUSR1 (I am using /etc/init.d/lighttpd reload).

Before:

wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
(null)                   0   - stalled -
Connection reset prematurely

After SIGUSR1:

wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
Writing to 'index.html'
index.html           100% |*******************************|   672   0:00:00 ETA
Download completed (672 bytes)

Actions #6

Updated by gstrauss over 1 year ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.xx to 1.4.66

I missed annotating an early return in network_server_init().

--- a/src/network.c
+++ b/src/network.c
@@ -376,6 +376,10 @@ static int network_server_init(server *srv, const network_socket_config *s, buff
         *  binary addresses are matched further below) */
        for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) {
                if (buffer_is_equal(srv->srv_sockets.ptr[i]->srv_token, host_token)) {
+                       if ((unsigned short)~0u == srv->srv_sockets.ptr[i]->sidx) {
+                               srv->srv_sockets.ptr[i]->sidx = sidx;
+                               srv->srv_sockets.ptr[i]->is_ssl = s->ssl_enabled;
+                       }
                        return 0;
                }
        }
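Review bot: the sentinel `(unsigned short)~0u` that gates the new block is undocumented at the point of use; a one-line comment stating that a matching srv_token entry whose sidx is still ~0u is a listener carried over from the previous instance that has not yet been bound to a $SERVER["socket"] block would make the intent clear to the next reader. The guard itself looks right: without it the early `return 0;` left sidx and is_ssl at their carried-over defaults, so the reused listener was handled as a clear port (the "unexpected TLS ClientHello on clear port" line in the report), and writing is_ssl only while sidx is unset keeps the first matching config block authoritative instead of letting a later duplicate token overwrite it.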

Actions #7

Updated by oldium over 1 year ago

Your patch indeed fixes the problem. Verified on OpenWrt master by manually adding the patch to the lighttpd package - attached. Calling /etc/init.d/lighttpd reload no longer switches the socket to plain text.

Actions #8

Updated by gstrauss over 1 year ago

  • Status changed from Patch Pending to Fixed