Bug #3164


Graceful restart starts sending 400 Bad Request for SSL connection handshake

Added by oldium 22 days ago. Updated 16 days ago.

Target version:


When SIGUSR1 is sent to the lighttpd service, it starts sending 400 Bad Request.

Test case:

  1. Start lighttpd.
  2. Verify it is running by sending an HTTPS request.
  3. Send SIGUSR1 to the lighttpd process.
  4. Check HTTPS request.

You will see the following in the log:

2022-07-26 13:48:00: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:09: (../src/server.c.1019) [note] graceful shutdown started
2022-07-26 13:48:13: (../src/server.c.2097) server stopped by UID = 0 PID = 1
2022-07-26 13:48:13: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:13: (../src/connections.c.716) unexpected TLS ClientHello on clear port (10.xx.xx.xx)


001-network-server-init.patch (477 Bytes) oldium, 2022-07-29 10:00
Actions #1

Updated by gstrauss 22 days ago

  • Status changed from New to Need Feedback

Insufficient info. Not able to reproduce.
Please read How to get support

Actions #2

Updated by oldium 21 days ago

Here is the version info:

Current OpenWrt from Git master.

#> lighttpd -v
lighttpd/1.4.65 (ssl) - a light and fast webserver


Client used for testing: Microsoft Edge, Chrome.

Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.

Actions #3

Updated by oldium 21 days ago

This is a relatively new issue. I do builds from time to time (once or twice a month), and I started experiencing it a few builds back. So I think this is new to 1.4.65. Might be related to (just a wild guess).

Actions #4

Updated by gstrauss 21 days ago

> Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.

Your config has four (4) $SERVER["socket"] with ssl.engine = "enable". On which socket(s) and port(s) did you see the issue?

Actions #5

Updated by oldium 20 days ago

All four (4) sockets are affected, ipv4 and also ipv6. lighttpd starts communicating plain-text over all 4 sockets. Verified with wget on all 4 addresses - before and after SIGUSR1 (I am using /etc/init.d/lighttpd reload).


Downloading ''
Connecting to
(null)                   0   - stalled -
Connection reset prematurely

After SIGUSR1:

Downloading ''
Connecting to
Writing to 'index.html'
index.html           100% |*******************************|   672   0:00:00 ETA
Download completed (672 bytes)
Actions #6

Updated by gstrauss 20 days ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.xx to 1.4.66

I missed annotating an early return in network_server_init()

--- a/src/network.c
+++ b/src/network.c
@@ -376,6 +376,10 @@ static int network_server_init(server *srv, const network_socket_config *s, buff
         *  binary addresses are matched further below) */
        for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) {
                if (buffer_is_equal(srv->srv_sockets.ptr[i]->srv_token, host_token)) {
+                       if ((unsigned short)~0u == srv->srv_sockets.ptr[i]->sidx) {
+                               srv->srv_sockets.ptr[i]->sidx = sidx;
+                               srv->srv_sockets.ptr[i]->is_ssl = s->ssl_enabled;
+                       }
                        return 0;
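
Review bot: The sentinel `(unsigned short)~0u` in the added `if` is an unexplained magic value, and nothing in the hunk says why a socket already present in `srv->srv_sockets` can still have an unassigned `sidx`. A named constant, or a one-line comment stating that such entries have no config index or `is_ssl` flag until they are matched here, would make the early `return 0;` path self-documenting. Also, when `sidx` is already set the branch returns without comparing `is_ssl` against `s->ssl_enabled`; if a mismatch cannot occur at that point, a comment saying so would help the next reader.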

Actions #7

Updated by oldium 19 days ago

Your patch indeed fixes the problem. Verified on OpenWrt master by manually adding the patch to the lighttpd package - attached. Calling /etc/init.d/lighttpd reload no longer switches the socket to plain text.

Actions #8

Updated by gstrauss 16 days ago

  • Status changed from Patch Pending to Fixed
