Bug #3164
Graceful restart starts sending 400 Bad Request for SSL connection handshake
Status: closed
Description
When SIGUSR1 is sent to the lighttpd service, it starts sending 400 Bad Request.
Test case:
- Start lighttpd.
- Verify it is running by sending an HTTPS request.
- Send SIGUSR1 to lighttpd process.
- Check the HTTPS request.
You will see the following in the log:
2022-07-26 13:48:00: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:09: (../src/server.c.1019) [note] graceful shutdown started
2022-07-26 13:48:13: (../src/server.c.2097) server stopped by UID = 0 PID = 1
2022-07-26 13:48:13: (../src/server.c.1588) server started (lighttpd/1.4.65)
2022-07-26 13:48:13: (../src/connections.c.716) unexpected TLS ClientHello on clear port (10.xx.xx.xx)
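The test case above is easiest to automate with a probe that speaks the first TLS message itself and then looks at what comes back: a server that still treats the port as TLS answers with a TLS record (ServerHello or alert), while a server that has fallen back to cleartext, as in this report, answers the ClientHello with a plaintext "HTTP/1.x 400" status line. The following script is an added example and not code from lighttpd or from the reporter; the host, port and SNI name are command-line arguments, and the short cipher-suite list is an arbitrary choice for the probe.

```python
import os
import socket
import struct
import sys

# Cipher suites offered by the probe (an arbitrary choice: TLS 1.2 ECDHE/RSA
# AES-GCM plus two RSA-kx fallbacks). Any server that speaks TLS on the port
# answers with a TLS record (ServerHello or alert); one that has fallen back
# to cleartext, as in this bug, answers with an HTTP/1.x 400 in the clear.
CIPHER_SUITES = (0xC02F, 0xC030, 0x002F, 0x0035)


def build_client_hello(server_name: str) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension server_name(0)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a server sent back in response to a ClientHello."""
    if not reply:
        return "closed"  # peer closed or reset the connection without answering
    if len(reply) >= 3 and reply[1] == 0x03 and reply[0] in (0x16, 0x15):
        return "tls-handshake" if reply[0] == 0x16 else "tls-alert"
    if reply.startswith(b"HTTP/"):
        # A cleartext HTTP status line on a TLS port is the symptom from the report.
        parts = reply.split(b" ", 2)
        status = parts[1].decode("ascii", "replace") if len(parts) > 1 else "?"
        return "plaintext-http:" + status
    return "unknown"


def probe(host: str, port: int, server_name: str = "", timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what kind of reply came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Usage: python3 tls_probe.py 10.84.1.1 443 [sni-name]
    # Run once before and once after sending SIGUSR1 (kill -USR1 <pid>, or
    # /etc/init.d/lighttpd reload on OpenWrt). A result that changes from
    # "tls-handshake" to "plaintext-http:400" reproduces this bug.
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(probe(target_host, target_port, sys.argv[3] if len(sys.argv) > 3 else ""))
```

Running the probe against each ssl.engine = "enable" socket before and after the reload gives a deterministic pass/fail instead of reading wget output by eye, and the raw ClientHello avoids the client-side TLS library turning the 400 response into a generic "wrong version number" error.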
Updated by gstrauss over 2 years ago
- Status changed from New to Need Feedback
Insufficient info. Not able to reproduce.
Please read How to get support
Updated by oldium over 2 years ago
Here is the version info:
Current OpenWrt from Git master.
#> lighttpd -v
lighttpd/1.4.65 (ssl) - a light and fast webserver
Configuration: https://paste.lighttpd.net/EA#0hcRL8Ny5KcxPL78d5bkHg2l
Client used for testing: Microsoft Edge, Chrome.
Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.
Updated by oldium over 2 years ago
This is a relatively new issue; I do builds from time to time (once or twice a month), and I started experiencing it a few builds back. So I think this is new to 1.4.65. Might be related to https://github.com/lighttpd/lighttpd1.4/commit/da8025fb3075397a2c3edea08cdc5b8c5a624896 (just a wild guess).
Updated by gstrauss over 2 years ago
> Wireshark was used to verify that the SSL handshake by client is responded with 400 Bad Request plain text response by lighttpd.

Your config has four (4) $SERVER["socket"] with ssl.engine = "enable".
On which socket(s) and port(s) did you see the issue?
Updated by oldium over 2 years ago
All four (4) sockets are affected, ipv4 and also ipv6. lighttpd starts communicating plain-text over all 4 sockets. Verified with wget on all 4 addresses - before and after SIGUSR1 (I am using /etc/init.d/lighttpd reload).
Before:
wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
(null) 0 - stalled - Connection reset prematurely
After SIGUSR1:
wget http://10.84.1.1:443/
Downloading 'http://10.84.1.1:443/'
Connecting to 10.84.1.1:443
Writing to 'index.html'
index.html 100% |*******************************| 672 0:00:00 ETA
Download completed (672 bytes)
Updated by gstrauss over 2 years ago
- Status changed from Need Feedback to Patch Pending
- Target version changed from 1.4.xx to 1.4.66
I missed annotating an early return in network_server_init()
--- a/src/network.c +++ b/src/network.c @@ -376,6 +376,10 @@ static int network_server_init(server *srv, const network_socket_config *s, buff * binary addresses are matched further below) */ for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) { if (buffer_is_equal(srv->srv_sockets.ptr[i]->srv_token, host_token)) { + if ((unsigned short)~0u == srv->srv_sockets.ptr[i]->sidx) { + srv->srv_sockets.ptr[i]->sidx = sidx; + srv->srv_sockets.ptr[i]->is_ssl = s->ssl_enabled; + } return 0; } }
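Review bot: the sentinel `(unsigned short)~0u` in the new condition is an unexplained magic value; a one-line comment (or a named constant) stating that `sidx` still holds its unset value because this srv_socket was inherited across the graceful restart and registered before its $SERVER["socket"] block was processed would make the early-return path self-explanatory. Note also that the branch only copies `sidx` and `is_ssl` before `return 0`, and that a second block matching the same srv_token will find `sidx` already set and be skipped, so the first matching block wins; worth saying in the same comment so nobody later "fixes" the ordering.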
Updated by oldium over 2 years ago
Your patch indeed fixes the problem. Verified on OpenWrt master by manually adding the patch to the lighttpd package - attached. Calling /etc/init.d/lighttpd reload no longer switches the socket to plain text.
Updated by gstrauss over 2 years ago
- Status changed from Patch Pending to Fixed
Applied in changeset 93d646623026269c37a86f863f6b1faee708ee5a.