Bug #83
document of nice and wonderful history of lighttpd :)
Status: closed
Description
For now, all the history I know about lighttpd is: she was founded at about "feb 2003". It would be wonderful to have a detailed history about her (possibly including the author, Jan). This would greatly attract newbies' interest and advance the number of lighttpd users. :)
-- Xuefer <xuefer
Added by gportay almost 8 years ago
Added by gstrauss almost 8 years ago
[mod_openssl] safer_X509_NAME_oneline() (fixes #2693)
provide a safer X509_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides the X509_NAME_oneline() function being deprecated, there was, until fairly recently, a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
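The commit above describes two properties of the replacement: snprintf()-style return semantics (the return value is the length the full output needs, so the caller can tell when the buffer was too small) and a single place that sets SSL_CLIENT_S_DN only after the certificate validated. The following is an added example, not lighttpd's or OpenSSL's code: it models that pattern with a constructed stand-in for an X509_NAME (a list of attribute type/value pairs with explicit lengths) so it runs without OpenSSL, and it adds the caller-side check that a practitioner wants, namely refusing to export a truncated DN. The `\xHH` escaping of non-printable bytes, delimiters and embedded NULs is an assumption about how to represent such values safely, not a claim about lighttpd's output format.

```c
/* Added example (not lighttpd code): bounded one-line DN formatting with
 * snprintf()-style return semantics, plus a caller that treats truncation
 * as an error instead of exporting a partial subject DN. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an X509_NAME: attribute type/value pairs.
 * Values carry an explicit length because certificate strings may
 * contain NUL or other non-printable bytes. */
struct dn_entry {
    const char *type;
    const unsigned char *value;
    size_t value_len;
};

/* Copy s[0..n) into buf at offset pos, never writing past buf[sz-2]
 * (buf[sz-1] is reserved for the NUL). Returns pos + n, i.e. the offset
 * the output would have reached without a bound. */
static size_t emit(char *buf, size_t sz, size_t pos, const char *s, size_t n)
{
    if (pos < sz) {
        size_t room = sz - 1 - pos;
        size_t k = n < room ? n : room;
        memcpy(buf + pos, s, k);
    }
    return pos + n;
}

/* Format dn[0..n) as "CN=client, O=Example, C=US".
 * Like snprintf(): writes at most sz-1 bytes plus a NUL and returns the
 * length the complete output needs (excluding the NUL), or -1 on invalid
 * arguments. Bytes outside printable ASCII, and the delimiters ',' '='
 * '\\', are escaped as \xHH so a crafted value cannot inject a fake
 * attribute or silently terminate the string. */
int dn_oneline(const struct dn_entry *dn, size_t n, char *buf, size_t sz)
{
    size_t pos = 0;
    if (buf == NULL || sz == 0) return -1;
    for (size_t i = 0; i < n; ++i) {
        if (i) pos = emit(buf, sz, pos, ", ", 2);
        pos = emit(buf, sz, pos, dn[i].type, strlen(dn[i].type));
        pos = emit(buf, sz, pos, "=", 1);
        for (size_t j = 0; j < dn[i].value_len; ++j) {
            unsigned char c = dn[i].value[j];
            if (c >= 0x20 && c < 0x7f && c != ',' && c != '=' && c != '\\') {
                pos = emit(buf, sz, pos, (const char *)&c, 1);
            } else {
                char esc[5];
                snprintf(esc, sizeof esc, "\\x%02X", (unsigned)c);
                pos = emit(buf, sz, pos, esc, 4);
            }
        }
    }
    /* terminate at the end of output, or at the truncation point */
    buf[pos < sz ? pos : sz - 1] = '\0';
    return pos > INT_MAX ? -1 : (int)pos;
}

/* Caller pattern: the DN is exported (e.g. into SSL_CLIENT_S_DN) only if
 * it fit completely. Returns 1 on success, 0 if formatting failed or the
 * result would have been truncated; out is then empty. */
int export_client_dn(const struct dn_entry *dn, size_t n, char *out, size_t outsz)
{
    int len = dn_oneline(dn, n, out, outsz);
    if (len < 0 || (size_t)len >= outsz) {
        if (outsz) out[0] = '\0';   /* never hand a partial DN downstream */
        return 0;
    }
    return 1;
}

/* Constructed sample subject with an embedded NUL in the CN. */
static const unsigned char sample_cn[] = "client\0evil";
static const struct dn_entry sample_dn[] = {
    { "CN", sample_cn, sizeof sample_cn - 1 },
    { "O",  (const unsigned char *)"Example", 7 },
    { "C",  (const unsigned char *)"US", 2 },
};
#define SAMPLE_N (sizeof sample_dn / sizeof sample_dn[0])

/* Format the sample subject into out; same return semantics as export_client_dn(). */
int sample_export(char *out, size_t outsz)
{
    return export_client_dn(sample_dn, SAMPLE_N, out, outsz);
}

int main(void)
{
    char big[128], small[16];
    printf("ok=%d dn=\"%s\"\n", sample_export(big, sizeof big), big);
    printf("ok=%d dn=\"%s\"\n", sample_export(small, sizeof small), small);
    return 0;
}
```

The first call succeeds and yields `CN=client\x00evil, O=Example, C=US` (34 bytes); the second reports failure because 34 does not fit in 16 bytes, and the buffer is cleared rather than left holding `CN=client\x00ev`, which an authorization rule matching on the DN prefix could otherwise accept.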
[mod_openssl] ignore client verification error if not enforced
ignore client verification error if not enforced
e.g. not ssl.verifyclient.enforce = "enable"
github: closes #83
x-ref:
"ignore client verification error if not enforced"
https://github.com/lighttpd/lighttpd1.4/pull/83
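The practical consequence of this commit is that, with verification activated but not enforced, a client presenting a missing or invalid certificate is still served, so the decision moves to whatever reads the SSL_CLIENT_* variables. The fragment below is an added configuration example, not taken from the commit or from lighttpd's documentation; the directive names are lighttpd 1.4 mod_openssl directives as I know them, and the file paths are assumptions.

```conf
# Added example (not from the lighttpd commit above). Paths are assumptions.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.ca-file = "/etc/lighttpd/client-ca.pem"   # CA that issues client certs

    # Ask the client for a certificate during the handshake.
    ssl.verifyclient.activate = "enable"

    # Permissive setting: after this change a missing or failed client
    # certificate no longer aborts the connection. The request is served and
    # the application must consult SSL_CLIENT_VERIFY itself; SSL_CLIENT_S_DN is
    # only set when the certificate validated, so an empty DN means "not verified".
    ssl.verifyclient.enforce  = "disable"

    # Strict alternative: refuse the TLS connection unless the client
    # certificate chains to ssl.ca-file within the configured depth.
    #ssl.verifyclient.enforce = "enable"
    #ssl.verifyclient.depth   = "1"
}
```

Use the permissive form only when a backend genuinely handles both verified and unverified clients (for example, to show a login page instead of a TLS failure); otherwise keep enforce enabled, because a backend that reads SSL_CLIENT_S_DN without first checking SSL_CLIENT_VERIFY will treat the unset variable as "anonymous" at best and, if it was relying on the old abort, has lost its only control.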