Release Info
- Version: 1.4.75
- Previous version: 1.4.74
- Branch: 1.4
- Status: stable
- Release Purpose: bug fixes
- Release manager: gstrauss
- Released date: 2024-03-13
Important changes from 1.4.74
incrementally stronger TLS cipher defaults; bug fixes
Downloads
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz.asc
- SHA256: 283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz.asc
- SHA256: 8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6
- SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha256sum
- SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha512sum
Behavior Changes (previously announced)
- TLS cipher defaults have been incrementally updated to stronger defaults
New defaults are forward-secret and support authenticated encryption (AEAD)
New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
- mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)
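To see what the cipher default change means on a given host, the two cipher strings quoted above can be expanded and compared. This is an added example, not part of the lighttpd release notes or code; it assumes the OpenSSL build that Python's ssl module is linked against (which may differ from the TLS library lighttpd uses), and the function names are illustrative.

```python
import ssl

# Cipher strings quoted in the release notes above.
NEW_DEFAULT = "EECDH+AESGCM:CHACHA20:!PSK:!DHE"
OLD_DEFAULT = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into {suite name: properties}.

    TLSv1.3 suites are skipped: OpenSSL configures them separately
    (Ciphersuites), so the cipher string does not select them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def not_ecdhe_aead(suites):
    """Names of suites that lack ECDHE key exchange or AEAD."""
    return sorted(name for name, c in suites.items()
                  if c["kea"] != "kx-ecdhe" or not c["aead"])


def audit():
    """Compare the old and new defaults as the local OpenSSL expands them."""
    new, old = expand(NEW_DEFAULT), expand(OLD_DEFAULT)
    return {
        "new": sorted(new),
        "dropped": sorted(set(old) - set(new)),   # only in the old defaults
        "added": sorted(set(new) - set(old)),     # only in the new defaults
        "new_not_ecdhe_aead": not_ecdhe_aead(new),
    }


if __name__ == "__main__":
    for key, names in audit().items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}")
```

A client that can only negotiate a suite listed under "dropped" will fail the TLS 1.2 handshake against the new defaults.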
Future Scheduled Behavior Changes (2025)
- lighttpd TLS defaults will change to MinProtocol TLSv1.3
Other configurations will still be supported, but will not be the default.
Proposed default: MinProtocol TLSv1.3
Current default: MinProtocol TLSv1.2
- server.error-handler-404 will operate only on 404
(historical error: server.error-handler-404 operated on both 404 and 403)
Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
to produce dynamic error pages for 4xx and 5xx responses.
Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
is an additional, high performance mechanism to produce dynamic error pages.
https://wiki.lighttpd.net/mod_magnet
Changes from 1.4.74
- [mod_redirect] url.redirect-code = 308 new default
- [ls-hpack] more portability fixes for sys/queue.h
- [ls-hpack] update version to 2.3.3
- [TLS] default to stronger ciphers w/ PFS and AEAD
- [ci] apt-get install build-essential on Ubuntu
- [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
- [mod_authn_sasl] translate SASL_LOG_* to syslog
- [build] include src/compat/sys/queue.h in tarball
- [core] fdlog_openlog(), fdlog_closelog()
- [mod_accesslog] fdlog_openlog() if using syslog
- [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
- [ci] limit github ci to specific branches
- [ci] prefer non-login shell for Cygwin CI build
- [ci] prefer dash for Cygwin and MSYS2 builds
- [mod_wstunnel] fix server.ping-interval w/ HTTP/2
- [mod_dirlisting] fix suffix display of '/' on file (fixes #3242)
- [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
- [mod_openssl] faster ASN1_TIME parse
- [mod_wolfssl] faster ASN1_TIME parse
- [doc] update TLS comment in sample lighttpd.conf
Updated by gstrauss 8 months ago · 1 revisions