Project

General

Profile

Actions

Release Info

  • Version: 1.4.75
  • Previous version: 1.4.74
  • Branch: 1.4
  • Status: stable
  • Release Purpose: bug fixes
  • Release manager: gstrauss
  • Released date: 2024-03-13

Important changes from 1.4.74

incrementally stronger TLS cipher defaults; bugs fixes

Downloads

Behavior Changes (previously announced)

  • TLS cipher defaults have been incrementally updated to stronger defaults
    New defaults are forward-secret and support authenticated encryption (AEAD)
    New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
    Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
    Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
    (and supported clients, i.e. those which have not already reached end-of-life).
    Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
    changed from 301 Moved Permanently to 308 Permanent Redirect
    (only if url.redirect is not explicitly set in lighttpd.conf)
    RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
    (published almost 9 years ago)

Future Scheduled Behavior Changes (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3
    Other configurations will still be supported, but will not be the default.
    Proposed default: MinProtocol TLSv1.3
    Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404
    (historical error: server.error-handler-404 operated on both 404 and 403)
    Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
    to produce dynamic error pages for 4xx and 5xx responses.
    Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
    is an additional, high performance mechanism to produce dynamic error pages.
    https://wiki.lighttpd.net/mod_magnet

Changes from 1.4.74

  • [mod_redirect] url.redirect-code = 308 new default
  • [ls-hpack] more portability fixes for sys/queue.h
  • [ls-hpack] update version to 2.3.3
  • [TLS] default to stronger ciphers w/ PFS and AEAD
  • [ci] apt-get install build-essential on Ubuntu
  • [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
  • [mod_authn_sasl] translate SASL_LOG_* to syslog
  • [build] include src/compat/sys/queue.h in tarball
  • [core] fdlog_openlog(), fdlog_closelog()
  • [mod_accesslog] fdlog_openlog() if using syslog
  • [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
  • [ci] limit github ci to specific branches
  • [ci] prefer non-login shell for Cygwin CI build
  • [ci] prefer dash for Cygwin and MSYS2 builds
  • [mod_wstunnel] fix server.ping-interval w/ HTTP/2
  • [mod_dirlisting] fix suffix display of '/' on file (fixes #3242)
  • [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
  • [mod_openssl] faster ASN1_TIME parse
  • [mod_wolfssl] faster ASN1_TIME parse
  • [doc] update TLS comment in sample lighttpd.conf

External references

Updated by gstrauss 8 months ago · 1 revisions