Release Info¶

• Version: 1.4.75
• Previous version: 1.4.74
• Branch: 1.4
• Status: stable
• Release Purpose: bug fixes
• Release manager: gstrauss
• Released date: 2024-03-13

Important changes from 1.4.74¶

incrementally stronger TLS cipher defaults; bugs fixes

Downloads¶

• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz.asc
  • SHA256: 283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz.asc
  • SHA256: 8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6
• SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha256sum
• SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha512sum

Behavior Changes (previously announced)¶

• TLS cipher defaults have been incrementally updated to stronger defaults
  New defaults are forward-secret and support authenticated encryption (AEAD)
  New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
  Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
  Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
  (and supported clients, i.e. those which have not already reached end-of-life).
  Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
• mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
  changed from 301 Moved Permanently to 308 Permanent Redirect
  (only if url.redirect is not explicitly set in lighttpd.conf)
  RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
  (published almost 9 years ago)

Future Scheduled Behavior Changes (2025)¶

• lighttpd TLS defaults will change to MinProtocol TLSv1.3
  Other configurations will still be supported, but will not be the default.
  Proposed default: MinProtocol TLSv1.3
  Current default: MinProtocol TLSv1.2
• server.error-handler-404 will operate only on 404
  (historical error: server.error-handler-404 operated on both 404 and 403)
  Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
  to produce dynamic error pages for 4xx and 5xx responses.
  Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
  is an additional, high performance mechanism to produce dynamic error pages.
  https://wiki.lighttpd.net/mod_magnet

Changes from 1.4.74¶

• [mod_redirect] url.redirect-code = 308 new default
• [ls-hpack] more portability fixes for sys/queue.h
• [ls-hpack] update version to 2.3.3
• [TLS] default to stronger ciphers w/ PFS and AEAD
• [ci] apt-get install build-essential on Ubuntu
• [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
• [mod_authn_sasl] translate SASL_LOG_* to syslog
• [build] include src/compat/sys/queue.h in tarball
• [core] fdlog_openlog(), fdlog_closelog()
• [mod_accesslog] fdlog_openlog() if using syslog
• [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
• [ci] limit github ci to specific branches
• [ci] prefer non-login shell for Cygwin CI build
• [ci] prefer dash for Cygwin and MSYS2 builds
• [mod_wstunnel] fix server.ping-interval w/ HTTP/2
• [mod_dirlisting] fix suffix display of '/' on file (fixes #3242)
• [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
• [mod_openssl] faster ASN1_TIME parse
• [mod_wolfssl] faster ASN1_TIME parse
• [doc] update TLS comment in sample lighttpd.conf

External references¶

• https://www.lighttpd.net/2024/3/13/1.4.75