Project

General

Profile

1.4.68

closed

2023-01-03

100%

3 issues   (3 closed — 0 open)

Release Info

  • Version: 1.4.68
  • Previous version: 1.4.67
  • Branch: 1.4
  • Status: stable
  • Release Purpose: bug fixes
  • Release manager: gstrauss
  • Released date: 2023-01-03

Important changes from 1.4.67

  • stronger TLS defaults (as previously announced)
  • KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled
  • removal of deprecated modules

Behavior Changes (previously announced)

  • TLS modules now default to using stronger, modern ciphers and
    will default to allow client preference in selecting ciphers.
    Allowing client preference in selecting ciphers is safe to do along
    with restrictions to use modern ciphers supporting PFS, and is
    better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using
    `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
    the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    new defaults:
    "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384",
    "Options" => "-ServerPreference"
    old defaults:
    "CipherString" => "HIGH",
    "Options" => "ServerPreference"
  • Deprecated TLS options have been removed.
    - ssl.honor-cipher-order
    - ssl.dh-file
    - ssl.ec-curve
    - ssl.disable-client-renegotiation
    - ssl.use-sslv2
    - ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with
    `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of "mini-application" lighttpd modules
    for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

Behavior Changes (not previously announced)

  • meson build: some opts have changed from type: 'boolean' to type: 'feature';
    build scripts using -D with_example=true or =false need to change some opts
    to =enabled, =disabled, or =auto
  • mod_magnet: removed experimental lighty.r.req_attr["response.*"] accessors
    (added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022))
    (see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
  • remove libev fdevent option (ignore)
    lighttpd directly uses native OS event handlers

Future Scheduled Behavior Changes

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.
    Separate dynamic modules are still built for the benefit of existing
    packaging scripts in various distributions, but those modules are not used.
    A future version of lighttpd will omit building separate modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile
    mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Downloads

Changes from 1.4.67

  • [cmake] compile lemon with native cc for x-compile
  • [cmake] install man pages with CMake
  • [cmake] let CMake handle the version number
  • [cmake] set LIGHTTPD_VERSION_ID per version
  • [meson] set LIGHTTPD_VERSION_ID per version
  • [meson] add missing meson_version
  • [meson] use feature options
  • [meson] turn pcre into a combo option
  • [meson] simplify header checking
  • [meson] add wrapdb instructions
  • [lighttpd-angel] waitpid after HUP before restart
  • [core] use inotify_init() if missing IN_* defines
  • [core] keep sockets w/ server.graceful-restart-bg
  • [TLS] ssl.openssl.ssl-conf-cmd "DHParameters"
  • [mod_wolfssl] check for cert must_staple
  • [mod_mbedtls] config renegotiation;not recommended
  • [mod_alias] fix typo in config error message
  • [mod_proxy,mod_cgi] fix dummy Sec-WebSocket-Key
  • [mod_wolfssl] cast to fix compile error
  • [TLS] try DER format if reading PEM format fails
  • [mod_openssl] libressl 3.6.0 ASN1_TIME_cmp_time_t
  • [mod_deflate] skip cache for Cache-Control: private,no-store
  • [mod_webdav] minor cleanups and adjustments
  • [core] http_response_body_clear clears body flags
  • [core] ignore server.max-worker = 1
  • [doc/scripts/cert-staple.sh] *BSD date portability
  • [doc/scripts/cert-staple.sh] short-circuit checks
  • [doc/scripts/cert-staple.sh] add copyright header
  • [meson] fix wrong array
  • [meson] replace most has_function calls with loop
  • [meson] use non string true/false
  • [meson] use files()
  • [meson] remove use of non-existent win32 xgetopt.c
  • [meson] update comment for opts w/ type 'feature'
  • [core] fix crash for invalid lighttpd.conf (fixes #3175)
  • [build] do not check for pthread.h
  • [cmake] use find_package() to include the PkgConfig module
  • [cmake] use GNUInstallDirs to set defaults for several directories
  • [cmake] use FindOpenSSL cmake module to search for OpenSSL
  • [cmake] remove wolfssl code that would already be handled by CMake
  • [cmake] improve searching for PostgreSQL
  • [cmake] remove needless arguments from xconfig macro
  • [cmake] prefer libpcre.pc over pcre-config
  • [cmake] use CMake's provided FindZLIB
  • [cmake] use CMake's provided FindBZip2
  • [cmake] remove path hints where CMake searches by default
  • [cmake] remove use of non-existent win32 xgetopt.c
  • [mod_openssl] mod_openssl_write_err() shared code
  • [mod_openssl] use SSL_sendfile() if KTLS available
  • [mod_gnutls] use gnutls_record_send_file() if KTLS
  • [TLS] handle '+' on ssl-conf-cmd "Options"
  • [TLS] upgrade default cipher list to stronger set
  • [TLS] simplify TLS config; remove deprecated opts
  • [multiple] remove deprecated modules
  • [mod_magnet] remove lighty.r.req_attr["response.*"]
  • [core] remove libev fdevent option (ignore)
  • [core] _WIN32 impl of plugins_load()
  • [core] check for built-in plugins before dlopen
  • [core] build core modules into lighttpd executable
  • [core] reduce M_TOP_PAD to default on small system
  • [multiple] mark mod_*_plugin_init() funcs cold
  • [core] check ifndef NDEBUG before setting NDEBUG
  • [core] server_main_setup_signals() separate func
  • [core] server_main_setup_workers() separate func
  • [core] server_main_setup() variable scoping
  • [core] ck_calloc() ck_malloc() ck_realloc_u32()
  • [multiple] employ ck_realloc_u32() shared code
  • [core] mark gw_proc_free() cold
  • [core] use data_config_list for config
  • [build] omit unused vector.[ch] from build
  • [mod_wstunnel] store value in tmp before byteswap
  • [core] log_buffer_vsprintf tweaks
  • [multiple] employ ck_calloc, ck_malloc shared code
  • [core] create non-inlined vector_resize()
  • [lighttpd-angel] remove unused includes
  • [core] chunk.c tweaks
  • [core] config_check_cond_nocache_eval() tweak
  • [mod_openssl] CLOSE_NOTIFY handling with KTLS
  • [mod_wolfssl] match mod_openssl CLOSE_NOTIFY
  • [core] ignore config dir-listing.* if not enabled
  • [doc] default lighttpd.conf: omit server.use-ipv6
  • [lighttpd-angel] simplify
  • [tests] disable auth.delay-invalid-creds for tests
  • [mod_deflate] "deflate" should include zlib header
  • [tests] fix "deflate" tests for added zlib header
  • [tests] disable Nagle on client, remove sleeps
  • [core] save ptr to avoid static analyzer realloc warn
  • [core] wrap server_main_setup_workers w/ HAVE_FORK
  • [core] temporarily disable O_NOFOLLOW on Cygwin

External references

Issues by
Bug

3/3