[Bug 1832295] Re: lighttpd broken by OpenSSL update
** Tags added: bionic-openssl-1.1

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832295

Title:
  lighttpd broken by OpenSSL update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1832295/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1832295] Re: lighttpd broken by OpenSSL update
This bug was fixed in the package lighttpd - 1.4.45-1ubuntu3.18.04

---
lighttpd (1.4.45-1ubuntu3.18.04) bionic; urgency=medium

  * Cherrypick and rebase upstream patch to disable client renegotiation
    with TLSv1.3 connections. LP: #1832295

 -- Dimitri John Ledkov  Mon, 24 Jun 2019 23:58:56 +0100

** Changed in: lighttpd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1832295] Re: lighttpd broken by OpenSSL update
This bug was fixed in the package lighttpd - 1.4.45-1ubuntu3.18.10

---
lighttpd (1.4.45-1ubuntu3.18.10) cosmic; urgency=medium

  * Cherrypick and rebase upstream patch to disable client renegotiation
    with TLSv1.3 connections. LP: #1832295

 -- Dimitri John Ledkov  Mon, 24 Jun 2019 23:58:56 +0100

** Changed in: lighttpd (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released
[Bug 1832295] Re: lighttpd broken by OpenSSL update
The version in proposed works for me.
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Reproducing on cosmic:

# dpkg-query -W lighttpd
lighttpd	1.4.45-1ubuntu3
# curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://composed-cattle.lxd &>/dev/null && echo Pass || echo Fail
Fail
# sed 's/-updates/-proposed/' -i /etc/apt/sources.list
# apt update
# apt install lighttpd
# dpkg-query -W lighttpd
lighttpd	1.4.45-1ubuntu3.18.10
# curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://composed-cattle.lxd &>/dev/null && echo Pass || echo Fail
Pass

All is good in cosmic-proposed.

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done-cosmic
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Reproducing on bionic:

# dpkg-query -W lighttpd
lighttpd	1.4.45-1ubuntu3
# curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://diverse-basilisk.lxd &>/dev/null && echo Pass || echo Fail
Fail
# sed 's/-updates/-proposed/' -i /etc/apt/sources.list
# apt update
# apt install lighttpd
# dpkg-query -W lighttpd
lighttpd	1.4.45-1ubuntu3.18.04
# curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://diverse-basilisk.lxd &>/dev/null && echo Pass || echo Fail
Pass

All is good in bionic-proposed.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Hello Jim, or anyone else affected,

Accepted lighttpd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/lighttpd/1.4.45-1ubuntu3.18.04
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Your feedback will aid us getting this update out
to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-bionic. In either case, details of your testing will
help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: lighttpd (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic

** Changed in: lighttpd (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-cosmic
[Bug 1832295] Re: lighttpd broken by OpenSSL update
** Description changed:

- [Impact]
-  * TLSv1.3 (which is enabled by default) connections are getting killed
+  * TLSv1.3 (which is enabled by default) connections are getting killed
  instead of succeeding negotiation.

  [Test Case]
-  * Create lighttpd server, attempt to connect via tlsv1.3
-  * Connection should succeed.
+  * Create lighttpd server, attempt to connect via tlsv1.3
+  * Connection should succeed.
+
+ Sample lighttpd.conf:
+
+ server.port = 443
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/server.pem"
+
+ Where server.pem is concat of snakeoil cert + private key.
+
+ Attempting curl to lighttpd results in:
+
+ # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
+ curl: (52) Empty reply from server
+
+ # grep 'killing' /var/log/lighttpd/error.log
+ 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
+
  [Regression Potential]
-  * TLSv1.3 connections attempt client renegotiation when they should
+  * TLSv1.3 connections attempt client renegotiation when they should
  not, as that's not supported anymore. Currently, connections are getting
  killed instead of succeeding. This change is a backport from a later
  v1.4 series point release, hence the file paths don't match the original
  and variables are renamed, however, the affected codepath appears to
  still be the same-ish. Hence the patch should be reviewed for rebase
  correctness as there is room for error in handling client renegotiation
  with prior tls versions.

  [Upstream Link]
  https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff

  [Original Bugreport]
  After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in lighttpd 1.4.45-1ubuntu3.
  The logs are full of messages of the form:
  2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
  Perhaps problem with TLS v1.3 negotiation? (And the version of lighttpd is too old to have the ssl.openssl.ssl-conf-cmd directive to try to disable it.)

  Description:    Ubuntu 18.04.2 LTS
  Release:        18.04
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: lighttpd 1.4.45-1ubuntu3
  ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
  Uname: Linux 4.15.0-51-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Tue Jun 11 14:18:55 2019
  SourcePackage: lighttpd
  UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
  modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
  modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
  mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf: 2015-07-16T10:18:19.857892
  mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213

** Description changed:

  [Impact]
   * TLSv1.3 (which is enabled by default) connections are getting killed
  instead of succeeding negotiation.

  [Test Case]
   * Create lighttpd server, attempt to connect via tlsv1.3
   * Connection should succeed.

  Sample lighttpd.conf:

  server.port = 443
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/server.pem"

  Where server.pem is concat of snakeoil cert + private key.

  Attempting curl to lighttpd results in:

  # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
  curl: (52) Empty reply from server
-
- # grep 'killing' /var/log/lighttpd/error.log
- 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
+
+ # grep 'killing' /var/log/lighttpd/error.log
+ 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
+
+ Upgrade to new lighttpd, repeat curl, and now get the download of the
+ home-page:
+
+ # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
+ http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+ http://www.w3.org/1999/xhtml;>
+
+ ...

  [Regression Potential]
   * TLSv1.3 connections attempt client renegotiation when they should
  not, as that's not supported anymore. Currently, connections are getting
  killed instead of succeeding. This change is a backport from a later
  v1.4 series point release, hence the file paths don't match the original
  and variables are renamed, however, the affected codepath appears to
  still be the same-ish. Hence the patch should be reviewed for rebase
  correctness as there is room for error in handling client renegotiation
  with prior tls versions.

  [Upstream Link]
  https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff

  [Original Bugreport]
  After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.1~18.04.1 and associated libraries)
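As an added illustration (not lighttpd's or the upstream patch's own code) of why the "renegotiation initiated by client, killing connection" path fires on healthy TLSv1.3 connections, this C model replays info-callback events through the old counting logic and the fixed one. The SSL_CB_* and TLS1_*_VERSION values are copied from OpenSSL's headers so it builds without OpenSSL; the conn struct and the event sequences are constructed stand-ins.

```c
/* Constants copied from OpenSSL's ssl.h so this model compiles without OpenSSL. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#define TLS1_2_VERSION         0x0303
#define TLS1_3_VERSION         0x0304

/* Hypothetical stand-in for lighttpd's per-connection state. */
typedef struct {
    int version;        /* stand-in for what SSL_version(ssl) returns */
    int renegotiations; /* handshake-start counter kept per connection */
} conn;

typedef void (*info_cb)(conn *, int where);

/* Pre-fix logic: every SSL_CB_HANDSHAKE_START bumps the counter, so any second
 * handshake start on a connection looks like a client-initiated renegotiation. */
void info_cb_old(conn *c, int where) {
    if (where & SSL_CB_HANDSHAKE_START) ++c->renegotiations;
}

/* Post-fix logic: once a TLSv1.3 handshake is DONE, stop counting (-1). TLSv1.3
 * cannot renegotiate, and OpenSSL 1.1.1 signals HANDSHAKE_START again for
 * post-handshake messages such as NewSessionTicket (openssl issue #5721). */
void info_cb_new(conn *c, int where) {
    if ((where & SSL_CB_HANDSHAKE_START) && c->renegotiations >= 0)
        ++c->renegotiations;
    if ((where & SSL_CB_HANDSHAKE_DONE) && c->version >= TLS1_3_VERSION)
        c->renegotiations = -1;
}

/* The read-path decision with ssl.disable-client-renegotiation enabled: more
 * than one handshake start means "renegotiation initiated by client, killing
 * connection". Returns 1 to kill the connection, 0 to keep serving it. */
int should_kill(const conn *c) { return c->renegotiations > 1; }

/* Feed a constructed sequence of callback events and return the verdict. */
static int run_events(info_cb cb, int version, const int *ev, int n) {
    conn c = { version, 0 };
    for (int i = 0; i < n; i++) cb(&c, ev[i]);
    return should_kill(&c);
}

/* Scenario A (constructed): a TLSv1.2 client really renegotiates; both
 * variants must kill the connection (returns 1). */
int tls12_client_renegotiation(info_cb cb) {
    const int ev[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                       SSL_CB_HANDSHAKE_START };
    return run_events(cb, TLS1_2_VERSION, ev, 3);
}

/* Scenario B (constructed): TLSv1.3 handshake followed by a NewSessionTicket,
 * seen by the callback as a second START/DONE pair. The old logic kills the
 * connection (the bug behind curl's "Empty reply"); the new logic returns 0. */
int tls13_session_ticket(info_cb cb) {
    const int ev[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                       SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    return run_events(cb, TLS1_3_VERSION, ev, 4);
}
```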
[Bug 1832295] Re: lighttpd broken by OpenSSL update
** Changed in: lighttpd (Debian)
       Status: Unknown => Fix Released
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Fix released in Disco and Eoan. Affected series are Bionic and Cosmic.

** Also affects: lighttpd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: lighttpd (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: lighttpd (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: lighttpd (Ubuntu Cosmic)
   Importance: Undecided => Critical

** Changed in: lighttpd (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: lighttpd (Ubuntu Cosmic)
       Status: New => In Progress

** Changed in: lighttpd (Ubuntu)
       Status: Confirmed => Fix Released

** Also affects: lighttpd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558
   Importance: Unknown
       Status: Unknown

** Bug watch added: Debian Bug tracker #913251
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913251

** Changed in: lighttpd (Debian)
   Remote watch: Debian Bug tracker #913558 => Debian Bug tracker #913251

** Description changed:

+
+ [Impact]
+
+  * TLSv1.3 (which is enabled by default) connections are getting killed
+ instead of succeeding negotiation.
+
+ [Test Case]
+
+  * Create lighttpd server, attempt to connect via tlsv1.3
+  * Connection should succeed.
+
+ [Regression Potential]
+
+  * TLSv1.3 connections attempt client renegotiation when they should
+ not, as that's not supported anymore. Currently, connections are getting
+ killed instead of succeeding. This change is a backport from a later
+ v1.4 series point release, hence the file paths don't match the original
+ and variables are renamed, however, the affected codepath appears to
+ still be the same-ish. Hence the patch should be reviewed for rebase
+ correctness as there is room for error in handling client renegotiation
+ with prior tls versions.
+
+ [Upstream Link]
+ https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff
+
+ [Original Bugreport]
+
  After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in lighttpd 1.4.45-1ubuntu3.
  The logs are full of messages of the form:
  2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
  Perhaps problem with TLS v1.3 negotiation? (And the version of lighttpd is too old to have the ssl.openssl.ssl-conf-cmd directive to try to disable it.)
-
  Description:    Ubuntu 18.04.2 LTS
  Release:        18.04
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: lighttpd 1.4.45-1ubuntu3
  ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
  Uname: Linux 4.15.0-51-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Tue Jun 11 14:18:55 2019
  SourcePackage: lighttpd
  UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
  modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
  modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
  mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf: 2015-07-16T10:18:19.857892
  mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213
[Bug 1832295] Re: lighttpd broken by OpenSSL update
> Temporary solution is to define `ssl.disable-client-renegotiation = "disable"`
> But it's not safe.

Actually that should be the new default. Client-renegotiation is no longer
supported at all, and should be neither offered nor accepted.
[Bug 1832295] Re: lighttpd broken by OpenSSL update
** Tags added: regression-update
[Bug 1832295] Re: lighttpd broken by OpenSSL update
** Changed in: lighttpd (Ubuntu)
   Importance: Undecided => Critical
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Got that issue too. All sites using https were down.

Temporary solution is to define `ssl.disable-client-renegotiation = "disable"`
But it's not safe.
[Bug 1832295] Re: lighttpd broken by OpenSSL update
To eliminate further downtime, I built/installed lighttpd 1.4.54 which
resolved the problem.
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Simply rebuilding the source deb against the new libraries isn't enough to
make it work.
[Bug 1832295] Re: lighttpd broken by OpenSSL update
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lighttpd (Ubuntu)
       Status: New => Confirmed
[Bug 1832295] Re: lighttpd broken by OpenSSL update
A Debian bug suggests that lighttpd < 1.4.51 is broken by libssl 1.1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558

** Bug watch added: Debian Bug tracker #913558
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558