Fix released in Disco and Eoan.
Affected series are Bionic and Cosmic.
** Also affects: lighttpd (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: lighttpd (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Changed in: lighttpd (Ubuntu Bionic)
Importance: Undecided => Critical
** Changed in: lighttpd (Ubuntu Cosmic)
Importance: Undecided => Critical
** Changed in: lighttpd (Ubuntu Bionic)
Status: New => In Progress
** Changed in: lighttpd (Ubuntu Cosmic)
Status: New => In Progress
** Changed in: lighttpd (Ubuntu)
Status: Confirmed => Fix Released
** Also affects: lighttpd (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #913251
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913251
** Changed in: lighttpd (Debian)
Remote watch: Debian Bug tracker #913558 => Debian Bug tracker #913251
** Description changed:
+
+ [Impact]
+
+ * TLSv1.3 (which is enabled by default) connections are getting killed
+ instead of succeeding negotiation.
+
+ [Test Case]
+
+ * Create lighttpd server, attempt to connect via tlsv1.3
+ * Connection should succeed.
+
+ [Regression Potential]
+
+ * TLSv1.3 connections attempt client renegotiation when they should
+ not, as that's not supported anymore. Currently, connections are getting
+ killed instead of succeeding. This change is a backport from a later
+ v1.4 series point release, hence the file paths don't match the original
+ and variables are renamed, however, the affected codepath appears to
+ still be the same-ish. Hence the patch should be review for rebase
+ correctness as there is room for error in handling client renegotiation
+ with prior tls versions.
+
+ [Upstream Link]
+
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff
+
+ [Original Bugreport]
+
After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 ->
1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in
lighttpd 1.4.45-1ubuntu3. The logs are full of messages of the form:
2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation
initiated by client, killing connection
Perhaps problem with TLS v1.3 negotiation? (And the version of lighttpd
is too old to have the ssl.openssl.ssl-conf-cmd directive to try to
disable it.)
-
Description: Ubuntu 18.04.2 LTS
Release: 18.04
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: lighttpd 1.4.45-1ubuntu3
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Tue Jun 11 14:18:55 2019
SourcePackage: lighttpd
UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf:
2015-07-16T10:18:19.857892
mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213
--
https://bugs.launchpad.net/bugs/1832295
Title:
lighttpd broken by OpenSSL update
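A log check for the symptom quoted in the original report, added here as an example (not code from lighttpd or from the bug report): it counts the "renegotiation initiated by client, killing connection" entries per minute, optionally only from a given time onward, such as the restart after a package upgrade. The sample log is constructed, including the `server.c.1534` line, and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# lighttpd error-log prefix as quoted in the report:
#   "YYYY-MM-DD HH:MM:SS: (source.c.LINE) message"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \(([\w.-]+)\.(\d+)\) (.*)$")
KILL = "SSL: renegotiation initiated by client, killing connection"

def parse_entries(text):
    """Return (timestamp, source_file, line_no, message) tuples.

    A non-empty line without a timestamp prefix is treated as the wrapped
    continuation of the previous entry (mail clients wrap long log lines).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append([ts, m.group(2), int(m.group(3)), m.group(4)])
        elif entries and line:
            entries[-1][3] += " " + line
    return [tuple(e) for e in entries]

def renegotiation_kills(text, since=None):
    """Count kill messages per minute, optionally only at or after `since`."""
    per_minute = Counter()
    for ts, _src, _line_no, msg in parse_entries(text):
        if msg == KILL and (since is None or ts >= since):
            per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return per_minute

# Constructed sample; the first entry is wrapped the way it appears in the report.
SAMPLE = """\
2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation
initiated by client, killing connection
2019-06-11 12:02:21: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
2019-06-11 12:03:05: (server.c.1534) server started
2019-06-11 12:03:40: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection
"""

if __name__ == "__main__":
    for minute, count in sorted(renegotiation_kills(SAMPLE).items()):
        print(minute, count)
```

A non-zero count for the period after the server was restarted on the updated package means TLS connections are still being dropped on this code path.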