** Description changed:

- 
  [Impact]
  
-  * TLSv1.3 (which is enabled by default) connections are getting killed
+  * TLSv1.3 (which is enabled by default) connections are getting killed
  instead of succeeding negotiation.
  
  [Test Case]
  
-  * Create lighttpd server, attempt to connect via tlsv1.3
-  * Connection should succeed.
+  * Create lighttpd server, attempt to connect via tlsv1.3
+  * Connection should succeed.
+ 
+ Sample lighttpd.conf:
+ 
+ server.port = 443
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/server.pem"
+ 
+ Where server.pem is concat of snakeoil cert + private key.
+ 
+ Attempting curl to lighttpd results in:
+ 
+ # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
+ curl: (52) Empty reply from server
+ 
+ # grep 'killing' /var/log/lighttpd/error.log 
+ 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by 
client, killing connection 
+ 
  
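Review bot: the sample config and the curl command in this test case never pin a protocol version, so the step only exercises TLSv1.3 if curl and the server happen to negotiate it by default; make the expectation explicit, e.g. run "curl -v --tlsv1.3 --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd" and check for "SSL connection using TLSv1.3" in the verbose output, so that a client defaulting to TLSv1.2 cannot give a false pass.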
  [Regression Potential]
  
-  * TLSv1.3 connections attempt client renegotiation when they should
+  * TLSv1.3 connections attempt client renegotiation when they should
  not, as that's not supported anymore. Currently, connections are getting
  killed instead of succeeding. This change is a backport from a later
  v1.4 series point release, hence the file paths don't match the original
  and variables are renamed, however, the affected codepath appears to
  still be the same-ish. Hence the patch should be review for rebase
  correctness as there is room for error in handling client renegotiation
  with prior tls versions.
  
  [Upstream Link]
  
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff
  
  [Original Bugreport]
  
  After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 ->
  1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in
  lighttpd 1.4.45-1ubuntu3.  The logs are full of messages of the form:
  
  2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation
  initiated by client, killing connection
  
  Perhaps problem with TLS v1.3 negotiation?  (And the version of lighttpd
  is too old to have the ssl.openssl.ssl-conf-cmd directive to try to
  disable it.)
  
  Description:  Ubuntu 18.04.2 LTS
  Release:      18.04
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: lighttpd 1.4.45-1ubuntu3
  ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
  Uname: Linux 4.15.0-51-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Tue Jun 11 14:18:55 2019
  SourcePackage: lighttpd
  UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
  modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
  modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
  mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf: 
2015-07-16T10:18:19.857892
  mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213

** Description changed:

  [Impact]
  
   * TLSv1.3 (which is enabled by default) connections are getting killed
  instead of succeeding negotiation.
  
  [Test Case]
  
   * Create lighttpd server, attempt to connect via tlsv1.3
   * Connection should succeed.
  
  Sample lighttpd.conf:
  
  server.port = 443
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/server.pem"
  
  Where server.pem is concat of snakeoil cert + private key.
  
  Attempting curl to lighttpd results in:
  
  # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
  curl: (52) Empty reply from server
  
- # grep 'killing' /var/log/lighttpd/error.log 
- 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by 
client, killing connection 
+ # grep 'killing' /var/log/lighttpd/error.log
+ 2019-06-25 09:40:15: (connections-glue.c.126) SSL: renegotiation initiated by 
client, killing connection
  
+ Upgrade to new lighttpd, repeat curl, and now get the download of the
+ home-page:
+ 
+ # curl --cacert /etc/ssl/certs/ssl-cert-snakeoil.pem https://apt-kitten.lxd
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+ <html xmlns="http://www.w3.org/1999/xhtml";>
+ <head>
+ ...
  
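Review bot: the added "after" output only shows the default (TLSv1.3) case succeeding; since the Regression Potential section below names client-renegotiation handling for earlier TLS versions as the rebase risk, the test case should also show that a TLSv1.2 connection still works and that a client-initiated renegotiation is still rejected, e.g. "openssl s_client -connect apt-kitten.lxd:443 -tls1_2 -CAfile /etc/ssl/certs/ssl-cert-snakeoil.pem", then type "R" on a line by itself to trigger a renegotiation, and confirm the server drops the connection and the error log records "SSL: renegotiation initiated by client, killing connection" for that case.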
  [Regression Potential]
  
   * TLSv1.3 connections attempt client renegotiation when they should
  not, as that's not supported anymore. Currently, connections are getting
  killed instead of succeeding. This change is a backport from a later
  v1.4 series point release, hence the file paths don't match the original
  and variables are renamed, however, the affected codepath appears to
  still be the same-ish. Hence the patch should be review for rebase
  correctness as there is room for error in handling client renegotiation
  with prior tls versions.
  
  [Upstream Link]
  
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff
  
  [Original Bugreport]
  
  After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 ->
  1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in
  lighttpd 1.4.45-1ubuntu3.  The logs are full of messages of the form:
  
  2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation
  initiated by client, killing connection
  
  Perhaps problem with TLS v1.3 negotiation?  (And the version of lighttpd
  is too old to have the ssl.openssl.ssl-conf-cmd directive to try to
  disable it.)
  
  Description:  Ubuntu 18.04.2 LTS
  Release:      18.04
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: lighttpd 1.4.45-1ubuntu3
  ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
  Uname: Linux 4.15.0-51-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Tue Jun 11 14:18:55 2019
  SourcePackage: lighttpd
  UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
  modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
  modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
  mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf: 
2015-07-16T10:18:19.857892
  mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832295

Title:
  lighttpd broken by OpenSSL update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1832295/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
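The following is an added example, not code from lighttpd, Ubuntu or the bug reporter. It models the logic behind the "renegotiation initiated by client, killing connection" message: lighttpd's OpenSSL info callback counts every SSL_CB_HANDSHAKE_START as a renegotiation and the read path kills a connection once it has seen more than one. With OpenSSL 1.1.1 a TLSv1.3 connection reports a further handshake start for post-handshake messages (NewSessionTicket is the usual one), so the old counter fires on every TLSv1.3 client. The "fixed" callback reproduces the approach of the upstream change linked above: once a handshake has completed and SSL_version() reports TLSv1.3, the counter is disabled, while TLSv1.2 client-initiated renegotiation is still caught. The flag and version constants are the real OpenSSL values; the connection class, function names and the per-scenario event sequences are constructed for this model and are assumptions, not captured OpenSSL behaviour.

```python
"""Model of lighttpd's OpenSSL info-callback renegotiation guard, before and
after the TLSv1.3 fix.  Added example: not lighttpd's code, and the event
sequences below are constructed, not captured from OpenSSL."""

# OpenSSL info-callback flags (values from <openssl/ssl.h>); only the two
# that the callback looks at are modelled here.
SSL_CB_HANDSHAKE_START = 0x10
SSL_CB_HANDSHAKE_DONE = 0x20

# Protocol version numbers as returned by SSL_version().
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304


class Connection:
    """Per-connection state the callback keeps (hypothetical stand-in for
    lighttpd's con->renegotiations field)."""

    def __init__(self, version):
        self.version = version          # what SSL_version() would report
        self.renegotiations = 0
        self.handshake_done = False


def info_callback_old(con, where):
    """1.4.45 behaviour: every handshake start is counted as a renegotiation."""
    if where & SSL_CB_HANDSHAKE_START:
        con.renegotiations += 1
    if where & SSL_CB_HANDSHAKE_DONE:
        con.handshake_done = True


def info_callback_fixed(con, where):
    """Backported behaviour: once a TLSv1.3 handshake has completed, stop
    counting, because TLSv1.3 has no renegotiation and OpenSSL 1.1.1 reports
    SSL_CB_HANDSHAKE_START again for post-handshake messages."""
    if where & SSL_CB_HANDSHAKE_START:
        if con.renegotiations >= 0:
            con.renegotiations += 1
    if where & SSL_CB_HANDSHAKE_DONE:
        con.handshake_done = True
        if con.version >= TLS1_3_VERSION:
            con.renegotiations = -1     # sentinel: never flag this connection


def read_check(con, disable_client_renegotiation=True):
    """Read-path check (the site that logs "killing connection"): more than
    one handshake start means a client-initiated renegotiation."""
    if con.renegotiations > 1 and disable_client_renegotiation:
        return "killed"
    return "ok"


# Constructed callback sequences: each entry is the `where` bitmask the
# server-side info callback would receive.
HANDSHAKE = [SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE]

SCENARIOS = {
    # Plain TLSv1.2 handshake, then application data.
    "tls12_plain": (TLS1_2_VERSION, HANDSHAKE),
    # TLSv1.2 client sends a second ClientHello: a real renegotiation.
    "tls12_client_reneg": (TLS1_2_VERSION, HANDSHAKE + [SSL_CB_HANDSHAKE_START]),
    # TLSv1.3 handshake followed by a post-handshake message (for example
    # NewSessionTicket), which OpenSSL 1.1.1 announces as another handshake.
    "tls13_with_ticket": (TLS1_3_VERSION, HANDSHAKE + HANDSHAKE),
}


def run(scenario, callback):
    """Feed one scenario's events through a callback and return the verdict."""
    version, events = SCENARIOS[scenario]
    con = Connection(version)
    for where in events:
        callback(con, where)
    return read_check(con)


def compare_all():
    """Map scenario name -> (verdict with old callback, verdict with fix)."""
    return {name: (run(name, info_callback_old), run(name, info_callback_fixed))
            for name in SCENARIOS}


if __name__ == "__main__":
    for name, (old, fixed) in compare_all().items():
        print(f"{name:20s} 1.4.45: {old:7s} fixed: {fixed}")
```

Running it shows the three outcomes that matter for the SRU: an ordinary TLSv1.2 connection is accepted by both versions, a TLSv1.2 client that renegotiates is still killed by both, and only the old callback kills the TLSv1.3 connection once the post-handshake message arrives.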
