FS#60294 - [lighttpd] openssl-1.1.1-1 broke lighttpd-1.4.50-1

Attached to Project: Arch Linux
Opened by Manhong Dai (daimh) - Wednesday, 03 October 2018, 19:05 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 21 October 2018, 16:27 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

After 'pacman -Syu', lighttpd error log shows

"2018-10-03 13:31:04: (mod_openssl.c.1419) SSL: renegotiation initiated by client, killing connection"


Downgraded openssl from 1.1.1.1 to 1.1.0.i solved lightttpd's problem, but many programs depending on OPENSSL_1_1_1 fail now.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Sunday, 21 October 2018, 16:27 GMT
Reason for closing:  Fixed
Additional comments about closing:  lighttpd 1.4.51-1
Comment by sgar (garnica) - Thursday, 04 October 2018, 09:00 GMT
I have seen the same behaviour on my machine..

I think it is related to the SNI option on the new openssl.. but i couldnt manage to get it working..

similar bugs:
https://bugs.archlinux.org/task/60038
https://bugs.archlinux.org/task/60059
https://bugs.archlinux.org/task/60078

Comment by loqs (loqs) - Thursday, 04 October 2018, 14:21 GMT
Has the issue been reported upstream?
Comment by Florian Bruhin (The-Compiler) - Friday, 05 October 2018, 11:00 GMT
I've not seen any upstream report, so I opened one here: https://redmine.lighttpd.net/issues/2912

Note that downgrading your OpenSSL package also will break pacman unless you downgrade curl as well:

# pacman -U https://archive.archlinux.org/packages/o/openssl/openssl-1.1.0.i-1-x86_64.pkg.tar.xz https://archive.archlinux.org/packages/c/curl/curl-7.61.1-1-x86_64.pkg.tar.xz

Pretty sure that'll break other stuff as well, though. Maybe as a workaround it's possible to compile OpenSSL 1.1.1 without TLS 1.3 support?
Comment by Florian Bruhin (The-Compiler) - Friday, 05 October 2018, 11:56 GMT
Yup, rebuilding openssl and adding “no-tls1_3" to the Configure arguments also makes things work.
Comment by sgar (garnica) - Saturday, 06 October 2018, 10:29 GMT
I have also test the provisional patch posted on the lighttpd thread
https://redmine.lighttpd.net/issues/2912#note-5
and it seems to solve the issue..
Comment by Florian Bruhin (The-Compiler) - Monday, 08 October 2018, 08:59 GMT
Upstream has now commited a patch: https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff/src/mod_openssl.c

It seems to be the same that was posted in the bug report earlier, which I tested against the Arch package and it applies cleanly and fixes the issue. Unfortunately, the "unified diff" link seems to be broken...
Comment by Manhong Dai (daimh) - Tuesday, 16 October 2018, 14:00 GMT
I verified that lighttpd 1.4.51-1 fixed this issue.

Loading...