FS#60294 : [lighttpd] openssl-1.1.1-1 broke lighttpd-1.4.50-1

FS#60294 - [lighttpd] openssl-1.1.1-1 broke lighttpd-1.4.50-1

Attached to Project: Arch Linux
Opened by Manhong Dai (daimh) - Wednesday, 03 October 2018, 19:05 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 21 October 2018, 16:27 GMT

Task Type	Bug Report
Category	Packages: Extra
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	3 kpcyrd (kpcyrd) (2018-10-14) David Phillips (phillid) (2018-10-06) sgar (garnica) (2018-10-04)
Private	No

Details

Description:

After 'pacman -Syu', lighttpd error log shows

"2018-10-03 13:31:04: (mod_openssl.c.1419) SSL: renegotiation initiated by client, killing connection"

Downgraded openssl from 1.1.1.1 to 1.1.0.i solved lightttpd's problem, but many programs depending on OPENSSL_1_1_1 fail now.

This task depends upon

Closed by Doug Newgard (Scimmia)
Sunday, 21 October 2018, 16:27 GMT
Reason for closing: Fixed
Additional comments about closing: lighttpd 1.4.51-1

Comment by sgar (garnica) - Thursday, 04 October 2018, 09:00 GMT

I have seen the same behaviour on my machine..

I think it is related to the SNI option on the new openssl.. but i couldnt manage to get it working..

similar bugs:
https://bugs.archlinux.org/task/60038
https://bugs.archlinux.org/task/60059
https://bugs.archlinux.org/task/60078

Comment by loqs (loqs) - Thursday, 04 October 2018, 14:21 GMT

Has the issue been reported upstream?

Comment by Florian Bruhin (The-Compiler) - Friday, 05 October 2018, 11:00 GMT

I've not seen any upstream report, so I opened one here: https://redmine.lighttpd.net/issues/2912

Note that downgrading your OpenSSL package also will break pacman unless you downgrade curl as well:

# pacman -U https://archive.archlinux.org/packages/o/openssl/openssl-1.1.0.i-1-x86_64.pkg.tar.xz https://archive.archlinux.org/packages/c/curl/curl-7.61.1-1-x86_64.pkg.tar.xz

Pretty sure that'll break other stuff as well, though. Maybe as a workaround it's possible to compile OpenSSL 1.1.1 without TLS 1.3 support?

Comment by Florian Bruhin (The-Compiler) - Friday, 05 October 2018, 11:56 GMT

Yup, rebuilding openssl and adding “no-tls1_3" to the Configure arguments also makes things work.

Comment by sgar (garnica) - Saturday, 06 October 2018, 10:29 GMT

I have also test the provisional patch posted on the lighttpd thread
https://redmine.lighttpd.net/issues/2912#note-5
and it seems to solve the issue..

Comment by Florian Bruhin (The-Compiler) - Monday, 08 October 2018, 08:59 GMT

Upstream has now commited a patch: https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/7a7f4f987aa8443aa3898f484539f707e213bcba/diff/src/mod_openssl.c

It seems to be the same that was posted in the bug report earlier, which I tested against the Arch package and it applies cleanly and fixes the issue. Unfortunately, the "unified diff" link seems to be broken...

Comment by Manhong Dai (daimh) - Tuesday, 16 October 2018, 14:00 GMT

I verified that lighttpd 1.4.51-1 fixed this issue.

	Tasks related to this task (0)

Duplicate tasks of this task (1)
~~FS#60403 - [lighttpd] https is broken unless tls1.3 is disabled~~

Arch Linux

FS#60294 - [lighttpd] openssl-1.1.1-1 broke lighttpd-1.4.50-1

Details

Loading...