recognize and translate a common recommended cipherstring
"ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384"
(basically: ECDHE+AESGCM:ECDHE+AES256:CHACHA20
without CBC ciphers reported as weak by SSLLabs)
(thx daimh)
commit 903024d7 in lighttpd 1.4.57 fixed issue #3046 but in the process
broke HTTP/1.1 101 Switching Protocols which included Content-Length: 0
in the response headers. Content-Length response header is permitted
by the RFCs, but not necessary with HTTP status 101 Switching Protocols.
x-ref:
"websocket proxy fails if 101 Switching Protocols from backend includes Content-Length"
https://redmine.lighttpd.net/issues/3063
(thx axe34)
do not call luaL_error() outside lua_pcall()
In magnet_attach_content(), call log_error() to report error,
not luaL_error(), and set flag to exit loop to allow the proper
number of entries to be popped off the lua stack.
x-ref:
"Segmentation Fault due to Empty String on Mod Magnet"
https://redmine.lighttpd.net/issues/3065
(thx axe34)
Be more careful inside the atpanic handler to avoid an infinite loop
that repeats the call to the atpanic handler
x-ref:
"Segmentation Fault due to Empty String on Mod Magnet"
https://redmine.lighttpd.net/issues/3065
(thx axe34)
Anyone running lua code inside the lighttpd server has control over
the lighttpd server, so this commit does not protect against
malicious behavior, but instead this commit more gracefully handles
a lua programmer mistake of attempting to stat() an empty string.
x-ref:
"Server Aborted due to Malicious Data sent to lighty.stat"
https://redmine.lighttpd.net/issues/3064
(removed two commits ago)
must check selected ALPN after client hello has completed
for case where hctx->conf.ssl_acme_tls_1 is not enabled
or else ALPN "h2" will not be detected
(thx axe34)
Please note that this would not have crashed if "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile. If users are untrusted, "x-sendfile" should not be
enabled without also configuring "x-sendfile-docroot".
x-ref:
"Server Aborted due to Malicious Data sent through CGI Sendfile"
https://redmine.lighttpd.net/issues/3062
mbedtls does not provide a callback for ALPN and expects certificate to
be set in SNI callback (if set), while still in MBEDTLS_SSL_CLIENT_HELLO
state. Waiting until after MBEDTLS_SSL_CLIENT_HELLO would be fine for
using ALPN for "h2", but is too late to set acme-tls/1 challenge cert.
Therefore, parse client hello for ALPN prior to initiating mbedtls
processing of handshake.
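The commit above describes inspecting the ClientHello for ALPN before mbedtls processes the handshake. The following is an added example of such a pre-parse, written for this page and not lighttpd's own mod_mbedtls code: it walks the TLS record, handshake header and ClientHello body, skips unrelated extensions, and reports whether a given protocol ("h2" or "acme-tls/1" in the commit's case) is offered. Every length field is bounds-checked against the bytes actually present, since this input arrives before the TLS library has validated anything. The function name, the helper names and the sample ClientHello bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed ClientHello (TLS record + handshake) offering ALPN "h2" and
 * "http/1.1", preceded by a renegotiation_info extension the parser must skip. */
const unsigned char sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x48,            /* record: handshake(22), legacy version, length 72 */
    0x01, 0x00, 0x00, 0x44,                  /* handshake: ClientHello(1), length 68 */
    0x03, 0x03,                              /* legacy_version TLS 1.2 */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x00,                                    /* session_id: empty */
    0x00, 0x04, 0x13, 0x01, 0xc0, 0x2b,      /* cipher_suites: 2 suites */
    0x01, 0x00,                              /* compression_methods: null */
    0x00, 0x17,                              /* extensions length 23 */
    0xff, 0x01, 0x00, 0x01, 0x00,            /* renegotiation_info, skipped by the parser */
    0x00, 0x10, 0x00, 0x0e,                  /* ALPN (type 16), length 14 */
    0x00, 0x0c,                              /* protocol_name_list length 12 */
    0x02, 'h', '2',
    0x08, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
const size_t sample_client_hello_len = sizeof sample_client_hello;

static size_t be16(const unsigned char *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Skip a length-prefixed vector (lensz = 1 or 2 byte length prefix).
 * Returns false if the vector would run past `end`. */
static bool skip_vector(const unsigned char **p, const unsigned char *end, size_t lensz) {
    if ((size_t)(end - *p) < lensz) return false;
    size_t n = (lensz == 1) ? **p : be16(*p);
    *p += lensz;
    if (n > (size_t)(end - *p)) return false;
    *p += n;
    return true;
}

/* Returns true if the complete ClientHello record in buf[0..len) offers
 * ALPN protocol `proto`. A truncated or malformed record yields false. */
bool client_hello_offers_alpn(const unsigned char *buf, size_t len, const char *proto) {
    const size_t plen = strlen(proto);
    if (len < 5 || buf[0] != 0x16) return false;             /* not a handshake record */
    size_t rec_len = be16(buf + 3);
    if (rec_len > len - 5) return false;                     /* record not fully present */
    const unsigned char *p = buf + 5;
    const unsigned char *end = p + rec_len;
    if ((size_t)(end - p) < 4 || p[0] != 0x01) return false; /* not a ClientHello */
    size_t hs_len = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
    p += 4;
    if (hs_len > (size_t)(end - p)) return false;
    end = p + hs_len;
    if ((size_t)(end - p) < 34) return false;                /* legacy_version + random */
    p += 34;
    if (!skip_vector(&p, end, 1)) return false;              /* session_id */
    if (!skip_vector(&p, end, 2)) return false;              /* cipher_suites */
    if (!skip_vector(&p, end, 1)) return false;              /* compression_methods */
    if ((size_t)(end - p) < 2) return false;                 /* no extensions block */
    size_t ext_len = be16(p);
    p += 2;
    if (ext_len > (size_t)(end - p)) return false;
    end = p + ext_len;
    while ((size_t)(end - p) >= 4) {
        size_t type = be16(p), elen = be16(p + 2);
        p += 4;
        if (elen > (size_t)(end - p)) return false;
        if (type == 0x0010) {                                /* application_layer_protocol_negotiation */
            const unsigned char *e = p + elen;
            if (elen < 2 || be16(p) != elen - 2) return false;
            for (p += 2; p < e; ) {
                size_t nlen = *p++;
                if (nlen == 0 || nlen > (size_t)(e - p)) return false;
                if (nlen == plen && memcmp(p, proto, plen) == 0) return true;
                p += nlen;
            }
            return false;                                    /* ALPN present, proto not offered */
        }
        p += elen;
    }
    return false;
}

/* Convenience wrapper over the constructed sample. */
bool sample_offers_alpn(const char *proto) {
    return client_hello_offers_alpn(sample_client_hello, sample_client_hello_len, proto);
}
```

The parser refuses a record whose declared length exceeds the bytes received rather than guessing, which is the right behaviour for a pre-handshake peek: the caller should wait for more data and re-run it, not act on a partial extension list.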
recognize and translate a common recommended cipherstring
"EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
(basically: EECDH+AESGCM:AES256+EECDH:CHACHA20
without CBC ciphers reported as weak by SSLLabs)
tighten struct data_config and config_cond_info
create config key at startup and reuse for debug/trace
separate routine for configparser_parse_condition()
separate routine for configparser_parse_else_condition()
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)
x-ref:
"OCSP Stapling reload seems not to work"
https://redmine.lighttpd.net/issues/3056
(thx Dirk) (reported on FreeBSD)
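The time_t caveat in the commit above (signed expected, but possibly unsigned) is easy to reproduce. The following is an added example, not lighttpd's code: it models time_t as an unsigned 64-bit type and shows why a check written as a subtraction silently passes once the next stapling timestamp is already in the past, while the form from the commit, `(pc_stapling_nextts > cur_ts + 256)`, behaves the same for both signednesses. The function names are constructed, and the assumption that the comparison gates skipping the OCSP staple reload is mine.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for a platform whose time_t is unsigned. */
typedef uint64_t unsigned_time_t;

/* Subtraction form on a signed type: works, because next - now goes
 * negative when the refresh time has already passed. */
bool refresh_not_due_signed(int64_t next_ts, int64_t cur_ts) {
    return (next_ts - cur_ts) > 256;
}

/* Same expression on an unsigned type: when next_ts < cur_ts the
 * difference wraps to a huge value, the "not due" check passes forever,
 * and the staple is never reloaded. */
bool refresh_not_due_unsigned_buggy(unsigned_time_t next_ts, unsigned_time_t cur_ts) {
    return (next_ts - cur_ts) > 256;
}

/* Form from the commit: compare against cur_ts + 256 instead of
 * subtracting, so no wrap-around can occur for a past timestamp. */
bool refresh_not_due(unsigned_time_t next_ts, unsigned_time_t cur_ts) {
    return next_ts > cur_ts + 256;
}

/* Assumed decision helper: reload the OCSP staple once the next refresh
 * time is within 256 seconds, or already past. */
bool stapling_should_reload(unsigned_time_t next_ts, unsigned_time_t cur_ts) {
    return !refresh_not_due(next_ts, cur_ts);
}
```

The signed version passes the same inputs, which is why the defect only shows on platforms where time_t is unsigned, as the FreeBSD report in the x-ref suggests.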
HTTP/1.1 requests might end up spinning if traffic limits are configured
(connection.kbytes-per-second)
(server.kbytes-per-second)
con->is_readable and con->is_writable might be set to -1 by TLS modules
which encounter SSL_WANT_READ or SSL_WANT_WRITE. Either might occur
during read or write, and so -1 was used to flag this.
However, code which used con->is_readable and con->is_writable now needs
to check for value > 0 rather than treating value as a boolean.
flagged by coverity
final segment of colon (':') separated string was being ignored
in some TLS config strings in mod_gnutls and mod_mbedtls
workaround: add ':' at end of config string (or apply this patch)
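The commit above and the two cipherstring commits earlier on this page are served by one added example, written for this page and not lighttpd's mod_gnutls or mod_mbedtls code. It shows the splitting pattern that drops the last segment of a colon-separated string, why appending ':' works around it, and a corrected splitter; on top of that it recognizes the two recommended cipherstrings quoted in the commits ("ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384" and the EECDH variant). The target of the translation depends on the TLS library and is not on the page, so only recognition is shown. The type, function names and segment limit are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_SEGS 16

/* One element of an OpenSSL-style cipherstring, e.g. "ECDHE+AESGCM" or "!SHA1".
 * `name` points into the caller's string and is not NUL-terminated. */
typedef struct {
    const char *name;
    size_t len;
    bool exclude;   /* segment began with '!' */
} cipher_seg;

static void set_seg(cipher_seg *seg, const char *p, size_t len) {
    seg->exclude = (len > 0 && *p == '!');
    seg->name = seg->exclude ? p + 1 : p;
    seg->len = seg->exclude ? len - 1 : len;
}

/* The defective pattern: a segment is recorded only when a ':' follows it,
 * so the tail after the last ':' ("!SHA384" in the recommended string) is
 * silently dropped. Appending ':' to the config string is the workaround. */
size_t split_cipherstring_buggy(const char *s, cipher_seg *out, size_t max) {
    size_t n = 0;
    const char *colon;
    while (n < max && (colon = strchr(s, ':')) != NULL) {
        set_seg(&out[n++], s, (size_t)(colon - s));
        s = colon + 1;
    }
    return n;
}

/* Corrected: the final segment runs to the terminating NUL, and empty
 * segments (a trailing ':' or "::") are skipped rather than recorded. */
size_t split_cipherstring(const char *s, cipher_seg *out, size_t max) {
    size_t n = 0;
    while (n < max) {
        const char *colon = strchr(s, ':');
        size_t len = colon ? (size_t)(colon - s) : strlen(s);
        if (len > 0) set_seg(&out[n++], s, len);
        if (colon == NULL) break;
        s = colon + 1;
    }
    return n;
}

size_t count_segments_buggy(const char *s) {
    cipher_seg segs[MAX_SEGS];
    return split_cipherstring_buggy(s, segs, MAX_SEGS);
}

size_t count_segments(const char *s) {
    cipher_seg segs[MAX_SEGS];
    return split_cipherstring(s, segs, MAX_SEGS);
}

/* Number of "!"-excluded segments seen by the corrected splitter. */
size_t count_excluded(const char *s) {
    cipher_seg segs[MAX_SEGS];
    size_t n = split_cipherstring(s, segs, MAX_SEGS), k = 0;
    for (size_t i = 0; i < n; ++i) k += segs[i].exclude;
    return k;
}

/* The two recommended cipherstrings quoted in the commit messages. */
static const char *const recommended[2][6] = {
    { "ECDHE+AESGCM", "ECDHE+AES256", "CHACHA20", "!SHA1", "!SHA256", "!SHA384" },
    { "EECDH+AESGCM", "AES256+EECDH", "CHACHA20", "!SHA1", "!SHA256", "!SHA384" },
};

/* Returns true if `s` is exactly one of the recommended strings, segment by
 * segment (order and '!' flags included), with or without a trailing ':'. */
bool is_recommended_cipherstring(const char *s) {
    cipher_seg segs[MAX_SEGS];
    size_t n = split_cipherstring(s, segs, MAX_SEGS);
    if (n != 6) return false;
    for (size_t r = 0; r < 2; ++r) {
        size_t i;
        for (i = 0; i < 6; ++i) {
            const char *want = recommended[r][i];
            bool ex = (*want == '!');
            if (ex) ++want;
            if (segs[i].exclude != ex || segs[i].len != strlen(want)
                || memcmp(segs[i].name, want, segs[i].len) != 0) break;
        }
        if (i == 6) return true;
    }
    return false;
}
```

With the defective splitter the string from the commits yields five segments and the "!SHA384" exclusion is lost, so the weak SHA-384 CBC suites stay enabled even though the administrator excluded them; that is the practical effect of the bug, and why the trailing ':' workaround restores the sixth segment.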