mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

lighttpd: ssl-conf-cmd fails with openssl 1.1.1c #43

Closed LeSpocky closed 5 years ago

LeSpocky commented 5 years ago

When upgrading from Debian GNU/Linux 9 (stretch) to 10 (buster), lighttpd was upgraded from 1.4.45 to 1.4.53 and openssl from 1.1.0k to 1.1.1c. The following line generated by the ssl-config-generator worked with the old combination:

ssl.openssl.ssl-conf-cmd = ("Protocol" => "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")

However, that fails on the new versions with this error:

root@troubadix ~ # lighttpd -tt -f /etc/lighttpd/lighttpd.conf
2019-07-16 11:17:16: (mod_openssl.c.722) SSL: SSL_CONF_cmd Protocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 : error:1414E180:SSL routines:SSL_CONF_cmd:bad value
2019-07-16 11:17:16: (server.c.1183) Initialization of plugins failed. Going down.

It works if I change the line that way (based on a config snippet from this blog post):

ssl.openssl.ssl-conf-cmd = ("Protocol" => "all, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")

Not sure if this is a problem of lighttpd or openssl, though.

april commented 5 years ago

Is the difference simply adding commas? Thanks for letting me know!

LeSpocky commented 5 years ago

Yes, I just added those commas.
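
Added example, not part of the thread or of the ssl-config-generator project: a small Python check that finds `ssl.openssl.ssl-conf-cmd` lines whose `Protocol` value is separated by spaces only (the form reported failing above) and produces the comma-separated form reported working. The function names and the sample config are constructed for illustration, and only single-line directives are handled.

```python
import re

# Captures the value of the "Protocol" key in a single-line ssl-conf-cmd directive.
PROTOCOL_RE = re.compile(
    r'(ssl\.openssl\.ssl-conf-cmd\s*\+?=\s*\([^)#]*?"Protocol"\s*=>\s*")([^"]*)(")'
)

# Constructed sample config built around the two lines quoted in the thread.
SAMPLE = '''\
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "all, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
}
'''

def normalize_protocol(value):
    """Join the protocol tokens with ', ' whatever separator was used."""
    return ", ".join(t for t in re.split(r"[,\s]+", value.strip()) if t)

def space_separated(value):
    """True if any two tokens are separated by whitespace without a comma."""
    return any(re.search(r"\s", part.strip()) for part in value.split(","))

def lint_config(text):
    """Return [(line_number, corrected_line)] for directives needing commas."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        match = PROTOCOL_RE.search(line)
        if match and space_separated(match.group(2)):
            fixed = match.group(1) + normalize_protocol(match.group(2)) + match.group(3)
            findings.append((number, line[:match.start()] + fixed + line[match.end():]))
    return findings

if __name__ == "__main__":
    for number, corrected in lint_config(SAMPLE):
        print(f"line {number}: use\n{corrected}")
```

After applying a corrected line, re-run the `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` check shown in the thread to confirm the configuration loads.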