mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

lighttpd: does not support more than one curve? #44

Closed LeSpocky closed 5 years ago

LeSpocky commented 5 years ago

When upgrading from Debian GNU/Linux 9 (stretch) to 10 (buster) lighttpd was upgraded from 1.4.45 to 1.4.53 and openssl from 1.1.0k to 1.1.1c.

For lighttpd 1.4.45 the generator gives this line:

ssl.ec-curve              = "prime256v1"

For lighttpd 1.4.53 the following is generated:

ssl.ec-curve              = "X25519:prime256v1:secp384r1"

That however leads to this error:

root@troubadix ~ # lighttpd -tt -f /etc/lighttpd/lighttpd.conf
2019-07-16 11:29:30: (mod_openssl.c.1038) SSL: Unknown curve name X25519:prime256v1:secp384r1 
2019-07-16 11:29:30: (server.c.1183) Initialization of plugins failed. Going down. 

From a quick look at the lighttpd source code I would say only one curve is supported or OpenSSL 1.1.1c does not understand that string. What works is this (found in every example on this parameter I found on the web, though):

ssl.ec-curve              = "secp384r1"
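A small config lint for the failure mode described in this report. This is an added example, not code from the ssl-config-generator project or from lighttpd. It assumes only what the report above shows: lighttpd 1.4.53 with OpenSSL 1.1.1c aborts at startup ("SSL: Unknown curve name ...") when ssl.ec-curve holds a colon-separated list, a single name such as "secp384r1" is accepted, and the line can simply be dropped so OpenSSL chooses from its own curve list. The config text and host name are constructed for the example; the function names are mine.

```python
"""Lint a lighttpd.conf for ssl.ec-curve values that lighttpd 1.4.53 rejects.

Added example, not from the ssl-config-generator or lighttpd projects.
Assumption (taken from the issue text): lighttpd 1.4.53 accepts exactly one
curve name in ssl.ec-curve and fails with "SSL: Unknown curve name" when
given a colon-separated list; omitting the directive is a valid fix.
"""
import re

# Plain assignment form, the only form the generator emits:
#   ssl.ec-curve = "value"
# lighttpd also allows "+=" and array syntax; those are not handled here.
_ECCURVE_RE = re.compile(r'^\s*ssl\.ec-curve\s*=\s*"([^"]*)"\s*$')

# Constructed sample, modelled on the generator output for lighttpd 1.4.53.
SAMPLE_CONF = """\
# constructed sample, modelled on what the generator emits for lighttpd 1.4.53
server.modules += ( "mod_openssl" )
ssl.engine                = "enable"
ssl.ec-curve              = "X25519:prime256v1:secp384r1"
ssl.honor-cipher-order    = "disable"
# ssl.ec-curve = "prime256v1"   (commented out, must be ignored)
$HTTP["host"] == "troubadix.example" {
    ssl.ec-curve = "secp384r1"
}
"""


def lint_ec_curve(config_text):
    """Return [(line_no, value, verdict), ...] for every ssl.ec-curve line.

    verdict is one of:
      "ok"           a single curve name, which lighttpd 1.4.53 accepts
      "multi-curve"  a colon-separated list, which lighttpd 1.4.53 rejects
      "empty"        an empty string, nothing sensible to hand to OpenSSL
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        # Drop a trailing '#' comment (curve names never contain '#').
        line = raw.split("#", 1)[0]
        m = _ECCURVE_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if not value:
            verdict = "empty"
        elif ":" in value:
            verdict = "multi-curve"
        else:
            verdict = "ok"
        findings.append((line_no, value, verdict))
    return findings


def comment_out_multi_curve(config_text):
    """Return the config with every multi-curve ssl.ec-curve line commented out.

    This mirrors the resolution chosen in the issue: remove the directive
    and let OpenSSL pick from its own curve list, rather than guessing which
    single name out of the list lighttpd would accept.
    """
    bad = {n for n, _, v in lint_ec_curve(config_text) if v == "multi-curve"}
    out = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if line_no in bad:
            out.append("# " + raw.strip()
                       + "   # removed: lighttpd 1.4.53 takes one curve only")
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if config_text.endswith("\n") else "")


if __name__ == "__main__":
    for line_no, value, verdict in lint_ec_curve(SAMPLE_CONF):
        print(f"line {line_no}: ssl.ec-curve = {value!r}: {verdict}")
    print(comment_out_multi_curve(SAMPLE_CONF))
```

After rewriting the file, confirm the result the same way the report does, with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf`; the lint only catches the list syntax, it does not know which individual names the installed OpenSSL build accepts.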

april commented 5 years ago

Oh, huh. That's kinda poopy. In that case, I guess it makes sense to remove the line entirely and let it choose from its list of curves. Thanks for letting me know!