[TLS] inherit ssl.engine from global scope

Since lighttpd 1.4.56, an oversight in config processing missed
setting explicitly p->conf.ssl_enabled = 0 in network.c when
initializing conditions.  When ssl.engine = "enable" in lighttpd.conf
global scope, the missing reset in network.c required non-TLS ports
(e.g. $SERVER["socket"] == ":80") to contain ssl.engine = "disable"
in order for requests to those ports to be served rather than erroring.

(This error was discovered during collaboration with jens-maus in
 https://github.com/jens-maus/RaspberryMatic/pull/1847)

There have been zero other instances of this error reported since the
release of lighttpd 1.4.56 in Nov 2020.

Therefore, having ssl.engine = "enable" inherited from the global scope
is unlikely to have any widespread impact in practice, and enabling
ssl.engine = "enable" (along with TLS certificate configuration) is now
recommended as default.  When ssl.engine = "enable" in the global scope,
ssl.engine = "disable" should be specified in those $SERVER["socket"]
conditions where clear-text is desired.
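As an added illustration of the configuration the commit message recommends (this fragment is not part of the commit and not lighttpd's own documentation), the following lighttpd.conf sketch enables TLS in the global scope, lets the default listener inherit it, and opts the clear-text port out explicitly with ssl.engine = "disable". The module name and certificate path are assumptions; the pemfile path is a placeholder.

```lighttpd
server.modules += ( "mod_openssl" )   # any one of the five TLS modules

# Default listener: inherits ssl.engine = "enable" from the global scope
server.port = 443

# Global scope: TLS on by default for every socket that does not opt out
ssl.engine  = "enable"
ssl.pemfile = "/etc/lighttpd/certs/PLACEHOLDER.pem"   # placeholder path

# Clear-text port: with global enable, the socket must opt out explicitly,
# otherwise (after this commit) it inherits TLS instead of erroring
$SERVER["socket"] == ":80" {
    ssl.engine = "disable"
}
```

Before this commit the same fragment would have produced errors on port 80 only if the `ssl.engine = "disable"` line was missing; after it, a socket condition without that line serves TLS, so the opt-out is the line to audit when upgrading.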
master
Glenn Strauss 6 months ago
parent da8025fb30
commit 833f6aa4c0
5 files changed (6 lines each):
  src/mod_gnutls.c
  src/mod_mbedtls.c
  src/mod_nss.c
  src/mod_openssl.c
  src/mod_wolfssl.c

@ -1955,12 +1955,6 @@ mod_gnutls_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
/*(preserve prior behavior; not inherited)*/
/*(forcing inheritance might break existing configs where SSL is enabled
* by default in the global scope, but not $SERVER["socket"]=="*:80") */
conf.ssl_enabled = 0;
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
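Review bot: With the `conf.ssl_enabled = 0;` reset removed, the `memcpy(&conf, &defaults, sizeof(conf));` above now carries the global `ssl.engine` value into every `$SERVER["socket"]` condition that does not set it itself, so a listener meant for clear-text becomes a TLS listener unless it contains `ssl.engine = "disable"`. The deleted comment was the only place that intent was recorded; suggest a one-line comment after the memcpy saying that `ssl_enabled` is now deliberately inherited from the global scope (matching network.c), so the next reader does not re-add the reset.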

@ -1667,12 +1667,6 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
/*(preserve prior behavior; not inherited)*/
/*(forcing inheritance might break existing configs where SSL is enabled
* by default in the global scope, but not $SERVER["socket"]=="*:80") */
conf.ssl_enabled = 0;
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
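Review bot: The loop below still skips `ssl.pemfile` (k_id=6) while `ssl_enabled` is now inherited, so a socket condition can end up with TLS enabled by inheritance but no certificate configured in its own scope. Please confirm this still fails at config load with a clear message rather than at the first handshake, and state in the commit message or NEWS that global `ssl.engine = "enable"` now has to be paired with certificate configuration in that same scope, as the message's "along with TLS certificate configuration" implies.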

@ -1783,12 +1783,6 @@ mod_nss_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
/*(preserve prior behavior; not inherited)*/
/*(forcing inheritance might break existing configs where SSL is enabled
* by default in the global scope, but not $SERVER["socket"]=="*:80") */
conf.ssl_enabled = 0;
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
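Review bot: The five copies of this function must be edited identically, and they are here; if any one TLS module kept the `conf.ssl_enabled = 0;` reset, whether a socket without an explicit `ssl.engine` served TLS would depend on which module is loaded, because network.c already inherits the global value into the condition. Suggest a sentence in the commit message noting that set_defaults_sockets is duplicated across mod_gnutls, mod_mbedtls, mod_nss, mod_openssl and mod_wolfssl so later changes are propagated to all of them.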

@ -2541,12 +2541,6 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
/*(preserve prior behavior; not inherited)*/
/*(forcing inheritance might break existing configs where SSL is enabled
* by default in the global scope, but not $SERVER["socket"]=="*:80") */
conf.ssl_enabled = 0;
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
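Review bot: This is a behaviour change for existing configurations, not only a bug fix: the removed comment warned that forcing inheritance "might break existing configs where SSL is enabled by default in the global scope, but not $SERVER["socket"]=="*:80"", and the commit message argues from zero reports since the 1.4.56 release in Nov 2020 that such configs are rare. That argument and the new recommendation to put `ssl.engine = "disable"` in clear-text socket conditions belong in NEWS and the ssl.engine documentation, so operators can check their socket conditions before an upgraded listener starts offering TLS.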

@ -2323,12 +2323,6 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
/*(preserve prior behavior; not inherited)*/
/*(forcing inheritance might break existing configs where SSL is enabled
* by default in the global scope, but not $SERVER["socket"]=="*:80") */
conf.ssl_enabled = 0;
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
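Review bot: The hunk header reads `mod_openssl_set_defaults_sockets` although the file list places this fifth hunk in src/mod_wolfssl.c, so mod_wolfssl.c appears to keep the function names of the mod_openssl code it was derived from. The change itself is the same as in the other four modules; a short comment at the top of mod_wolfssl.c explaining the naming would spare reviewers from suspecting the diff was applied to the wrong file.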
