use ldap_set_rebind_proc() to provide auth when rebinding following
ldap referrals (instead of rebinding anonymously for ldap referrals)
x-ref:
"LDAP authentication vs. AD: problems with referrals"
https://redmine.lighttpd.net/issues/2846

elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled
x-ref:
"Using X25519 Key exchange"
https://redmine.lighttpd.net/issues/2833
"SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
https://github.com/openssl/openssl/issues/1437
It has been removed from OpenSSL 1.1.0.
Here is the relevant CHANGES entry:
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
always enabled now. If you want to disable the support you should
exclude it using the list of supported ciphers. This also means
that the "-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]

discard from socket using recv MSG_TRUNC on Linux TCP SOCK_STREAM socket
Currently, lighttpd supports only TCP SOCK_STREAM. If UDP SOCK_DGRAM
were to be supported in the future, then the socket type will need to be
stored so that MSG_TRUNC is used appropriately for the desired effect.
To find out the socket type of an arbitrary socket fd:
getsockopt(..., SOL_SOCKET, SO_TYPE, ...)
but it is better to store it with each listening socket.

When backend returns an invalid response header which is exactly a
blank line (\n or \r\n), adjust the offset so as not to discard the
first character following, which is probably intended to be the
beginning of the response body.

(similar to Apache mod_ssl SSLOpenSSLConfCmd directive)
(experimental)
This new directive is for use with OpenSSL only, and is not currently
available in LibreSSL.
https://wiki.openssl.org/index.php/Manual:SSL_CONF_cmd(3)
lighttpd takes "file commands" not "command line commands" as
openssl SSL_CONF_cmd() appears to permit only one mode at a time.
lighttpd processes this directive after all other ssl.* directives
have been applied for the $SERVER["socket"] scope.
x-ref:
"Option to disable TLS session tickets"
https://redmine.lighttpd.net/issues/2758
"Allow to selectively disable TLS 1.0, 1.1 and 1.2 versions"
https://github.com/lighttpd/lighttpd1.4/pull/84
github: closes #84

error if ssl.engine in wrong section of config.
ssl.engine is valid only in global scope or $SERVER["socket"] condition
x-ref:
"HTTPS requests timeout when cert not set for socket"
https://redmine.lighttpd.net/issues/2837

allow sendfile() in cross-compile if sys/sendfile.h header detected
and sendfile() symbol detected (e.g. in libc)
If sendfile() is present but always returns ENOSYS, lighttpd will
be slightly less efficient, but will fall back to writev() or write()
User should explicitly set server.network-backend = "writev" in
lighttpd.conf on systems with broken sendfile()
x-ref:
"Remove check for broken sendfile implementations"
https://redmine.lighttpd.net/issues/2836

fix implicit wildcard IPv4 and IPv6 listening (regression in 1.4.46)
(broken in commit:5248b46c)
workaround (without this patch): server.set-v6only = "disable"
(which may produce a warning when lighttpd parses config)
x-ref:
https://redmine.lighttpd.net/boards/2/topics/7720