Bug 577546

Summary: Updated openssl package breaks lighttpd running SSL because of upstream bug #2157
Product: [Fedora] Fedora EPEL
Reporter: Wouter de Jong <wouter>
Component: lighttpd
Assignee: Matthias Saou <matthias>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: el5
CC: fedora-packaging, matthias, opensource, redhat-bugzilla, tremble
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-09-20 08:40:23 UTC

Description Wouter de Jong 2010-03-27 23:11:01 UTC
Description of problem:
The updated openssl-0.9.8e-12.el5_4.6 package breaks lighttpd SSL because of upstream bug #2157

Version-Release number of selected component (if applicable):
lighttpd-1.4.22-2.el5

How reproducible:

Install lighttpd-1.4.22-2.el5 & openssl-0.9.8e-12.el5_4.6
Enable SSL in lighttpd.conf:

ssl.engine = "enabled"
ssl.pemfile = "/etc/pki/tls/certs/lighttpd.pem"
  
Actual results:
# service lighttpd start
Starting lighttpd: 2010-03-28 00:04:43: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
                                                           [FAILED]



Expected results:
# service lighttpd start
Starting lighttpd:                                         [  OK  ]


Additional info:
Upstream bug#2157 @ http://redmine.lighttpd.net/issues/2157
Fixed upstream in r2716 @ http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716

Rebuild SRPM with the above patch, and it works.

Comment 1 Ralf Ertzinger 2010-03-30 18:00:49 UTC
Workaround:

set
ssl.use-sslv2 = "enable"

in the appropriate places in the config. This will enable SSLv2, but you can prevent actual working SSLv2 negotiation by massaging the cipher list, for example like this:

ssl.cipher-list = "TLSv1+HIGH RC4+MEDIUM !SSLv2 !3DES !aNULL @STRENGTH"
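
Because the workaround in Comment 1 leaves ssl.use-sslv2 enabled and relies on the cipher list alone to keep SSLv2 out, a configuration check is useful. The following is an added example, not part of the original comment or of lighttpd: the function name and sample configs are constructed, and it assumes (strictly) that the "!SSLv2" exclusion must sit in the same block as ssl.use-sslv2.

```python
import re

# Matches lighttpd assignments such as: ssl.use-sslv2 = "enable"
ASSIGN = re.compile(r'^\s*(ssl\.[\w-]+)\s*=\s*"([^"]*)"')

def audit_sslv2(conf_text):
    """Return line numbers of ssl.use-sslv2 = "enable" settings whose own block
    has no ssl.cipher-list containing "!SSLv2" (same-block rule is an assumption)."""
    stack = [{}]      # one dict of ssl.* settings per open block; [0] is global
    findings = []

    def close(scope):
        enabled = scope.get("ssl.use-sslv2") == "enable"
        # OpenSSL cipher strings may separate items with ':', ',' or spaces.
        tokens = re.split(r"[:, ]+", scope.get("ssl.cipher-list", ""))
        # Only "!" removes a cipher group permanently, so "-SSLv2" is not accepted.
        if enabled and "!SSLv2" not in tokens:
            findings.append(scope["line"])

    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2)
            if m.group(1) == "ssl.use-sslv2":
                stack[-1]["line"] = lineno
        # Drop quoted strings and comments before counting braces.
        bare = re.sub(r'"[^"]*"', "", line).split("#", 1)[0]
        for ch in bare:
            if ch == "{":
                stack.append({})
            elif ch == "}" and len(stack) > 1:
                close(stack.pop())
    while stack:
        close(stack.pop())
    return sorted(findings)

# Constructed sample configs (not taken from the bug report).
WORKAROUND = "\n".join([
    '$SERVER["socket"] == ":443" {',
    '  ssl.engine = "enable"',
    '  ssl.pemfile = "/etc/pki/tls/certs/lighttpd.pem"',
    '  ssl.use-sslv2 = "enable"',
    '  ssl.cipher-list = "TLSv1+HIGH RC4+MEDIUM !SSLv2 !3DES !aNULL @STRENGTH"',
    '}',
])
INCOMPLETE = WORKAROUND.replace("!SSLv2 ", "")

if __name__ == "__main__":
    print(audit_sslv2(WORKAROUND), audit_sslv2(INCOMPLETE))
```

Once a lighttpd build with the upstream fix is installed, the same check can be used to find leftover ssl.use-sslv2 lines that should be removed.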

Comment 2 David Anderson 2010-04-01 08:44:01 UTC
I got bitten by this too. Thanks for the work-around.

Comment 3 Matthias Saou 2010-04-29 11:32:08 UTC
I've rebuilt 1.4.26 with the fix; it should appear in EPEL testing soon. I've updated on many production servers and it's been working fine for me so far.

Comment 4 Till Maas 2010-05-10 16:08:34 UTC
lighttpd 0:1.4.26-2.el5 fixed this bug for me.

Comment 5 Wouter de Jong 2010-05-14 10:34:20 UTC
Indeed fixed, thank you :)

Comment 6 Mark Chappell 2010-09-20 08:40:23 UTC
lighttpd-1.4.26-2.el5 is now in the main EPEL repos. Since Wouter de Jong reports this version as having fixed his problem, I'm closing the ticket off.