Bug 577546 - Updated openssl package breaks lighttpd running SSL because of upstream bug #2157
Summary: Updated openssl package breaks lighttpd running SSL because of upstream bug #...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: lighttpd
Version: el5
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-27 23:11 UTC by Wouter de Jong
Modified: 2010-09-20 08:40 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-20 08:40:23 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Wouter de Jong 2010-03-27 23:11:01 UTC
Description of problem:
The updated openssl-0.9.8e-12.el5_4.6 package breaks lighttpd SSL because of upstream bug #2157

Version-Release number of selected component (if applicable):
lighttpd-1.4.22-2.el5

How reproducible:

install lighttpd-1.4.22-2.el5 & openssl-0.9.8e-12.el5_4.6
Enable SSL in lighttpd.conf :

ssl.engine = "enabled"
ssl.pemfile = "/etc/pki/tls/certs/lighttpd.pem"
  
Actual results:
# service lighttpd start
Starting lighttpd: 2010-03-28 00:04:43: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
                                                           [FAILED]



Expected results:
# service lighttpd start
Starting lighttpd:                                         [  OK  ]


Additional info:
Upstream bug#2157 @ http://redmine.lighttpd.net/issues/2157
Fixed upstream in r2716 @ http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716

Rebuild SRPM with the above patch, and it works.

Comment 1 Ralf Ertzinger 2010-03-30 18:00:49 UTC
Workaround:

set
ssl.use-sslv2 = "enable"

in the appropriate places in the config. This will enable SSLv2, but you can prevent actual working SSLv2 negotiation by massaging the cipher list, for example like this:

ssl.cipher-list = "TLSv1+HIGH RC4+MEDIUM !SSLv2 !3DES !aNULL @STRENGTH"

Comment 2 David Anderson 2010-04-01 08:44:01 UTC
I got bitten by this too. Thanks for the work-around.

Comment 3 Matthias Saou 2010-04-29 11:32:08 UTC
I've rebuilt 1.4.26 with the fix, it should appear in EPEL testing soon. I've updated on many production servers and it's been working fine for me so far.

Comment 4 Till Maas 2010-05-10 16:08:34 UTC
lighttpd  0:1.4.26-2.el5 fixed this bug for me

Comment 5 Wouter de Jong 2010-05-14 10:34:20 UTC
Indeed fixed, thank you :)

Comment 6 Mark Chappell 2010-09-20 08:40:23 UTC
lighttpd-1.4.26-2.el5 is now in the main EPEL repos, since Wouter de Jong reports this version as having fixed his problem I'm closing the ticket off.


Note You need to log in before you can comment on or make changes to this bug.