author:    Glenn Strauss <gstrauss@gluelogic.com>  2022-05-30 18:57:19 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com>  2022-06-04 13:45:47 -0400
commit:    833f6aa4c04bbc1572623a6d0f081db1c8e8c3c9
tree:      839088e02d41338867b5e265cdae36a4e882f7d2 /src/mod_mbedtls.c
parent:    da8025fb3075397a2c3edea08cdc5b8c5a624896
download:  lighttpd-git-833f6aa4c04bbc1572623a6d0f081db1c8e8c3c9.tar.gz
[TLS] inherit ssl.engine from global scope
Since lighttpd 1.4.56, an oversight in config processing missed
setting explicitly p->conf.ssl_enabled = 0 in network.c when
initializing conditions. When ssl.engine = "enable" in lighttpd.conf
global scope, the missing reset in network.c required non-TLS ports
(e.g. $SERVER["socket"] == ":80") to contain ssl.engine = "disable"
in order for requests to those ports to be served rather than erroring.
(This error was discovered during collaboration with jens-maus in
https://github.com/jens-maus/RaspberryMatic/pull/1847)
There have been zero other instances of this error reported since the
release of lighttpd 1.4.56 in Nov 2020.
Therefore, having ssl.engine = "enable" inherited from the global scope
is unlikely to have any widespread impact in practice, and enabling
ssl.engine = "enable" (along with TLS certificate configuration) is now
recommended as default. When ssl.engine = "enable" in the global scope,
ssl.engine = "disable" should be specified in those $SERVER["socket"]
conditions where clear-text is desired.
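A lighttpd.conf fragment showing the layout the commit message recommends: TLS enabled in the global scope and explicitly disabled on the cleartext listener. This is an added example, not configuration from the commit or the lighttpd project; the certificate paths and hostname are placeholders, and the redirect on the cleartext port is an assumption about what an operator usually wants there rather than something the commit prescribes.

```conf
# Added example (not from the commit). TLS is the default in the global scope.
# With this commit, every $SERVER["socket"] condition inherits ssl.engine = "enable"
# unless it says otherwise, so each cleartext listener has to opt out explicitly.
server.modules += ( "mod_mbedtls", "mod_redirect" )

ssl.engine  = "enable"
ssl.pemfile = "/etc/lighttpd/certs/example.org.pem"   # placeholder path
ssl.privkey = "/etc/lighttpd/certs/example.org.key"   # placeholder path

# TLS listener: inherits ssl.engine = "enable" and the certificate from the global scope,
# so the condition body can stay empty.
$SERVER["socket"] == ":443" { }

# Cleartext listener: must disable TLS explicitly. With ssl.engine inherited from the
# global scope and no override here, plain-HTTP clients would hit a TLS handshake and
# requests to this port would fail instead of being served.
$SERVER["socket"] == ":80" {
    ssl.engine = "disable"
    # Assumption: send cleartext clients to HTTPS rather than serving content in the clear.
    url.redirect = ( "" => "https://${url.authority}${url.path}${qsa}" )
}
```

After reloading, check both listeners separately: a plain `curl -sI http://example.org/` should get the redirect rather than a connection reset or garbage, and `openssl s_client -connect example.org:443` should complete a handshake. If the `ssl.engine = "disable"` line is removed from the `:80` block, the first check is what breaks, which is the symptom the commit message describes.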
Diffstat (limited to 'src/mod_mbedtls.c')
 src/mod_mbedtls.c | 6 ------
 1 file changed, 0 insertions, 6 deletions
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c index 45078db4..4c787da2 100644 --- a/src/mod_mbedtls.c +++ b/src/mod_mbedtls.c @@ -1667,12 +1667,6 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p) plugin_config_socket conf; memcpy(&conf, &defaults, sizeof(conf)); - - /*(preserve prior behavior; not inherited)*/ - /*(forcing inheritance might break existing configs where SSL is enabled - * by default in the global scope, but not $SERVER["socket"]=="*:80") */ - conf.ssl_enabled = 0; - config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0]; for (; -1 != cpv->k_id; ++cpv) { /* ignore ssl.pemfile (k_id=6); included to process global scope */ |
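Review bot: Dropping `conf.ssl_enabled = 0;` from mod_mbedtls_set_defaults_sockets() is a deliberate behavior change, and it is exactly the one the deleted comment warned about: a `$SERVER["socket"]` condition that does not set `ssl.engine` now inherits "enable" from the global scope, so a cleartext port such as `*:80` begins expecting TLS and plain-HTTP requests to it error out. The commit message accepts that trade-off, but the change should also be written down where operators will see it (release notes and the `ssl.engine` documentation), because the config still loads and the breakage surfaces only as failed requests. Since this view is limited to src/mod_mbedtls.c, the same reset, if present in lighttpd's other TLS modules, needs to go in the same commit so the inheritance rule does not depend on which TLS backend is loaded. From a security standpoint the new default fails closed: a listener not explicitly marked `ssl.engine = "disable"` serves TLS rather than silently falling back to cleartext, which is the right direction.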