path: root/src/mod_mbedtls.c
author    Glenn Strauss <gstrauss@gluelogic.com>  2022-05-30 18:57:19 -0400
committer Glenn Strauss <gstrauss@gluelogic.com>  2022-06-04 13:45:47 -0400
commit    833f6aa4c04bbc1572623a6d0f081db1c8e8c3c9 (patch)
tree      839088e02d41338867b5e265cdae36a4e882f7d2 /src/mod_mbedtls.c
parent    da8025fb3075397a2c3edea08cdc5b8c5a624896 (diff)
[TLS] inherit ssl.engine from global scope
Since lighttpd 1.4.56, an oversight in config processing missed setting explicitly p->conf.ssl_enabled = 0 in network.c when initializing conditions. When ssl.engine = "enable" in lighttpd.conf global scope, the missing reset in network.c required non-TLS ports (e.g. $SERVER["socket"] == ":80") to contain ssl.engine = "disable" in order for requests to those ports to be served rather than erroring.

(This error was discovered during collaboration with jens-maus in https://github.com/jens-maus/RaspberryMatic/pull/1847)

There have been zero other instances of this error reported since the release of lighttpd 1.4.56 in Nov 2020. Therefore, having ssl.engine = "enable" inherited from the global scope is unlikely to have any widespread impact in practice, and enabling ssl.engine = "enable" (along with TLS certificate configuration) is now recommended as default.

When ssl.engine = "enable" in the global scope, ssl.engine = "disable" should be specified in those $SERVER["socket"] conditions where clear-text is desired.
Diffstat (limited to 'src/mod_mbedtls.c')
-rw-r--r-- src/mod_mbedtls.c | 6
1 files changed, 0 insertions, 6 deletions
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 45078db4..4c787da2 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -1667,12 +1667,6 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
plugin_config_socket conf;
memcpy(&conf, &defaults, sizeof(conf));
-
- /*(preserve prior behavior; not inherited)*/
- /*(forcing inheritance might break existing configs where SSL is enabled
- * by default in the global scope, but not $SERVER["socket"]=="*:80") */
- conf.ssl_enabled = 0;
-
config_plugin_value_t *cpv = ps->cvlist + ps->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
/* ignore ssl.pemfile (k_id=6); included to process global scope */
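Review bot: Dropping `conf.ssl_enabled = 0;` means the preceding `memcpy(&conf, &defaults, sizeof(conf));` now carries the global-scope ssl.engine value into every $SERVER["socket"] block, which is exactly the compatibility break the deleted comment ("forcing inheritance might break existing configs where SSL is enabled by default in the global scope, but not $SERVER["socket"]=="*:80"") warned about. The commit message accepts that trade-off, so this hunk should land together with a documentation/NEWS note stating that ssl.engine = "disable" is now required in clear-text socket conditions whenever ssl.engine = "enable" is set globally; otherwise an existing clear-text listener that has no ssl.engine line and no certificate will silently start expecting TLS after upgrade. Since the diffstat shown is limited to src/mod_mbedtls.c, please also confirm the same reset removal is applied consistently in the other TLS backends so that socket-level inheritance does not differ by backend.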