| Commit message | Author | Age | Files | Lines |

workaround fragile code in wolfssl/wolfcrypto/types.h
Including header blows up compile in 32-bit when lighttpd meson build
in OpenWRT on a 32-bit platform generates lighttpd config.h containing
define of SIZEOF_LONG, but not SIZEOF_LONG_LONG, and the wolfssl types.h
flubs and fails to choose an enum value used by a macro that is unused
by most consumers of the wolfssl header.

disabled by default, but can be enabled
(session tickets should be preferred)
applies to mod_openssl, mod_wolfssl, mod_nss
session cache is not currently implemented in mod_mbedtls or mod_gnutls

wrap additional code in preprocessor defines to check if enabled in lib

(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)
If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.
As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browsers (besides Opera)

(thx dirk)

(thx dirk)
nss/alghmac.h might not exist

need to build wolfSSL library with --enable-alpn for ALPN
even if already building wolfSSL library with --enable-opensslall
(sigh)
ALPN is required by the HTTP/2 specification

crippled functionality if wolfssl library not built --enable-opensslall
* SNI not handled since SNI callbacks are disabled in wolfSSL library
unless the wolfSSL library is built with --enable-opensslall
This means that there is only one certificate per listening socket --
no certificate selection based on server name indication (SNI)
and is additionally a violation of the HTTP/2 specification,
which requires SNI.
slightly reduced functionality if wolfssl not built --enable-opensslall
* disable client certificate verification (error out if in lighttpd.conf)
* omit SSL_CIPHER_USEKEYSIZE, SSL_CIPHER_ALGKEYSIZE env vars

(lighttpd base executable depends on crypto lib for rand functionality,
so the crypto library was already being loaded -- no missing symbols)

OpenBSD crypt() does not support (insecure) crypt-des or crypt-md5

(thx brad)

(thx stbuehler)

(thx stbuehler)

(thx avij)
must update the cached copy of global scope config after cycling log.
Although (accesslog_st *) is modified in-place, the log_access_fd member
of (accesslog_st *) is copied into the cache and must be updated after
cycling logs in the global scope.

NetBSD dirent.h improperly hides fdopendir() (POSIX.1-2008) declaration
which should be visible w/ _XOPEN_SOURCE 700 or _POSIX_C_SOURCE 200809L

Use more portable shell function definition, better supported by /bin/sh
Some /bin/sh, e.g. dash, do not support trap on ERR,
so that will issue some trace and will not trigger on ERR,
but the rest of the script runs fine.

some distro packages deploy NSS includes under nss/, others nss3/
(and similar for nspr/ vs nspr4/)

basic algorithms fail if NSS library has not been init'd (WTH)
lighttpd defers initialization of rand and crypto until first use
to attempt to avoid long, blocking init at startup while waiting
for sufficient system entropy to become available

(bug on master branch; never released)

use inline funcs in sys-crypto-md.h for consistency
and to avoid compiler warnings when result is ignored

(bug on master branch; never released)
fix fd sharing in chunkqueue_steal_partial_file_chunk()

The code originates from https://github.com/litespeedtech/ls-hpack
and is explicitly documented as not needing to be initialized.
x-ref:
https://github.com/litespeedtech/ls-hpack/commit/634c69215f8646653bb4cb5cf448fb943008529f
https://github.com/litespeedtech/ls-hpack/commit/d92883ca10f458b76168eee980f2ccb776917ad3

always lseek() with shared fd; remove optim to skip with offset = 0

use http_chunk_append_file_ref() and http_chunk_append_file_ref_range()
reduce resource usage (number of fds open) by reference counting open
fds to files served, and sharing the fd among FILE_CHUNKs in responses

http_chunk_append_file_ref() and http_chunk_append_file_ref_range()
to take stat_cache_entry ref and append FILE_CHUNK

future: should probably create fd cache separate from stat_cache,
perhaps along w/ http-specific fields like etag and content_type
and maybe even mmap

use large chunks since server blocks while compressing, anyway
(mod_deflate is not recommended for large files)

minimize pause during graceful restart for server.max-worker = 0 case
The previous generation continues to accept new connections until the
restarted parent signals that the restarted server is ready to accept
new connections, and so the previous server should gracefully shutdown.
This does not apply in the case of multiple workers.
When there are multiple workers, they receive SIGINT to gracefully shut
down and stop accepting new connections. While the listen sockets are
kept open (and not closed and reopened), there is a small pause while
the parent process restarts before it begins accepting new connections
from the listen backlog.
Note: there is a window during restart during which lighttpd may exit
if it receives certain signals before it sets up signal handlers.
future: might block signals (sigprocmask()) during restart, but if that
is done, then care must be taken to unblock signals in restarted server
as soon as signal handlers are set up and before any other children are
created, e.g. by modules, or else signals must be explicitly unblocked
in children. Also, during command line and config file processing,
signals would be blocked, too, which might not be ideal.

replace X509_STORE_load_locations() with X509_STORE_load_file()

update defaults after worker_init for config options in global scope
(bug on master branch; never released)