Hi,

On Thu, 14 Nov 2013 12:48:04 +0100
Roland Koebler <r.koeb...@yahoo.de> wrote:

> Hmm, here it *is* completely broken. I've attached a minimized
> config-file. If the "$HTTP"-section or the "ssl.ca-file"-line is
> removed, I can connect to lighttpd with SSL again; but if they are
> there, no SSL-connections are possible.

Let me just quote the config for reference:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/private/mycert.pem"
        ssl.ca-file = "/etc/ssl/private/mycert.ca"
}

$HTTP["host"] =~ "^(www\.)?example.com" {
        ssl.pemfile = "/etc/ssl/private/mycert2.pem"
        ssl.ca-file = "/etc/ssl/private/mycert2.ca"
}

and from
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

>> Each SSL_CTX also gets loaded with all values for 
>> ssl.ca-file from all blocks in the config.

As only new OpenSSL versions have X509_STORE and the API still looks
incomplete/broken, the ssl.ca-file certificates need to be preloaded
into all SSL_CTXs (previously we had an SSL_CTX for each SNI host, but
that didn't work well; that was the basic problem behind the security
bug). If X509_STORE worked, I could set it dynamically like the PEM
file.


My guess is that the two private CAs you configured have a name
(Issuer/Subject) conflict; in that case OpenSSL probably can't figure
out which one to use.

Can you confirm this?

This should probably be mentioned in debian/NEWS.

regards,
Stefan


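The following is an added example, not part of this bug thread and not lighttpd's own code, that reproduces the situation Stefan describes: after lighttpd_sa_2013_01, every ssl.ca-file from every config block ends up in every SSL_CTX, so two private CAs intended for different vhosts share one trust store. The script builds two self-signed CAs with an identical Subject (the constructed name "Private CA"), signs a leaf certificate with the second one, reports the Subject collision across the two CA files the way a practitioner would check Roland's setup, and then verifies the leaf against the second CA alone and against the merged store. It assumes only the openssl CLI; all file names, keys and subjects are generated on the fly.

```shell
#!/bin/sh
# Added example (not from the bug thread or lighttpd): show what the merged
# ssl.ca-file trust store looks like and detect colliding CA Subject names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config for a hand-rolled private CA. Assumed/constructed:
# the CN "Private CA" is shared by both CAs on purpose.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
default_md         = sha256
prompt             = no
[ dn ]
CN = Private CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Print every Subject that occurs in more than one certificate across the
# given PEM files (bundles are split into single certificates first).
# One RFC 2253 subject per line; empty output means no conflict.
find_subject_conflicts() {
    tmp=$(mktemp -d)
    n=0
    for file in "$@"; do
        n=$(awk -v dir="$tmp" -v n="$n" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%d.pem", dir, n) }
            out != "" { print > out }
            /-----END CERTIFICATE-----/ { close(out); out = "" }
            END { print n }' "$file")
    done
    for cert in "$tmp"/*.pem; do
        [ -f "$cert" ] || continue
        openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
            | sed 's/^subject=[[:space:]]*//'
    done | sort | uniq -d
    rm -rf "$tmp"
}

# $1 = CA file (single cert or bundle), $2 = certificate to check.
# Echoes OK or FAIL instead of relying on openssl's exit status directly.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# $1 = basename; creates a self-signed CA (key + cert) with the shared Subject.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 30 2>/dev/null
}

# Two CAs with the same Subject but different keys: what the two vhosts'
# ssl.ca-file entries would look like in Roland's case.
make_ca ca1
make_ca ca2

# A leaf issued by ca2 only (constructed name, stands in for mycert2.pem).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca2.pem" -CAkey "$WORK/ca2.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 30 2>/dev/null

# lighttpd now loads both ca-files into the same SSL_CTX: model that as a
# single bundle, ca1 first so the "wrong" issuer is the first name match.
cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/merged.pem"

echo "Subjects present in more than one CA cert:"
find_subject_conflicts "$WORK/ca1.pem" "$WORK/ca2.pem"
echo "leaf vs ca2 alone:    $(verify_against "$WORK/ca2.pem" "$WORK/leaf.pem")"
# Whether the merged store verifies depends on the OpenSSL version and on
# whether the CAs carry key identifiers that let the chain builder tell
# two same-named issuers apart; it is reported, not asserted.
echo "leaf vs merged store: $(verify_against "$WORK/merged.pem" "$WORK/leaf.pem")"
```

Run it as `sh check-ca-conflict.sh`. If the first command prints a Subject, that is exactly the name conflict Stefan asks Roland to confirm; giving each private CA a distinct Subject (or adding subjectKeyIdentifier/authorityKeyIdentifier to the CA certificates) is what lets one shared store hold both.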