Hi,

On Thu, 14 Nov 2013 12:48:04 +0100 Roland Koebler <r.koeb...@yahoo.de> wrote:
> Hmm, here it *is* completely broken. I've attached a minimized
> config-file. If the "$HTTP"-section or the "ssl.ca-file"-line is
> removed, I can connect to lighttpd with SSL again; but if they are
> there, no SSL-connections are possible.

Let me just quote the config for reference:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/private/mycert.pem"
    ssl.ca-file = "/etc/ssl/private/mycert.ca"
}

$HTTP["host"] =~ "^(www\.)?example.com" {
    ssl.pemfile = "/etc/ssl/private/mycert2.pem"
    ssl.ca-file = "/etc/ssl/private/mycert2.ca"
}

and from http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

>> Each SSL_CTX also gets loaded with all values for
>> ssl.ca-file from all blocks in the config.

As only new openssl versions have X509_STORE and the API still looks
incomplete / broken, the ssl.ca-file certificates need to be preloaded
into all SSL_CTX (previously we had a SSL_CTX for each SNI host, but that
didn't work well - that was the basic problem behind the security bug);
if X509_STORE would work I could set it dynamically like the pem file.

My guess is that the two private CAs you configured have a name
(Issuer/Subject) conflict; in that case openssl probably can't figure
out which one to use. Can you confirm this?

This should probably be mentioned in debian/NEWS.

regards,
Stefan
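One way to check the name-conflict guess made above, as an added script that is not from the thread and not lighttpd's own tooling: it lists the subject of every certificate in each configured ssl.ca-file and reports any subject that occurs in more than one file, which is the situation the maintainer describes when every ssl.ca-file is loaded into every SSL_CTX. It assumes the openssl command-line tool is installed and that the file paths contain no whitespace.

```shell
#!/bin/sh
# Added check (not from the bug thread): since lighttpd preloads the
# certificates of every ssl.ca-file into every SSL_CTX, two CA files whose
# certificates share a subject name end up in the same store. This script
# walks each bundle and flags subjects seen in more than one file.
# Assumes the openssl CLI is available and paths contain no whitespace.

# Print "file<TAB>subject" for every certificate in one PEM bundle.
# crl2pkcs7 | pkcs7 -print_certs is the stock way to enumerate a bundle,
# and works with both "subject=/CN=x" and "subject=CN = x" output styles.
ca_subjects() {
    f=$1
    openssl crl2pkcs7 -nocrl -certfile "$f" |
        openssl pkcs7 -print_certs -noout |
        awk -v f="$f" '/^subject=/ { sub(/^subject=[ \t]*/, ""); print f "\t" $0 }'
}

# Report subjects shared by two or more of the given ssl.ca-file paths.
# Exit status: 0 = no conflict, 1 = at least one shared subject,
# 2 = a file could not be read (so an empty listing is not mistaken for "ok").
ca_conflicts() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    for f in "$@"; do ca_subjects "$f"; done |
        awk -F '\t' '
            {
                key = $2 SUBSEP $1           # (subject, file) pair
                if (!(key in seen)) {        # count each file once per subject
                    seen[key] = 1
                    count[$2]++
                    where[$2] = where[$2] " " $1
                }
            }
            END {
                rc = 0
                for (s in count)
                    if (count[s] > 1) { print "conflict: " s " in" where[s]; rc = 1 }
                exit rc
            }'
}
```

Run it as `ca_conflicts /etc/ssl/private/mycert.ca /etc/ssl/private/mycert2.ca` with the paths from the config; a non-zero exit with a "conflict:" line means the two CA files carry a certificate with the same subject.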