Bug#729480: marked as done (SSL connections with client certificates no longer working)

[Debian Bug Tracking System]

Your message dated Thu, 05 Dec 2013 21:17:19 +0000
with message-id <e1vogir-0004yv...@franck.debian.org>
and subject line Bug#729480: fixed in lighttpd 1.4.31-4+deb7u2
has caused the Debian Bug report #729480,
regarding SSL connections with client certificates no longer working
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: lighttpd
Version: 1.4.31-4+deb7u1
Severity: important

I am running a webserver that only offers https and normally requires
client certificates. When I install the security upgrade
1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
hitting reload in a client, it works 5-10 times) no more connections
with client certificates succeed.

Firefox reports "connection was interrupted", chrome
ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages saying:
 (connections.c.305) SSL: 1 error:140D9115:SSL 
 routines:SSL_GET_PREV_SESSION:session id context uninitialized

"regualar" https-Connections (w/o client certificate) continue to
work. After restarting lighttpd, everything works again for a little
while, then trouble starts again.

With lighttpd 1.4.31-4 everything works fine; this problem definitely
has been introduced with the security patches for 1.4.31-4+deb7u1.

--- End Message ---

--- Begin Message ---

Source: lighttpd
Source-Version: 1.4.31-4+deb7u2

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 14 Nov 2013 10:55:41 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost 
lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet 
lighttpd-mod-webdav
Architecture: source i386 all
Version: 1.4.31-4+deb7u2
Distribution: stable-security
Urgency: high
Maintainer: Debian lighttpd maintainers 
<pkg-lighttpd-maintain...@lists.alioth.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description: 
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 729480 729555
Changes: 
 lighttpd (1.4.31-4+deb7u2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by fix for cve-2013-4508, related to client
     certificates and SNI. Closes: #729555, #729480
Checksums-Sha1: 
 21937c02aad20e15b6b3462ca57f5d8745b73a85 2040 lighttpd_1.4.31-4+deb7u2.dsc
 11616c7aa7de721a07c316010aa970c4d19b6a8a 33310 
lighttpd_1.4.31-4+deb7u2.debian.tar.gz
 38d6f15e2fc94a259122c1ba0eefd15a6aa9bbe0 297994 
lighttpd_1.4.31-4+deb7u2_i386.deb
 202ec8cd938af46615c08249fb39747cd217fe82 64468 
lighttpd-doc_1.4.31-4+deb7u2_all.deb
 77908b959660c3b28acc3f2c229417bd6df2b816 20104 
lighttpd-mod-mysql-vhost_1.4.31-4+deb7u2_i386.deb
 bd7d20489b87af5045f02030699264f3434d9c13 21564 
lighttpd-mod-trigger-b4-dl_1.4.31-4+deb7u2_i386.deb
 d6f02a954d0ae79cd79a69ab4c05c659eb6cd57a 25468 
lighttpd-mod-cml_1.4.31-4+deb7u2_i386.deb
 3aa8f1f807064b717417d1adbb7941b1252cdd17 26434 
lighttpd-mod-magnet_1.4.31-4+deb7u2_i386.deb
 bd3dbc06b1f27a6a733d055be8b8e3088dcfaffd 32694 
lighttpd-mod-webdav_1.4.31-4+deb7u2_i386.deb
Checksums-Sha256: 
 e045f7869412025e4f0d94055ee7048ab103524819cf13da9e9b462b4eb9fbd5 2040 
lighttpd_1.4.31-4+deb7u2.dsc
 d225e7f634fa80374b4610e134c767d911dac77da4b3556b84b603d0e938a4d9 33310 
lighttpd_1.4.31-4+deb7u2.debian.tar.gz
 171c3d2849ff1b3a05f385c84f45d5f1d0aa570f0abbeff6365956376a885453 297994 
lighttpd_1.4.31-4+deb7u2_i386.deb
 56f36c5831c4e5723f3d2f141d4eb58c44a4e0452d174e9d682820b9cc32a2a3 64468 
lighttpd-doc_1.4.31-4+deb7u2_all.deb
 172ddc03da23b745002f274844518e1a5bf295067a8ee61c301942265d84aa27 20104 
lighttpd-mod-mysql-vhost_1.4.31-4+deb7u2_i386.deb
 c177bf3ce4251f5ea5dacbdf86fff90b73d81aa309edfa524cef79437a2c47d1 21564 
lighttpd-mod-trigger-b4-dl_1.4.31-4+deb7u2_i386.deb
 247d664c5ec9185c0bfe001c13b69f147fd6a35fde8b4ad40192e82c71611ced 25468 
lighttpd-mod-cml_1.4.31-4+deb7u2_i386.deb
 1320a068239840bb7a537484fc807c0f0b69f7a0776d21cab0be669a048a85fa 26434 
lighttpd-mod-magnet_1.4.31-4+deb7u2_i386.deb
 8754bcccaeaca96ec7b5c31c59e15c21e27fd1c86bb4fd659fdb89d136e3503c 32694 
lighttpd-mod-webdav_1.4.31-4+deb7u2_i386.deb
Files: 
 a8323e59728abfab9aada0e14550e16f 2040 httpd optional 
lighttpd_1.4.31-4+deb7u2.dsc
 961b3e3f674d7cacfafe8c6fe5fd4fed 33310 httpd optional 
lighttpd_1.4.31-4+deb7u2.debian.tar.gz
 5bd7eeed328a17f48f53a5196cf4f13a 297994 httpd optional 
lighttpd_1.4.31-4+deb7u2_i386.deb
 aaea994808cc5434c83b664c16606345 64468 doc optional 
lighttpd-doc_1.4.31-4+deb7u2_all.deb
 1fff33bb6d6351323ad7dafc37871318 20104 httpd optional 
lighttpd-mod-mysql-vhost_1.4.31-4+deb7u2_i386.deb
 f037a035678193efc8b085efc2c2938d 21564 httpd optional 
lighttpd-mod-trigger-b4-dl_1.4.31-4+deb7u2_i386.deb
 182f0d21feaf3c046ca1eb70f7a3aeb5 25468 httpd optional 
lighttpd-mod-cml_1.4.31-4+deb7u2_i386.deb
 4a8b4f414b29553298e8fbfea6ccfabb 26434 httpd optional 
lighttpd-mod-magnet_1.4.31-4+deb7u2_i386.deb
 9518407cd79fbefc283d4f5ce71dc41f 32694 httpd optional 
lighttpd-mod-webdav_1.4.31-4+deb7u2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iD8DBQFShKLpbxelr8HyTqQRAsgAAJ9OHoHxh55UTnANLJaf0gjF49f5XACgkrBr
Iwc6oRCSjaRiNHj4PdrsegI=
=iuwe
-----END PGP SIGNATURE-----

--- End Message ---