Talk:Lighttpd

From ArchWiki

FastCGI

Isn't it true that fastcgi is already a stand-alone lighttpd module? Why do you need to install it with pacman? I just removed it and everything kept working.

As explained at https://bbs.archlinux.org/viewtopic.php?id=189753, I suppose CGI should be configured before running FCGI. Costis (talk) 01:49, 12 November 2014 (UTC)
That section of the wiki may be incorrect. Ichimonji10 (talk) 22:21, 12 November 2014 (UTC)

ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")

See https://redmine.lighttpd.net/issues/2912

Lighttpd enables ssl.disable-client-renegotiation by default to mitigate CVE-2009-3555.

On the other hand, TLS 1.3 has banned version renegotiation. See RFC 8446.

  Because TLS 1.3 forbids renegotiation, if a server has negotiated
  TLS 1.3 and receives a ClientHello at any other time, it MUST
  terminate the connection with an "unexpected_message" alert.
  If a server established a TLS connection with a previous version of
  TLS and receives a TLS 1.3 ClientHello in a renegotiation, it MUST
  retain the previous protocol version.  In particular, it MUST NOT
  negotiate TLS 1.3.

But Lighttpd 1.4.51 does not support it fully yet. The version renegotiation detection logic in Lighttpd can't be applied to TLS 1.3. So some browsers, such as Firefox, cannot connect to Lighttpd correctly.

Explicitly negotiating TLS 1.2 avoids this issue.

ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")

"ssl.disable-client-renegotiation = no" can also avoid this issue, but it reintroduces the security risk of CVE-2009-3555.

This bug will be fixed in future versions of Lighttpd.
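The two workarounds discussed above, shown side by side in a minimal HTTPS vhost. This is an added example, not configuration from the ArchWiki page or from the lighttpd project; the certificate path and the port binding are placeholders, and it assumes lighttpd 1.4.46 or later with mod_openssl, where ssl.openssl.ssl-conf-cmd is passed through to OpenSSL's SSL_CONF_cmd.

```conf
# Added example (not from the ArchWiki talk page or the lighttpd project):
# a minimal lighttpd 1.4.x HTTPS vhost showing the safe workaround for the
# 1.4.51 TLS 1.3 renegotiation-detection bug next to the unsafe one.
# The certificate path is a placeholder.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/www.example.org.pem"   # placeholder path

    # Safe workaround: keep the default refusal of client-initiated
    # renegotiation (mitigates CVE-2009-3555) and pin the handshake to
    # TLS 1.2, so the renegotiation-detection logic never sees a TLS 1.3
    # session and TLS 1.3-capable browsers such as Firefox fall back cleanly.
    ssl.disable-client-renegotiation = "enable"
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")

    # Unsafe alternative from the talk page: re-allowing renegotiation also
    # lets TLS 1.3 clients connect, but re-exposes CVE-2009-3555. Left
    # commented out on purpose.
    # ssl.disable-client-renegotiation = "disable"
}
```

Treat the Protocol pin as a temporary measure and drop it once a lighttpd release that handles TLS 1.3 renegotiation correctly is installed, otherwise the server stays capped at TLS 1.2 for no reason. On OpenSSL 1.1.0 and later the same cap can be written as ("MinProtocol" => "TLSv1.2", "MaxProtocol" => "TLSv1.2"), which are the non-deprecated SSL_CONF_cmd keys; either form works with lighttpd's pass-through. After reloading, verify with `openssl s_client -connect host:443 -tls1_3`, which should be refused, and `-tls1_2`, which should succeed.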