Talk:Lighttpd
FastCGI
Isn't it true that fastcgi is already a stand-alone lighttpd module? Why do you need to install it with pacman? I just removed it and everything kept working. —This unsigned comment is by Chronozphere (talk) 23:09, 23 October 2012 (UTC). Please sign your posts with ~~~~!
- As explained at https://bbs.archlinux.org/viewtopic.php?id=189753 I suppose CGI should be configured, before running FCGI. Costis (talk) 01:49, 12 November 2014 (UTC)
- That section of the wiki may be incorrect. Ichimonji10 (talk) 22:21, 12 November 2014 (UTC)
ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
See https://redmine.lighttpd.net/issues/2912
Lighttpd is enabled ssl.disable-client-renegotiation by default to mitigate CVE-2009-3555.
On the other hand, TLS 1.3 has banned version renegotiation. See RFC8446.
Because TLS 1.3 forbids renegotiation, if a server has negotiated TLS 1.3 and receives a ClientHello at any other time, it MUST terminate the connection with an "unexpected_message" alert.
If a server established a TLS connection with a previous version of TLS and receives a TLS 1.3 ClientHello in a renegotiation, it MUST retain the previous protocol version. In particular, it MUST NOT negotiate TLS 1.3.
But Lighttpd 1.4.51 does not support it fully yet. Version renegotiation detection logic in Lighttpd can't apply TLS 1.3. So some browsers such as Firefox cannot connect to Lighttpd correctly.
Explicit negotiating over TLS 1.2 avoids this issue.
ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
"ssl.disable-client-renegotiation = no" can also avoid this issue, but it will make the security risk CVE-2009-3555.
This bug will be fixed in future versions of Lighttpd.
—This unsigned comment is by Wjn (talk) 18:33, 28 October 2018 (UTC). Please sign your posts with ~~~~!