Hi, On Wed, 13 Nov 2013 13:51:30 +0100 gator...@yahoo.de wrote:
> Package: lighttpd
> Version: 1.4.31-4+deb7u1
> Severity: important
>
> I am running a webserver that only offers https and normally requires
> client certificates. When I install the security upgrade
> 1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
> hitting reload in a client, it works 5-10 times) no more connections
> with client certificates succeed.
>
> Firefox reports "connection was interrupted", chrome
> ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages
> saying: (connections.c.305) SSL: 1 error:140D9115:SSL
> routines:SSL_GET_PREV_SESSION:session id context uninitialized
>
> "regular" https connections (w/o client certificate) continue to
> work. After restarting lighttpd, everything works again for a little
> while, then trouble starts again.
>
> With lighttpd 1.4.31-4 everything works fine; this problem definitely
> has been introduced with the security patches for 1.4.31-4+deb7u1.

Damn.

Previously we called SSL_CTX_set_session_id_context and set some internal pointer as the context, but only if the context was for enabled "verify-peer". As we now enable "verify-peer" for a connection on the fly, this part was removed from the code. After all, why would it be necessary to set a context only if we had to verify peers? (Also setting an internal pointer felt wrong.)

Turns out, that is exactly what openssl wants, without any good reason (quoting ssl_sess.c:~564):

    /* We can't be sure if this session is being used out of
     * context, which is especially important for SSL_VERIFY_PEER.
     * The application should have used SSL[_CTX]_set_session_id_context.
     *
     * For this error case, we generate an error instead of treating
     * the event like a cache miss (otherwise it would be easy for
     * applications to effectively disable the session cache by
     * accident without anyone noticing).
     */

I don't think I'll ever use openssl in any software again...
As I'm not sure yet what the context should actually be (setting an internal pointer is definitely wrong, setting a string like "lighttpd" might work), I don't have a patch ready yet.

Thanks for reporting!

regards,
Stefan (upstream maintainer)