Cc'ing the port maintainer. Walter Haidinger <walter.haidin...@gmx.at> writes:
> Hi!
>
> tl;dr: fixed upstream, quick patch for 5.9/6.0 below.
>
> SSL support in lighttpd of OpenBSD 5.9 (1.3.36) and
> OpenBSD 6.0 (1.3.38) is broken.
>
> Note: already fixed by upstream in 1.4.40:
> https://redmine.lighttpd.net/issues/2729
>
> Details and (upstream) patch:
> https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/1ca52fdce3b87f7748dd5db6f59d738ed7a9efe1/diff/src/network.c
>
> When running lighttpd of OpenBSD 6.0, the error message is:
> (network.c.773) SSL: error:00000000:lib(0):func(0):reason(0)
>
> The following (crude) patch simply removes the check for SSLv2
> and SSLv3 (it's vs. OpenBSD 6.0 lighttpd-1.4.38p1.tgz):

IMO it would be better to use the same diff as upstream.

(flag & SSL_CTX_set_options() != flag)

This code looks broken since when we disabled SSLv2 in LibreSSL. It
shows how much lighty is actually used...

> --- src/network.c.orig Fri Dec 4 22:13:47 2015 > +++ src/network.c Sat Sep 10 16:00:32 2016 > @@ -766,7 +766,7 @@ > > SSL_CTX_set_options(s->ssl_ctx, ssloptions); > SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback); > - > +#if 0 > if (!s->ssl_use_sslv2) { > /* disable SSLv2 */ > if (!(SSL_OP_NO_SSLv2 & > SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) { > @@ -784,7 +784,7 @@ > return -1; > } > } > - > +#endif > if (!buffer_string_is_empty(s->ssl_cipher_list)) { > /* Disable support for low encryption ciphers */ > if (SSL_CTX_set_cipher_list(s->ssl_ctx, > s->ssl_cipher_list->ptr) != 1) {
>
> BR,
> Walter
>
> PS: quick howto:
>
> The following works for OpenBSD 6.0 (tested i386), see
> https://www.openbsd.org/faq/faq15.html#PortsInstall
> for more information on building from ports.
>
> save patch as:
> /usr/ports/www/lighttpd/patches/patch-src_network_c
>
> cd /usr/ports/www/lighttpd
> make
> make install
> make clean
> /etc/rc.d/lighttpd start

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
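
Review bot: the `#if 0` added at @@ -766 compiles out the `SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)` call itself, not only the test of its return value, because the call sits inside the `if` condition. With the block disabled, an unset `s->ssl_use_sslv2` (and, per the description, the SSLv3 counterpart between the two hunks) no longer sets any `SSL_OP_NO_*` option, so the enabled protocol versions depend only on `ssloptions` and the library defaults. Suggest keeping the calls and changing only how the returned mask is compared, which is what taking the upstream diff would do.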
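
Review bot: the `#endif` at @@ -784 closes a region opened in the previous hunk, and neither directive carries a comment saying why the code is disabled or when it can return. Suggest a short comment next to `#if 0` pointing at the upstream issue (https://redmine.lighttpd.net/issues/2729) so the port patch gets dropped once the port moves to a release that contains the upstream fix.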