Skip to content

lighty developer blog

PRE-RELEASE: lighttpd 1.4.33rc1-r2901

We would like to draw your attention to the latest pre-release of the stable 1.4 branch of lighttpd.

You can get the pre-release from these urls:

Please test it as much as possible and provide us with feedback.\ A lot of testing ensures a good release.

Mitigating BEAST attack on TLS with GnuTLS

In our lighttpd 2 development branch we use modules to implement SSL support; this allows us to support different ssl libraries, and today I want to talk about mod_gnutls.

SSL/TLS had some trouble. On the one hand there is the BEAST attack, which recommends using RC4 for SSL3.0 and TLS1.0 connections and on the other hand RC4 in TLS is broken.

So while some clients may support TLS1.1 or even TLS1.2, you still have to support RC4 for those which don’t, but you also don’t want to allow RC4 for clients that support TLS1.1 or TLS1.2. Most server configurations can’t handle that - but mod_gnutls can, using a nice hook function1 in GnuTLS (PolarSSL supports this directly too, and Hiawatha is using it).

Basically it will just append ":-CIPHER-ALL:+ARCFOUR-128" to your priority string (similar to ciphers in OpenSSL) if the connection uses TLS1.0 or SSL3.0.

I recommend "NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:%SERVER_PRECEDENCE" as priority string for GnuTLS in lighttpd2, and mod_gnutls will fix BEAST for you:

  • SSL3.0 is disabled - all clients should at least support TLS1.0 now
  • -SHA1:-MD5:+SHA1 reorders the ciphers so that SHA1 comes later and removes MD5 ciphers (there is only one supported MD5 cipher: TLS_RSA_ARCFOUR_MD5)
  • -CIPHER-ALL:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC selects the 3 ciphers we’d like to support. You could also add 128-bit ciphers if you want: :+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC.
  • %SERVER_PRECEDENCE tells the GnuTLS server to reorder the ciphers to its own preference.
  • You could add “:-RSA” to force DHE/ECDHE key exchanges which should provide perfect forward secrecy.

The recommended priority string should result in the following cipher list:

TLS_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_AES_256_CBC_SHA1
TLS_ECDHE_RSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_AES_256_CBC_SHA1
TLS_DHE_RSA_AES_256_CBC_SHA256
TLS_DHE_RSA_AES_256_CBC_SHA1
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1
TLS_DHE_DSS_AES_256_CBC_SHA256
TLS_DHE_DSS_AES_256_CBC_SHA1
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1
TLS_RSA_AES_256_CBC_SHA256
TLS_RSA_AES_256_CBC_SHA1
TLS_RSA_CAMELLIA_256_CBC_SHA1

For TLS1.0 it will use this instead (SSL3.0 is disabled):

TLS_DHE_DSS_ARCFOUR_SHA1
TLS_RSA_ARCFOUR_SHA1

With a standard RSA key it will use the following ciphers (update: we now support DHE):

TLS_ECDHE_RSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_AES_256_CBC_SHA1
TLS_DHE_RSA_AES_256_CBC_SHA256
TLS_DHE_RSA_AES_256_CBC_SHA1
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1
TLS_RSA_AES_256_CBC_SHA256
TLS_RSA_AES_256_CBC_SHA1
TLS_RSA_CAMELLIA_256_CBC_SHA1

and for TLS1.0:

TLS_RSA_ARCFOUR_SHA1

lighttpd 2 config example:

setup {
    module_load "mod_gnutls";
    gnutls [
        "priority" => "NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:%SERVER_PRECEDENCE",
        "listen" => "0.0.0.0:443",
        "pemfile" => "/ssl/certs/lighttpd_server.pem"
    ];
}

Now you can test your server (needs a recent enough version of GnuTLS that at least includes support for TLS1.1, tested with gnutls 3.0.22):

gnutls-cli --priority="NORMAL:-CIPHER-ALL:+ARCFOUR-128" example.com
gnutls-cli --priority="NORMAL:-CIPHER-ALL:+ARCFOUR-128:-VERS-TLS-ALL:+VERS-TLS1.0" example.com
gnutls-cli --priority="NORMAL:-ARCFOUR-128:-VERS-TLS-ALL:+VERS-TLS1.0" example.com

The first one should fail; GnuTLS should use TLS1.2 to connect, and RC4 won’t be available. The second command should work - it should use TLS1.0 to connect, and only RC4 should be available, and that is why the third one should fail again.

Qualys SSL Labs Server Test should detect this setup, it will show the "SSL_RSA_WITH_RC4_128_MD5" under “Suites used only for BEAST mitigation (TLS 1.0 and earlier)”.

  1. gnutls_handshake_set_post_client_hello_function 

PRE-RELEASE: lighttpd 1.4.27rc2-r2758

We would like to draw your attention to the latest pre-release of the stable 1.4 branch of lighttpd.

You can get the pre-release from these urls:
https://download.lighttpd.net/lighttpd/snapshots-1.4.x/lighttpd-1.4.27rc2-r2758.tar.gz
https://download.lighttpd.net/lighttpd/snapshots-1.4.x/lighttpd-1.4.27rc2-r2758.tar.bz2
SHA1 checksums:
https://download.lighttpd.net/lighttpd/snapshots-1.4.x/lighttpd-1.4.27rc2-r2758.sha1sum

Please test it as much as possible and provide us with feedback.
A lot of testing ensures a good release.

New changes since rc1:

We fixed a race condition with mod_cgi responses; and a similar problem in mod_proxy (forward response as soon at it is available).

There is a new fdevent handler “libev”; “linux-rtsig” got removed. The “libev” handler should support solaris ports, so it might be especially interesting on solaris.

And the last commit changes a small bit how we handle IPv6; we now disable the “dual-stack” IPv6 sockets in almost all cases, see IPv6-Config for details.

Changes already in rc1:

The most important change is the SSL_CTX_set_options fix, as lighttpd\ doesn’t start without it if you use a recent ssl library; most distributions included it with 1.4.26 for a while now.

We hope to have fixed some problems with mod_proxy and we really hope TLS SNI works now, and lighty doesn’t use the wrong certs anymore; it would be nice if you could test this :)

We fixed a segfault in mod_compress; if you disable etags, mod_compress won’t try to cache on disk anymore (and doesn’t set etag).

If no showstoppers are encountered, there will be a final release soon.