1.4.67
September 17, 2022
Important changes
bugfixes
Future Scheduled Behavior Changes
- TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries.
  https://wiki.lighttpd.net/Docs_SSL
  - new defaults:
    "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
    "Options" => "-ServerPreference"
  - old defaults:
    "CipherString" => "HIGH"
    "Options" => "ServerPreference"
- Deprecated TLS options will be removed.
  - ssl.honor-cipher-order
  - ssl.dh-file
  - ssl.ec-curve
  - ssl.disable-client-renegotiation
  - ssl.use-sslv2
  - ssl.use-sslv3
  See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
- Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
  Please post on lighttpd forums to share feedback if you use these modules.
  Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  - Deprecated: mod_evasive will be removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  - Deprecated: mod_secdownload will be removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.
  - Deprecated: mod_uploadprogress will be removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  - Deprecated: mod_usertrack will be removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.
Downloads
- lighttpd-1.4.67.tar.gz (GPG signature)
  - SHA256: de3c783a0ec3459e7e36a5ef08e13482d8640b339570dd036dfd456a6f7bb312
- lighttpd-1.4.67.tar.xz (GPG signature)
  - SHA256: 7e04d767f51a8d824b32e2483ef2950982920d427d1272ef4667f49d6f89f358
- SHA256 checksums
- SHA512 checksums
Changes from 1.4.66
- Update comment about TCP_INFO on OpenBSD
- [mod_ajp13] fix crash with bad response headers (fixes #3170)
- [core] handle RDHUP when collecting chunked body
- [core] tweak streaming request body to backends
- [core] handle ENOSPC with pwritev() (#3171)
- [core] manually calculate off_t max (fixes #3171)
- [autoconf] force large file support (#3171)
- [multiple] quiet coverity warnings using casts
- [meson] add license keyword to project declaration