March 13, 2024

Important changes

  • incrementally stronger TLS cipher defaults; bug fixes


Behavior Changes: (previously announced)

  • TLS cipher defaults have been incrementally updated to stronger defaults.
    New defaults are forward-secret and support authenticated encryption (AEAD).
    New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
    Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
    Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life).
    Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: the default url.redirect-code for HTTP/1.1 and later has been changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect-code is not explicitly set in lighttpd.conf). Unlike 301, a 308 does not allow the client to change the request method (e.g. POST to GET) when following the redirect.
    RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)
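As an added check for the cipher change above (example code written for these notes, not lighttpd's own; the embedded `openssl ciphers -v` sample output is constructed), the script below parses `openssl ciphers -v` output and flags any suite that lacks forward secrecy or AEAD, or that the new default's `!PSK:!DHE` exclusions are meant to drop:

```python
"""Audit an OpenSSL cipher string for forward secrecy and AEAD.

Added example for these release notes; it is not lighttpd code.
It parses the output of `openssl ciphers -v <cipherstring>` and flags
every suite that is not forward-secret, is not AEAD, or would be dropped
by the new default's `!PSK:!DHE` exclusions.  With `openssl` on PATH it
audits the live cipher strings; otherwise it falls back to the
constructed sample output below.
"""
from __future__ import annotations

import re
import shutil
import subprocess

NEW_DEFAULT = "EECDH+AESGCM:CHACHA20:!PSK:!DHE"  # lighttpd 1.4.75 default
OLD_DEFAULT = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"

# Constructed sample in the layout `openssl ciphers -v` prints; it mixes
# acceptable suites with ones the new default is meant to exclude.
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)               Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256)            Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128)            Mac=AEAD
"""

# One `-v` line: name, protocol, then Kx=, Au=, Enc=, Mac= fields.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Key-exchange values that give forward secrecy.  "any" is how OpenSSL
# labels TLSv1.3 suites, whose key exchange is always ephemeral (EC)DHE.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def parse_ciphers_v(text: str) -> list[dict[str, str]]:
    """Turn `openssl ciphers -v` output into one dict per suite."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:  # skip blank or unexpected lines rather than guessing
            suites.append(m.groupdict())
    return suites


def audit(text: str, allow_dhe: bool = False) -> dict[str, list[str]]:
    """Return {suite name: [reasons]} for every suite that fails policy.

    Policy: forward secrecy and AEAD always; finite-field DHE and PSK are
    rejected unless explicitly allowed, matching the `!DHE` and `!PSK`
    exclusions in the new lighttpd default.
    """
    findings: dict[str, list[str]] = {}
    for s in parse_ciphers_v(text):
        reasons = []
        if s["kx"] not in FORWARD_SECRET_KX:
            reasons.append(f"no forward secrecy (Kx={s['kx']})")
        if s["mac"] != "AEAD":
            reasons.append(f"not AEAD (Mac={s['mac']})")
        if s["kx"] == "DH" and not allow_dhe:
            reasons.append("finite-field DHE (excluded by !DHE)")
        if "PSK" in (s["kx"], s["au"]):
            reasons.append("pre-shared key (excluded by !PSK)")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def openssl_ciphers_v(cipher_string: str) -> str | None:
    """Expand a cipher string with the local OpenSSL, or None if absent."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


def report(label: str, text: str) -> None:
    findings = audit(text)
    print(f"[{label}] {len(findings)} suite(s) fail policy")
    for name, reasons in findings.items():
        print(f"  {name}: {'; '.join(reasons)}")


def main() -> None:
    if shutil.which("openssl") is None:
        print("openssl not found; auditing the constructed sample instead")
        report("sample", SAMPLE_OUTPUT)
        return
    for label, cs in (("new default", NEW_DEFAULT),
                      ("previous default", OLD_DEFAULT)):
        expanded = openssl_ciphers_v(cs)
        report(label, expanded if expanded is not None else "")


if __name__ == "__main__":
    main()
```

With `openssl` on PATH the script expands both the new and the previous default against the local OpenSSL build and lists any suite failing the policy; a cipher string set explicitly in lighttpd.conf through ssl.openssl.ssl-conf-cmd ("CipherString" => ...) (a lighttpd directive not mentioned in these notes) can be checked the same way by passing it to openssl_ciphers_v().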

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default.
    Proposed default: MinProtocol TLSv1.3
    Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403).
    Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high-performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet

Changes from 1.4.74

  • [mod_redirect] url.redirect-code = 308 new default
  • [ls-hpack] more portability fixes for sys/queue.h
  • [ls-hpack] update version to 2.3.3
  • [TLS] default to stronger ciphers w/ PFS and AEAD
  • [ci] apt-get install build-essential on Ubuntu
  • [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
  • [mod_authn_sasl] translate SASL_LOG_* to syslog
  • [build] include src/compat/sys/queue.h in tarball
  • [core] fdlog_openlog(), fdlog_closelog()
  • [mod_accesslog] fdlog_openlog() if using syslog
  • [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
  • [ci] limit github ci to specific branches
  • [ci] prefer non-login shell for Cygwin CI build
  • [ci] prefer dash for Cygwin and MSYS2 builds
  • [mod_wstunnel] fix server.ping-interval w/ HTTP/2
  • [mod_dirlisting] fix suffix display of ‘/’ on file (fixes #3242)
  • [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
  • [mod_openssl] faster ASN1_TIME parse
  • [mod_wolfssl] faster ASN1_TIME parse
  • [doc] update TLS comment in sample lighttpd.conf