And lighttpd 1.4 is still alive :)

This release should be especially important for SSL users: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
Also check your site with the Qualys SSL Labs Server Test.
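
One way to check that a cipher list still gives the BEAST mitigation described above, as an added example (not lighttpd's own code): it walks the OpenSSL cipher string in preference order and verifies that the first suite a TLS 1.0/SSLv3 client can negotiate is RC4 rather than a CBC suite. The function names, the sample config and the SHA256/SHA384 naming heuristic are assumptions of this example.

```python
import re

# Cipher string from the release note; SAMPLE_CONF is a constructed lighttpd.conf excerpt.
PAGE_LIST = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:"
             "!MD5:!aNULL:!EDH:!AESGCM")
SAMPLE_CONF = '# constructed sample\nssl.engine = "enable"\n' \
              'ssl.cipher-list = "%s"\n' % PAGE_LIST

def cipher_list_from_conf(conf_text):
    """Return the last uncommented ssl.cipher-list value, or None."""
    hits = re.findall(r'^\s*ssl\.cipher-list\s*=\s*"([^"]*)"', conf_text, re.M)
    return hits[-1] if hits else None

def tls12_only(name):
    # Heuristic (assumption): OpenSSL suite names ending in SHA256/SHA384 are
    # TLS 1.2 suites, which a TLS 1.0 or SSLv3 client cannot negotiate.
    return name.endswith(("SHA256", "SHA384"))

def beast_check(cipher_list):
    """Return (ok, reason); ok means pre-TLS-1.1 clients get RC4 before any CBC suite."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_list.strip()) if t]
    if any(t[0] in "+-@" for t in tokens):
        return False, "reordering tokens (+, -, @) are not modelled; review by hand"
    banned = {t[1:].upper() for t in tokens if t[0] == "!"}
    for t in tokens:
        name = t.upper()
        if t[0] == "!" or tls12_only(name) or name in banned:
            continue
        if name.startswith("RC4"):
            if "RC4" in banned:
                continue  # "!RC4" removes every RC4 suite permanently
            return True, "legacy clients are offered %s first" % t
        # Anything else (AES256-SHA, HIGH, ...) can select a CBC suite in TLS 1.0.
        return False, "legacy clients can reach %s before any RC4 suite" % t
    return False, "no suite is left for TLS 1.0 clients"

if __name__ == "__main__":
    for candidate in (cipher_list_from_conf(SAMPLE_CONF), "HIGH:RC4-SHA:!aNULL"):
        print(candidate, "->", beast_check(candidate))
```

The check models the trade-off this release note describes; RC4 was later prohibited for TLS by RFC 7465, so a passing result says nothing about whether the list is acceptable today.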

Important changes

  • [mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
  • ssl: disable client initiated renegotiations
  • ssl: support mitigating BEAST attack
  • fix connection stalls


In the comments for 1.4.29 we were asked for a Launchpad repository for Ubuntu. This is not going to happen (Launchpad sucks), but we have repositories for some dists on
Check out GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on


July 03, 2011

Important changes

  • solve name conflict of md5 functions with OpenSSL lib
  • mod_proxy, mod_cgi and other mod_*cgi fixes
  • ssl improvements
  • Native Solaris ports fdevent handler “solaris-eventports”



August 22, 2010

1.4.27 introduced some serious bugs in our fdevent system; one resulted in segfaults with FreeBSD;
this should be fixed now.