1.4.68

January 03, 2023

Important changes

  • stronger TLS defaults (as previously announced)
  • KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled
  • removal of deprecated modules

Behavior Changes (previously announced)

  • TLS modules now default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers.
    Allowing client preference in selecting ciphers is safe when combined with the restriction to modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by the underlying TLS libraries.
    Also see https://wiki.lighttpd.net/Docs_SSL
    • new defaults:
      • "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
      • "Options" => "-ServerPreference"
    • old defaults:
      • "CipherString" => "HIGH"
      • "Options" => "ServerPreference"
  • Deprecated TLS options have been removed.
    • ssl.honor-cipher-order
    • ssl.dh-file
    • ssl.ec-curve
    • ssl.disable-client-renegotiation
    • ssl.use-sslv2
    • ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
  • Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
    Please post on lighttpd forums to share feedback if you use these modules.
    Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
  • Deprecated: mod_evasive has been removed.
    mod_evasive can be replaced by mod_magnet and a few lines of lua:
    Replacement:
    https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
    https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
    https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
  • Deprecated: mod_secdownload has been removed.
    mod_secdownload can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
    mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are also available.
  • Deprecated: mod_uploadprogress has been removed.
    mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
  • Deprecated: mod_usertrack has been removed.
    mod_usertrack can be replaced by mod_magnet and a few lines of lua:
    Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
    mod_usertrack historically uses insecure MD5.
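
To see concretely what the old and new CipherString defaults above admit, here is an added example (not part of the lighttpd release notes or the lighttpd code base) that expands both strings with the local OpenSSL through Python's ssl module and flags any suite lacking forward secrecy or AEAD; it assumes a Python build linked against OpenSSL 1.1.0 or later.

```python
import ssl

# Default CipherString before and after lighttpd 1.4.68, as quoted in the notes above.
NEW_DEFAULT = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
OLD_DEFAULT = "HIGH"


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL-format cipher string with the local OpenSSL library.

    Returns (name, attrs) pairs for the TLS 1.2-and-below suites it admits,
    where attrs holds Kx/Au/Enc/Mac parsed from OpenSSL's description line.
    TLS 1.3 suites are not governed by CipherString and are skipped, as are
    PSK suites, which cannot be negotiated without a pre-shared-key callback.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3" or "PSK" in c["name"]:
            continue
        # description looks like: "NAME TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        attrs = dict(tok.split("=", 1) for tok in c["description"].split() if "=" in tok)
        suites.append((c["name"], attrs))
    return suites


def has_pfs(attrs):
    # Forward secrecy needs an ephemeral (EC)DH key exchange, not RSA key transport.
    return attrs["Kx"].startswith(("ECDH", "DH"))


def is_aead(attrs):
    # AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305) carry no separate HMAC.
    return attrs["Mac"] == "AEAD"


def audit(cipher_string):
    """Summarise a cipher string: which admitted suites lack PFS or AEAD."""
    suites = expand_cipher_string(cipher_string)
    weak = [name for name, a in suites if not (has_pfs(a) and is_aead(a))]
    return {"count": len(suites), "weak": weak,
            "all_pfs": all(has_pfs(a) for _, a in suites),
            "all_aead": all(is_aead(a) for _, a in suites)}


if __name__ == "__main__":
    for label, cs in (("new default", NEW_DEFAULT), ("old default", OLD_DEFAULT)):
        r = audit(cs)
        print(f"{label}: {r['count']} suites, all PFS: {r['all_pfs']}, all AEAD: {r['all_aead']}")
        for name in r["weak"]:
            print("  lacks PFS and/or AEAD:", name)
```

The same audit can be run against any string you pass to ssl.openssl.ssl-conf-cmd before deploying it, which is the quickest way to see whether a legacy cipher you re-enable also drags in non-PFS or CBC suites.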

Behavior Changes (not previously announced)

  • meson build: some opts have changed from type: ‘boolean’ to type: ‘feature’; build scripts using -D with_example=true or =false need to change some opts
    to =enabled, =disabled, or =auto
  • mod_magnet: removed experimental lighty.r.req_attr["response.*"] accessors (added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022)) (see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)
  • remove libev fdevent option (now ignored)
    lighttpd directly uses native OS event handlers

Future Scheduled Behavior Changes

  • lighttpd 1.4.68 builds common modules into the lighttpd base executable.
    Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.
    A future version of lighttpd will omit building separate modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile

Changes from 1.4.67

  • [cmake] compile lemon with native cc for x-compile
  • [cmake] install man pages with CMake
  • [cmake] let CMake handle the version number
  • [cmake] set LIGHTTPD_VERSION_ID per version
  • [meson] set LIGHTTPD_VERSION_ID per version
  • [meson] add missing meson_version
  • [meson] use feature options
  • [meson] turn pcre into a combo option
  • [meson] simplify header checking
  • [meson] add wrapdb instructions
  • [lighttpd-angel] waitpid after HUP before restart
  • [core] use inotify_init() if missing IN_* defines
  • [core] keep sockets w/ server.graceful-restart-bg
  • [TLS] ssl.openssl.ssl-conf-cmd "DHParameters"
  • [mod_wolfssl] check for cert must_staple
  • [mod_mbedtls] config renegotiation; not recommended
  • [mod_alias] fix typo in config error message
  • [mod_proxy,mod_cgi] fix dummy Sec-WebSocket-Key
  • [mod_wolfssl] cast to fix compile error
  • [TLS] try DER format if reading PEM format fails
  • [mod_openssl] libressl 3.6.0 ASN1_TIME_cmp_time_t
  • [mod_deflate] skip cache for Cache-Control: private,no-store
  • [mod_webdav] minor cleanups and adjustments
  • [core] http_response_body_clear clears body flags
  • [core] ignore server.max-worker = 1
  • [doc/scripts/cert-staple.sh] *BSD date portability
  • [doc/scripts/cert-staple.sh] short-circuit checks
  • [doc/scripts/cert-staple.sh] add copyright header
  • [meson] fix wrong array
  • [meson] replace most has_function calls with loop
  • [meson] use non string true/false
  • [meson] use files()
  • [meson] remove use of non-existent win32 xgetopt.c
  • [meson] update comment for opts w/ type 'feature'
  • [core] fix crash for invalid lighttpd.conf (fixes #3175)
  • [build] do not check for pthread.h
  • [cmake] use find_package() to include the PkgConfig module
  • [cmake] use GNUInstallDirs to set defaults for several directories
  • [cmake] use FindOpenSSL cmake module to search for OpenSSL
  • [cmake] remove wolfssl code that would already be handled by CMake
  • [cmake] improve searching for PostgreSQL
  • [cmake] remove needless arguments from xconfig macro
  • [cmake] prefer libpcre.pc over pcre-config
  • [cmake] use CMake’s provided FindZLIB
  • [cmake] use CMake’s provided FindBZip2
  • [cmake] remove path hints where CMake searches by default
  • [cmake] remove use of non-existent win32 xgetopt.c
  • [mod_openssl] mod_openssl_write_err() shared code
  • [mod_openssl] use SSL_sendfile() if KTLS available
  • [mod_gnutls] use gnutls_record_send_file() if KTLS
  • [TLS] handle '+' on ssl-conf-cmd "Options"
  • [TLS] upgrade default cipher list to stronger set
  • [TLS] simplify TLS config; remove deprecated opts
  • [multiple] remove deprecated modules
  • [mod_magnet] remove lighty.r.req_attr["response.*"]
  • [core] remove libev fdevent option (ignore)
  • [core] _WIN32 impl of plugins_load()
  • [core] check for built-in plugins before dlopen
  • [core] build core modules into lighttpd executable
  • [core] reduce M_TOP_PAD to default on small system
  • [multiple] mark mod_*_plugin_init() funcs cold
  • [core] check ifndef NDEBUG before setting NDEBUG
  • [core] server_main_setup_signals() separate func
  • [core] server_main_setup_workers() separate func
  • [core] server_main_setup() variable scoping
  • [core] ck_calloc() ck_malloc() ck_realloc_u32()
  • [multiple] employ ck_realloc_u32() shared code
  • [core] mark gw_proc_free() cold
  • [core] use data_config_list for config
  • [build] omit unused vector.[ch] from build
  • [mod_wstunnel] store value in tmp before byteswap
  • [core] log_buffer_vsprintf tweaks
  • [multiple] employ ck_calloc, ck_malloc shared code
  • [core] create non-inlined vector_resize()
  • [lighttpd-angel] remove unused includes
  • [core] chunk.c tweaks
  • [core] config_check_cond_nocache_eval() tweak
  • [mod_openssl] CLOSE_NOTIFY handling with KTLS
  • [mod_wolfssl] match mod_openssl CLOSE_NOTIFY
  • [core] ignore config dir-listing.* if not enabled
  • [doc] default lighttpd.conf: omit server.use-ipv6
  • [lighttpd-angel] simplify
  • [tests] disable auth.delay-invalid-creds for tests
  • [mod_deflate] "deflate" should include zlib header
  • [tests] fix "deflate" tests for added zlib header
  • [tests] disable Nagle on client, remove sleeps
  • [core] save ptr to avoid static analyzer realloc warn
  • [core] wrap server_main_setup_workers w/ HAVE_FORK
  • [core] temporarily disable O_NOFOLLOW on Cygwin