1.4.75

Important changes

• incrementally stronger TLS cipher defaults; bugs fixes

Downloads

• lighttpd-1.4.75.tar.gz (GPG signature)
  • SHA256: 283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97
• lighttpd-1.4.75.tar.xz (GPG signature)
  • SHA256: 8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6
• SHA256 checksums
• SHA512 checksums

Behavior Changes: (previously announced)

• TLS cipher defaults have been incrementally updated to stronger defaults New defaults are forward-secret and support authenticated encryption (AEAD) New defaults: openssl ciphers ‘EECDH+AESGCM:CHACHA20:!PSK:!DHE’ Previous defaults: openssl ciphers ‘EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384’ Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life). Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
• mod_redirect: default url.redirect-code for HTTP/1.1 and later has been changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect is not explicitly set in lighttpd.conf) RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

• lighttpd TLS defaults will change to MinProtocol TLSv1.3 Other configurations will still be supported, but will not be the default. Proposed default: MinProtocol TLSv1.3 Current default: MinProtocol TLSv1.2
• server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403) Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet

Changes from 1.4.74

• [mod_redirect] url.redirect-code = 308 new default
• [ls-hpack] more portability fixes for sys/queue.h
• [ls-hpack] update version to 2.3.3
• [TLS] default to stronger ciphers w/ PFS and AEAD
• [ci] apt-get install build-essential on Ubuntu
• [ci] /usr/local/opt keg-only pkgs on Darwin(macOS)
• [mod_authn_sasl] translate SASL_LOG_* to syslog
• [build] include src/compat/sys/queue.h in tarball
• [core] fdlog_openlog(), fdlog_closelog()
• [mod_accesslog] fdlog_openlog() if using syslog
• [cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE
• [ci] limit github ci to specific branches
• [ci] prefer non-login shell for Cygwin CI build
• [ci] prefer dash for Cygwin and MSYS2 builds
• [mod_wstunnel] fix server.ping-interval w/ HTTP/2
• [mod_dirlisting] fix suffix display of ‘/’ on file (fixes #3242)
• [mod_openssl] use internal asn1_time fn on 32-bit (fixes #3244)
• [mod_openssl] faster ASN1_TIME parse
• [mod_wolfssl] faster ASN1_TIME parse
• [doc] update TLS comment in sample lighttpd.conf