Revision tags: lighttpd-1.4.69

e5f9e94d | 07-Jan-2023 | Glenn Strauss <[email protected]>
[multiple] codespell: correct spelling in comments

82a26c1b | 05-Jan-2023 | Glenn Strauss <[email protected]>
[TLS] fix spurious warning trace (fixes #3182)
(thx flynn)
x-ref: "Test config reports invalid ssl.pemfile in $HTTP["host"] condition" https://redmine.lighttpd.net/issues/3182

Revision tags: lighttpd-1.4.68

18abd62c | 12-Dec-2022 | Glenn Strauss <[email protected]>
[mod_openssl] CLOSE_NOTIFY handling with KTLS
adjust CLOSE_NOTIFY handling to avoid excess error trace after SSL_shutdown()

5e14db43 | 10-Dec-2022 | Glenn Strauss <[email protected]>
[multiple] employ ck_calloc, ck_malloc shared code
employ ck_calloc(), ck_malloc() shared code to slightly reduce code size (centralize the ck_assert() to check that memory allocation succeeded)

b82d7b8a | 06-Dec-2022 | Glenn Strauss <[email protected]>
[multiple] mark mod_*_plugin_init() funcs cold

326ace4f | 23-Oct-2022 | Glenn Strauss <[email protected]>
[TLS] simplify TLS config; remove deprecated opts
simplify TLS config; remove deprecated options
These scheduled lighttpd behavior changes have been announced over the past year.
lighttpd aims to provide reasonably secure TLS configuration defaults, and to periodically review and update TLS configuration defaults. Doing so reduces the need for distros, packagers, and end-users to specify their own TLS config customizations, which may then be neglected or cargo-culted far into the future, instead of being periodically updated to use stronger defaults.
x-ref: https://wiki.lighttpd.net/Docs_SSL

126cc8d1 | 23-Oct-2022 | Glenn Strauss <[email protected]>
[TLS] upgrade default cipher list to stronger set
upgrade default cipher list to stronger set, changing default from "HIGH" to "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384' expands to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:PSK-CHACHA20-POLY1305"
Most of these ciphers are widely supported and have been for many years. These scheduled lighttpd behavior changes have been announced over the past year.
Providing a strong default cipher list reduces the need for distros, packagers, and end-users to specify their own cipher lists, which may then be neglected or cargo-culted far into the future, instead of being periodically updated to use stronger defaults.
x-ref: https://wiki.lighttpd.net/Docs_SSL

6e78e4e8 | 30-Nov-2022 | Glenn Strauss <[email protected]>
[TLS] handle '+' on ssl-conf-cmd "Options"

9dc670db | 25-Nov-2022 | Glenn Strauss <[email protected]>
[mod_openssl] use SSL_sendfile() if KTLS available
For HTTP/1.x responses streaming files from disk, SSL_sendfile() (when KTLS is available) might reduce CPU usage and copying between userspace and kernel.
disable with: ssl.openssl.ssl-conf-cmd += ( "Options" => "-KTLS" )

2a0fa010 | 25-Nov-2022 | Glenn Strauss <[email protected]>
[mod_openssl] mod_openssl_write_err() shared code

25f96a80 | 28-Oct-2022 | Glenn Strauss <[email protected]>
[mod_openssl] libressl 3.6.0 ASN1_TIME_cmp_time_t
libressl 3.6.0 added ASN1_TIME_cmp_time_t()

76188fdb | 26-Oct-2022 | Glenn Strauss <[email protected]>
[TLS] try DER format if reading PEM format fails
try DER format if reading PEM format fails for ssl.pemfile, ssl.privkey

c7273b1e | 01-Oct-2022 | Glenn Strauss <[email protected]>
[TLS] ssl.openssl.ssl-conf-cmd "DHParameters"
support "DHParameters" in ssl.openssl.ssl-conf-cmd (replacement for ssl.dh-file)
isolate code setting DHParameters into its own subroutine (code reuse)
Note: TLS library defaults should be preferred over specifying DH params

Revision tags: lighttpd-1.4.67, lighttpd-1.4.66

222d8416 | 16-Jun-2022 | Glenn Strauss <[email protected]>
[mod_openssl] compile compat w/ openssl < 1.1.0
(thx gmd20)
github: closes #112

Revision tags: lighttpd-1.4.65

833f6aa4 | 30-May-2022 | Glenn Strauss <[email protected]>
[TLS] inherit ssl.engine from global scope
Since lighttpd 1.4.56, an oversight in config processing missed setting explicitly p->conf.ssl_enabled = 0 in network.c when initializing conditions. When ssl.engine = "enable" in lighttpd.conf global scope, the missing reset in network.c required non-TLS ports (e.g. $SERVER["socket"] == ":80") to contain ssl.engine = "disable" in order for requests to those ports to be served rather than erroring.
(This error was discovered during collaboration with jens-maus in https://github.com/jens-maus/RaspberryMatic/pull/1847)
There have been zero other instances of this error reported since the release of lighttpd 1.4.56 in Nov 2020.
Therefore, having ssl.engine = "enable" inherited from the global scope is unlikely to have any widespread impact in practice, and enabling ssl.engine = "enable" (along with TLS certificate configuration) is now recommended as default. When ssl.engine = "enable" in the global scope, ssl.engine = "disable" should be specified in those $SERVER["socket"] conditions where clear-text is desired.

2adc62e9 | 04-May-2022 | Glenn Strauss <[email protected]>
[multiple] simplify bytes_in/bytes_out accounting
encapsulate accounting calculations in http_request_stats_bytes_in() http_request_stats_bytes_out()
more accurate accounting for HTTP/1.1 bytes_in on keep-alive requests (affects case where client pipelines HTTP/1.1 requests)
remove con->bytes_read and con->bytes_written (no longer needed since request_st was split from connection struct and request bytes_read_ckpt and bytes_written_ckpt are maintained for HTTP/1.x bytes_in and bytes_out accounting. Also, further back, chunkqueue internal accounting was simplified to maintain bytes_in and bytes_out to always match chunkqueue length)

fbade185 | 20-Apr-2022 | Glenn Strauss <[email protected]>
[multiple] reset http vers, avoid rare crash (fixes #3152)
(thx ultimator)
do not set r->http_version to HTTP_VERSION_2 when selecting TLS ALPN if r->handler_module already set, since handler module is likely mod_sockproxy, and con->h2 will not get initialized.
This does continue to select "h2", so the mod_sockproxy backend should be prepared to receive the HTTP/2 client connection preface.
x-ref: "Random Segfaults with version 1.4.64 w/ mod_sockproxy and ALPN h2" https://redmine.lighttpd.net/issues/3152

b1f7ccd7 | 15-Apr-2022 | Glenn Strauss <[email protected]>
[multiple] limit scope of socket config options
warn if socket config options used only at startup are used outside global scope or $SERVER["socket"] with '==' condition

aea4a180 | 27-Mar-2022 | Glenn Strauss <[email protected]>
[TLS] warn if leaf cert read is inactive/expired
When reading certificates, warn if leaf certificate is inactive/expired (according to notBefore, notAfter fields of leaf certificate) (note: not adding a delta for fudge factor when comparing times) (note: not currently verifying each certificate in chain)

e202b187 | 27-Mar-2022 | Glenn Strauss <[email protected]>
[mod_openssl] libressl v3.5.0 adds ASN1_TIME_diff

Revision tags: lighttpd-1.4.64

a300c87b | 17-Jan-2022 | Glenn Strauss <[email protected]>
[mod_openssl] do not esc UTF-8 in cert subject
unset flag which escapes chars with most-significant-bit set for clean display of non-ASCII UTF-8 chars in cert subject
x-ref: man X509_NAME_oneline man ASN1_STRING_print_ex

c7c34201 | 03-Jan-2022 | Glenn Strauss <[email protected]>
[build] feature consistency between build types
update config.h.cmake for missing defines; minor adjustments to other builds for feature consistency

b1578f95 | 09-Dec-2021 | Glenn Strauss <[email protected]>
[core] add remote IP to some error msgs (fixes #3122)
add remote IP to some select error msgs
x-ref: "Error messages should include client IP" https://redmine.lighttpd.net/issues/3122

Revision tags: lighttpd-1.4.63, lighttpd-1.4.62, lighttpd-1.4.61, lighttpd-1.4.60

b17c37c5 | 03-Oct-2021 | Glenn Strauss <[email protected]>
[mod_openssl] boringssl compat

ff45d586 | 26-Sep-2021 | Glenn Strauss <[email protected]>
[multiple] clarify error msg when no cert avail