lighttpd: fix missing support for OpenSSL crypto library #24004
Conversation
Thank you. I'll try to look into this later next week.
Took a quick look to refresh myself. For the patch in this PR to work as desired, changes would need to be made to lighttpd source code, too.

This distinction is important: Nettle provides crypto functions, such as SHA-256. TLS libraries -- such as openssl, mbedtls, wolfssl, and gnutls -- provide TLS functions and also provide crypto functions. Each TLS module built for lighttpd uses the associated TLS library, e.g. lighttpd mod_openssl uses openssl; lighttpd mod_mbedtls uses mbedtls; etc.

The lighttpd base application (separate from the lighttpd TLS modules) may use some crypto functions. To keep things small and portable, if lighttpd is built with Nettle, then Nettle is the default crypto library used by the lighttpd base application. Again, each lighttpd TLS module uses the associated TLS library.

Now then, if lighttpd is built with a single TLS library (and without Nettle), then the lighttpd base application will use the crypto functions from that TLS library. However, for packaging in Linux distributions, lighttpd might be built with multiple TLS modules, and each TLS module uses the associated TLS library. Unfortunately, lighttpd currently does not provide a separate, first-class option to pick the crypto library used by the lighttpd base application.

For the benefit of embedded systems where everything in the base system might use a single TLS library, there are special cases to use mbedtls or wolfssl. When one of those options is chosen, lighttpd is compiled with

It is not a complex patch to lighttpd, so maybe in the next release of lighttpd, I'll extend the lighttpd special cases for

tl;dr: additional (small) changes are needed to this patch and to upstream lighttpd source code before this patch can be accepted.
Untested patch to lighttpd.
Branch force-pushed from dc56fbe to 5e3da8c.
Thanks, done.
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option.

This change will provide the necessary dependency resolution, fixing:

Package lighttpd is missing dependencies for the following libraries: libcrypto.so.3

Fixes: openwrt#23794
Co-developed-by: Glenn Strauss <[email protected]>
Signed-off-by: Glenn Strauss <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>

Branch force-pushed from 5e3da8c to 4326181.
@ynezz thank you for the detailed rewording of my explanation in your patch. Should the other items (not part of your changes) be libnettle, libmbedtls, and libwolfssl?

FYI: for completeness, I am going to add a gnutls crypto option, too.
add preprocessor option to force crypto lib used by lighttpd base

-DFORCE_OPENSSL_CRYPTO for OpenSSL or -DFORCE_GNUTLS_CRYPTO for GnuTLS, in addition to the already-existing -DFORCE_MBEDTLS_CRYPTO for mbed TLS or -DFORCE_WOLFSSL_CRYPTO for WolfSSL.

This allows building lighttpd with support for multiple TLS modules, and at the same time specifying the lighttpd base crypto lib dependency. (Packages such as the OpenWRT lighttpd package would need to update the package dependency along with specifying the preprocessor define.)

If lighttpd is built with meson and without "-Dwith_nettle=true", then lighttpd will use mbed TLS if built with "-Dwith_mbedtls", so the preprocessor option is not strictly necessary for mbed TLS. However, if built with "-Dwith_mbedtls" and "-Dwith_wolfssl" *and* without "-Dwith_nettle=true" *and* a lighttpd base crypto dependency on WolfSSL is desired, then CFLAGS -DFORCE_WOLFSSL_CRYPTO is needed, e.g. with a patch to add it to 'defs' near the top of src/meson.build.

The defines -DFORCE_OPENSSL_CRYPTO or -DFORCE_GNUTLS_CRYPTO are similar to -DFORCE_WOLFSSL_CRYPTO in that they must be specified to have the desired effect. If any -DFORCE_*_CRYPTO is defined, then lighttpd will not use Nettle and *should not* be built with "-Dwith_nettle=true", in order to avoid an unnecessary link dependency (though this is also handled in meson.build).

x-ref:
"lighttpd authentication modules depends on libnettle" openwrt/packages#18851
"lighttpd: fix missing support for OpenSSL crypto library" openwrt/packages#24004
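A packaging-side check for the dependency mismatch this thread is about (the OpenWrt "missing dependencies for ... libcrypto.so.3" error), written as an added example that is not code from the PR, OpenWrt or lighttpd: it reads `readelf -d` output of the lighttpd base binary and verifies that the library implied by the chosen -DFORCE_*_CRYPTO define is actually NEEDED, and that libnettle is not linked in alongside it. The define-to-library mapping and the sample readelf lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the PR or from lighttpd: compare the crypto
# library the lighttpd base binary is linked against (from `readelf -d`
# output) with the -DFORCE_*_CRYPTO define chosen at build time.

# Print crypto/TLS libraries appearing in NEEDED entries, one per line.
# $1: text output of `readelf -d /path/to/lighttpd`
crypto_needed() {
    printf '%s\n' "$1" \
      | sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p' \
      | grep -E '^lib(crypto|ssl|nettle|hogweed|mbedcrypto|mbedtls|mbedx509|wolfssl|gnutls)\.so' \
      | sort -u
}

# Library the base application should depend on for a given define
# (assumed mapping). No define means the Nettle default.
expected_lib() {
    case "$1" in
        FORCE_OPENSSL_CRYPTO) echo libcrypto.so ;;
        FORCE_GNUTLS_CRYPTO)  echo libgnutls.so ;;
        FORCE_MBEDTLS_CRYPTO) echo libmbedcrypto.so ;;
        FORCE_WOLFSSL_CRYPTO) echo libwolfssl.so ;;
        "")                   echo libnettle.so ;;
        *) echo "unknown define: $1" >&2; return 1 ;;
    esac
}

# Succeed only if the expected library is NEEDED and, when a FORCE define
# is in use, libnettle is not linked in as an unnecessary extra dependency.
check_deps() {
    define=$1
    want=$(expected_lib "$define") || return 1
    libs=$(crypto_needed "$2")
    printf '%s\n' "$libs" | grep -q "^$want" \
        || { echo "missing NEEDED: $want" >&2; return 1; }
    if [ -n "$define" ] && printf '%s\n' "$libs" | grep -q '^libnettle\.so'; then
        echo "unexpected NEEDED: libnettle (build without -Dwith_nettle=true)" >&2
        return 1
    fi
}

# Constructed sample in readelf -d format (not from a real lighttpd build).
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libpcre2-8.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

check_deps FORCE_OPENSSL_CRYPTO "$SAMPLE_READELF" && echo "base crypto dependency OK"
```

Against a real build, run `check_deps FORCE_OPENSSL_CRYPTO "$(readelf -d ./lighttpd)"` and add the reported library to the package's DEPENDS.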
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as an additional configuration option.

Closes: openwrt#24004
Co-developed-by: Glenn Strauss <[email protected]>
Signed-off-by: Glenn Strauss <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as an additional configuration option.

Details of patch:

Each TLS module in lighttpd is built to utilize its corresponding TLS library. For example, lighttpd's mod_openssl module utilizes OpenSSL, and its mod_mbedtls module uses mbedTLS. Separately, the core lighttpd application may employ cryptographic functions. For efficiency and portability, if lighttpd is compiled with Nettle, it becomes the default cryptographic library for the base application. However, each TLS module within lighttpd still relies on its respective TLS library.

In scenarios where lighttpd is configured with only one TLS library and without Nettle, the base application adopts the cryptographic functions from that specific TLS library. When preparing for Linux distributions, lighttpd might be built with several TLS modules, where each module uses its designated TLS library. Presently, lighttpd does not offer a distinct, dedicated option to select the cryptographic library for the base application.

In contexts like embedded systems, where a single TLS library might be utilized across the entire base system, specific configurations allow the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively. To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO define, enabling lighttpd to also use OpenSSL as an additional cryptographic library, akin to the existing support for mbedTLS and wolfSSL.

Closes: openwrt#24004
Co-developed-by: Glenn Strauss <[email protected]>
Signed-off-by: Glenn Strauss <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as an additional configuration option.

Closes: openwrt#24004
Co-developed-by: Glenn Strauss <[email protected]>
Signed-off-by: Glenn Strauss <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>
(cherry picked from commit 8c9597f)
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as an additional configuration option.

Closes: #24004
Co-developed-by: Glenn Strauss <[email protected]>
Signed-off-by: Glenn Strauss <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>
(cherry picked from commit 8c9597f)
Maintainer: @gstrauss
Compile tested: x86-64, cortex-a53, cortex-a9
Run tested: x86-64, cortex-a53, cortex-a9
Description:
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, let's propose introducing OpenSSL as an additional configuration option. This change will provide the necessary dependency resolution, fixing:
Fixes: #23794