lighttpd: "SSL: renegotiation initiated by client, killing connection"

Bug #1800605 reported by mschaeffler
This bug report is a duplicate of: Bug #1832295: lighttpd broken by OpenSSL update.
This bug affects 6 people
Affects: lighttpd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Lighttpd kills every SSL connection with the log line:
    SSL: renegotiation initiated by client, killing connection

See also:
   https://redmine.lighttpd.net/issues/2912
   https://bugs.archlinux.org/task/60294
   https://bugs.archlinux.org/task/60403

Issue is solved with:
   lighttpd 1.4.51-1

Tags: 18.04 18.10

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lighttpd (Ubuntu):
status: New → Confirmed
René Vögeli (rvoegeli)
tags: added: 18.04
René Vögeli (rvoegeli) wrote :

Still an issue in bionic after update today (2019-06-13).

Setting

ssl.disable-client-renegotiation = "disable"

in lighttpd.conf helps, but is not really a solution, because of CVE-2009-3555.

lighttpd 1.4.45-1ubuntu3
libssl1.1 1.1.1-1ubuntu2.1~18.04.1
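
An added example (not part of the original report and not lighttpd project code): a small Python audit that flags a lighttpd.conf still carrying the workaround from the comment above and counts the symptom line in an error log. The sample config, the sample log lines and the function names are constructed for illustration.

```python
import re

# Directive and log message exactly as quoted in this bug report.
DIRECTIVE = "ssl.disable-client-renegotiation"
KILL_MSG = "SSL: renegotiation initiated by client, killing connection"
ASSIGN_RE = re.compile(re.escape(DIRECTIVE) + r'\s*=\s*"([^"]*)"')

# Constructed sample config (not taken from any real host).
SAMPLE_CONF = '''\
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    # ssl.disable-client-renegotiation = "enable"
    ssl.disable-client-renegotiation = "disable"
}
'''

# Constructed error-log lines; the "(constructed.c.0)" source tag is a placeholder.
SAMPLE_LOG = '''\
2019-06-13 10:15:02: (constructed.c.0) SSL: renegotiation initiated by client, killing connection
2019-06-13 10:15:03: (constructed.c.0) SSL: renegotiation initiated by client, killing connection
2019-06-13 10:15:09: (constructed.c.0) server started
'''

def find_workaround(conf_text):
    """Return 1-based line numbers where the directive is set to "disable"."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        active = line.split("#", 1)[0]  # naive: ignores '#' inside quoted strings
        m = ASSIGN_RE.search(active)
        if m and m.group(1).strip().lower() == "disable":
            hits.append(lineno)
    return hits

def count_kills(log_text):
    """Count error-log lines carrying the symptom message."""
    return sum(1 for line in log_text.splitlines() if KILL_MSG in line)

def assess(conf_text, log_text):
    """Return (state, workaround_lines, kill_count) for one host."""
    lines, kills = find_workaround(conf_text), count_kills(log_text)
    if lines:
        return "workaround-active", lines, kills
    return ("affected" if kills else "ok"), lines, kills

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_LOG))
```

A "workaround-active" result after the package has been upgraded to a fixed version marks a config where the directive can be returned to its default.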

Zibri Soft (zibri-) wrote :

1) I didn't write to ask for any help. I am perfectly capable of solving the problem in many ways.

2) I thought you wanted to be informed of this, since Google does not give so relevant results on this matter.

3) Sorry if I bothered you. Next time I will just keep it to myself.

So long

Zibri Soft (zibri-) wrote :

Sorry.. for the previous message.. please delete it. It was intended for lighttpd bug list :D
