pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
lighttpd 1.4.56 released
Dear package maintainers:
lighttpd 1.4.56 has been released!
This release includes HTTP/2 and substantial TLS enhancements.
Some packaging changes are needed, e.g. dependencies to support
new TLS modules. IFF lighttpd is built --with-nettle, then the
TLS modules are each standalone. It is recommended that lighttpd
be built --with-nettle along with making multiple TLS modules
available as options.
new modules since lighttpd-1.4.55:
mod_authn_dbi
mod_gnutls
mod_mbedtls
mod_nss
mod_wolfssl
removed modules since lighttpd-1.4.55:
mod_compress (subsumed by mod_deflate)
removed dependencies since lighttpd-1.4.55:
lighttpd no longer uses FAM or gamin on Linux or *BSD
(inotify() or kqueue() is used instead)
Please review lighttpd.conf additions to enable HTTP/2,
or choose to wait until HTTP/2 is enabled in lighttpd
in a future release.
### Features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags += ("server.h2proto" => "enable")
server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags += ("server.graceful-restart-bg" => "enable")
Please let me know if you have any questions or issues. Thank you!
Cheers, Glenn
lighttpd 1.4.56
---------------
major new features:
* HTTP/2 support
must be enabled in lighttpd 1.4.56;
may be enabled by default in a future release
server.feature-flags += ("server.h2proto" => "enable",
"server.h2c" => "enable")
* TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
- mod_openssl (existing)
- mod_mbedtls (experimental)
- mod_wolfssl (experimental)
- mod_gnutls (experimental)
- mod_nss (experimental)
* TLS OCSP stapling (except mbedTLS; not currently supported by mbedTLS)
* TLS session ticket key rotation control (except NSS; API limitation in NSS)
* mod_deflate brotli support
* mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
* RFC 8297 support for 103 Early Hints produced by backends (scripts)
* graceful restart option to transfer listen fds (minimal pause)
server.systemd-socket-activation = "enable"
server.feature-flags += ("server.graceful-restart-bg" => "enable",
"server.graceful-shutdown-timeout" => "15")
BEHAVIOR CHANGES:
mod_openssl:
* default MinProtocol TLSv1.2
TLSv1 and TLSv1.1 are deprecated
and no longer supported by major browsers.
https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
If prior behavior is required, configure:
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
If using openssl <= 1.0.2 (end-of-life)
ssl.openssl.ssl-conf-cmd =
("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")
* (internal) TLS session cache is disabled,
replaced by lighttpd robust TLSv1.2 session ticket support
* (internal) openssl creates a session ticket encryption key per SSL_CTX.
lighttpd 1.4.56 and later assigns a single session ticket encryption key
for the lighttpd server (across all SSL_CTX) for consistency.
* behavior change with ssl.ca-dn-file (uncommon); applies to client
certificate verification and ssl.ca-dn-file (uncommon)
If client certificate verification is enabled
(ssl.verifyclient.activate = "enable"),
all CAs used for client certificate verification must be present
in ssl.ca-file. This is the typical use case when client certificate
verification is enabled. Certificates in (optional) ssl.ca-dn-file
are used to send issuer names to client when the server sends a client
certificate request. These names are use by the client during
certificate selection, and the server requires that the certificate
sent by the client be issued by one of the subjects in ssl.ca-dn-file.
(Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
New behavior requires all trusted CAs be listed in ssl.ca-file,
and a subset be duplicated into ssl.ca-dn-file to specify allowed
client cert issuer.)
mod_deflate: support for bzip2 is now disabled by default in the build
(enable using ./configure --with-bzip2)
bzip2 Content-Encoding is not widely supported
Prefer to build --with-brotli
brotli Content-Encoding is more widely supported than bzip2
FUTURE BEHAVIOR CHANGES:
* HTTP/2 support will be enabled by default in a future release
* graceful restart/shutdown default timeout will change from
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
configure an alternative with:
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
* mod_compress is DEPRECATED; use mod_deflate
mod_compress has been subsumed by mod_deflate
Note: mod_compress config options may be removed in a future release
* mod_geoip is DEPRECATED; use mod_maxminddb
Note: mod_geoip will be removed from a future lighttpd release
* mod_authn_mysql is DEPRECATED; use mod_authn_dbi
Note: mod_authn_mysql will be removed from a future lighttpd release
* mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
Note: mod_mysql_vhost will be removed from a future lighttpd release
* mod_cml is DEPRECATED; use mod_magnet
Note: mod_cml will be removed from a future lighttpd release
Home |
Main Index |
Thread Index |
Old Index