pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lighttpd 1.4.56 released



Dear package maintainers:

lighttpd 1.4.56 has been released!

This release includes HTTP/2 and substantial TLS enhancements.

Some packaging changes are needed, e.g. dependencies to support
new TLS modules.  IFF lighttpd is built --with-nettle, then the
TLS modules are each standalone.  It is recommended that lighttpd
be built --with-nettle along with making multiple TLS modules
available as options.

  new modules since lighttpd-1.4.55:
    mod_authn_dbi
    mod_gnutls
    mod_mbedtls
    mod_nss
    mod_wolfssl

  removed modules since lighttpd-1.4.55:
    mod_compress  (subsumed by mod_deflate)

  removed dependencies since lighttpd-1.4.55:
    lighttpd no longer uses FAM or gamin on Linux or *BSD
      (inotify() or kqueue() is used instead)

  Please review lighttpd.conf additions to enable HTTP/2,
  or choose to wait until HTTP/2 is enabled in lighttpd
  in a future release.

### Features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn


lighttpd 1.4.56
---------------

  major new features:
    * HTTP/2 support
      must be enabled in lighttpd 1.4.56;
      may be enabled by default in a future release
      server.feature-flags += ("server.h2proto" => "enable",
                               "server.h2c"     => "enable")
    * TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
      - mod_openssl (existing)
      - mod_mbedtls (experimental)
      - mod_wolfssl (experimental)
      - mod_gnutls  (experimental)
      - mod_nss     (experimental)
    * TLS OCSP stapling (except mbedTLS; not currently supported by mbedTLS)
    * TLS session ticket key rotation control (except NSS; API limitation in NSS)
    * mod_deflate brotli support
    * mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
    * RFC 8297 support for 103 Early Hints produced by backends (scripts)
    * graceful restart option to transfer listen fds (minimal pause)
      server.systemd-socket-activation = "enable"
      server.feature-flags += ("server.graceful-restart-bg" => "enable",
                               "server.graceful-shutdown-timeout" => "15")

  BEHAVIOR CHANGES:
    mod_openssl:
    * default MinProtocol TLSv1.2
      TLSv1 and TLSv1.1 are deprecated
      and no longer supported by major browsers.
      https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
      If prior behavior is required, configure:
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
      If using openssl <= 1.0.2 (end-of-life)
        ssl.openssl.ssl-conf-cmd =
          ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")
    * (internal) TLS session cache is disabled,
                 replaced by lighttpd robust TLSv1.2 session ticket support
    * (internal) openssl creates a session ticket encryption key per SSL_CTX.
      lighttpd 1.4.56 and later assigns a single session ticket encryption key
      for the lighttpd server (across all SSL_CTX) for consistency.
    * behavior change with ssl.ca-dn-file (uncommon); applies to client
      certificate verification and ssl.ca-dn-file (uncommon)
      If client certificate verification is enabled
        (ssl.verifyclient.activate = "enable"),
      all CAs used for client certificate verification must be present
      in ssl.ca-file.  This is the typical use case when client certificate
      verification is enabled.  Certificates in (optional) ssl.ca-dn-file
      are used to send issuer names to client when the server sends a client
      certificate request.  These names are use by the client during
      certificate selection, and the server requires that the certificate
      sent by the client be issued by one of the subjects in ssl.ca-dn-file.
      (Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
       New behavior requires all trusted CAs be listed in ssl.ca-file,
       and a subset be duplicated into ssl.ca-dn-file to specify allowed
       client cert issuer.)

    mod_deflate: support for bzip2 is now disabled by default in the build
        (enable using ./configure --with-bzip2)
      bzip2 Content-Encoding is not widely supported
      Prefer to build --with-brotli
      brotli Content-Encoding is more widely supported than bzip2

  FUTURE BEHAVIOR CHANGES:
    * HTTP/2 support will be enabled by default in a future release
    * graceful restart/shutdown default timeout will change from
        0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
      configure an alternative with:
        server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
    * mod_compress is DEPRECATED; use mod_deflate
      mod_compress has been subsumed by mod_deflate
      Note: mod_compress config options may be removed in a future release
    * mod_geoip is DEPRECATED; use mod_maxminddb
      Note: mod_geoip will be removed from a future lighttpd release
    * mod_authn_mysql is DEPRECATED; use mod_authn_dbi
      Note: mod_authn_mysql will be removed from a future lighttpd release
    * mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
      Note: mod_mysql_vhost will be removed from a future lighttpd release
    * mod_cml is DEPRECATED; use mod_magnet
      Note: mod_cml will be removed from a future lighttpd release


Home | Main Index | Thread Index | Old Index