lighttpd: fix missing support for OpenSSL crypto library #24004
Conversation
|
Thank you. I'll try to look into this later next week. |
|
Took a quick look to refresh myself. For the patch in this PR to work as desired, changes would need to be made to lighttpd source code, too. This distinction is important: Nettle provides crypto functions, such as SHA-256. TLS libraries -- such as openssl, mbedtls, wolfssl, and gnutls -- provide TLS functions and also provide crypto functions. Each TLS modules built for lighttpd use the associated TLS library, e.g. lighttpd mod_openssl uses openssl; lighttpd mod_mbedtls uses mbedtls; etc. The lighttpd base application (separate from the lighttpd TLS modules) may use some crypto functions. To keep things small and portable, if lighttpd is built with Nettle, then Nettle is the default crypto library used by the lighttpd base application. Again, each lighttpd TLS module uses the associated TLS library. Now then, if lighttpd is built with a single TLS library (and without Nettle), then the lighttpd base application will use the crypto functions from that TLS library. However, for packaging in Linux distributions, lighttpd might be built with multiple TLS modules, and each TLS module uses the associated TLS library. Unfortunately, lighttpd currently does not provide a separate, first-class option to pick the crypto library used by the lighttpd base application. For the benefit of embedded systems where everything in the base system might use a single TLS library, there are special cases to use mbedtls or wolfssl. When one of those options are chosen lighttpd is compiled with It is not a complex patch to lighttpd, so maybe in the next release of lighttpd, I'll extend the lighttpd special cases for tl;dr: additional (small) changes are needed to this patch and to upstream lighttpd source code before this patch can be accepted. |
|
Untested patch to lighttpd. |
ynezz
force-pushed
the
ynezz/lighttpd-openssl-fix
branch
from
dc56fbe
to
5e3da8c
Compare
Thanks, done. |
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. This change will provide the necessary dependency resolution, fixing: Package lighttpd is missing dependencies for the following libraries: libcrypto.so.3 Fixes: openwrt#23794 Co-developed-by:: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
ynezz
force-pushed
the
ynezz/lighttpd-openssl-fix
branch
from
5e3da8c
to
4326181
Compare
|
@ynezz thank you for the detailed rewording of the my explanation in your patch. Should the other items (not part of your changes) be libnettle, libmbedtls, and libwolfssl? FYI: for completeness, I am going to add a gnutls crypto option, too. |
add preprocessor option to force crypto lib used by lighttpd base -DFORCE_OPENSSL_CRYPTO for OpenSSL or -DFORCE_GNUTLS_CRYPTO for GnuTLS in addition to the already-existing -DFORCE_MBEDTLS_CRYPTO for mbed TLS or -DFORCE_WOLFSSL_CRYPTO for WolfSSL This allows building lighttpd with support for multiple TLS modules, and at the same time specifying the lighttpd base crypto lib dependency. (Packages such as OpenWRT lighttpd package would need to update package dependency along with specifying the preprocessor define) If lighttpd is built with meson and without "-Dwith_nettle=true", then lighttpd will use mbed TLS if built with "-Dwith_mbedtls", so the preprocessor option is not strictly necessary for mbed TLS. However, if built with "-Dwith_mbedtls" and "-Dwith_wolfssl" *and* without "-Dwith_nettle=true" *and* lighttpd base crypto dependency on WolfSSL is desired, then CFLAGS -DFORCE_WOLFSSL_CRYPTO is needed, e.g. with a patch to add it to 'defs' near the top of src/meson.build. The defines -DFORCE_OPENSSL_CRYPTO or -DFORCE_GNUTLS_CRYPTO are similar to -DFORCE_WOLFSSL_CRYPTO in that they must be specified to have the desired effect. If any -DFORCE_*_CRYPTO is defined, then lighttpd will not use Nettle and *should not* be built with "-Dwith_nettle=true", in order to avoid an unnecessary link dependency (though also handled in meson.build). x-ref: "lighttpd authentication modules depends on libnettle" openwrt/packages#18851 "lighttpd: fix missing support for OpenSSL crypto library" openwrt/packages#24004
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Details of patch: Each TLS module in lighttpd is built to utilize its corresponding TLS library. For example, lighttpd's mod_openssl module utilizes OpenSSL, and its mod_mbedtls module uses mbedTLS. Separately, the core lighttpd application may employ cryptographic functions. For efficiency and portability, if lighttpd is compiled with Nettle, it becomes the default cryptographic library for the base application. However, each TLS module within lighttpd still relies on its respective TLS library. In scenarios where lighttpd is configured with only one TLS library and without Nettle, the base application adopts the cryptographic functions from that specific TLS library. When preparing for Linux distributions, lighttpd might be built with several TLS modules, where each module uses its designated TLS library. Presently, lighttpd does not offer a distinct, dedicated option to select the cryptographic library for the base application. In contexts like embedded systems, where a single TLS library might be utilized across the entire base system, specific configurations allow the use of either mbedTLS or wolfSSL. For these, lighttpd is compiled with -DFORCE_MBEDTLS_CRYPTO or -DFORCE_WOLFSSL_CRYPTO, respectively. To extend this capability, let's introduce the FORCE_OPENSSL_CRYPTO define, enabling lighttpd to also use OpenSSL as an additional cryptographic library, akin to the existing support for mbedTLS and wolfSSL. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. Similarly, propose GnuTLS as additional configuration option. Closes: openwrt#24004 Co-developed-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
Maintainer: @gstrauss
Compile tested: x86-64, cortex-a53, cortex-a9
Run tested: x86-64, cortex-a53, cortex-a9
Description:
Currently, it is not feasible to configure lighttpd to use OpenSSL as its internal crypto library. Instead, one must rely on alternative crypto libraries such as Nettle or mbedTLS. This setup is not ideal in scenarios where a single crypto library is preferred. To address this issue, lets propose introducing OpenSSL as an additional configuration option. This change will provide the necessary dependency resolution, fixing:
Fixes: #23794