-# Revision 2812
+# Revision 2815
Index: src/http_auth_digest.c
===================================================================
--- src/http_auth_digest.c (.../tags/lighttpd-1.4.29)
cv[62].destination = &(s->ssl_use_sslv3);
cv[63].destination = s->ssl_dh_file;
cv[64].destination = s->ssl_ec_curve;
-+ cv[65].destination = &(s->ssl_honor_cipher_order);
++ cv[66].destination = &(s->ssl_honor_cipher_order);
+
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
unsigned long err;
switch ((ssl_r = SSL_get_error(ssl, r))) {
-@@ -243,6 +259,7 @@
+@@ -243,12 +259,13 @@
} else {
c->offset += r;
cq->bytes_out += r;
}
if (c->offset == c->file.length) {
+ chunk_finished = 1;
+ }
+- } while(!chunk_finished && !write_wait);
++ } while (!chunk_finished && !write_wait && max_bytes > 0);
+
+ break;
+ }
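Review bot: The new `max_bytes > 0` term on the `} while (...)` line only bounds the loop if `max_bytes` is decremented per write, and the write-accounting lines visible in this hunk (`c->offset += r; cq->bytes_out += r;`) update only the chunk offset and `bytes_out`; if the decrement is not above this hunk (the enclosing `do` block and the function start outside it), this branch would still write without bound and the MAX_WRITE_LIMIT fix in the NEWS entry would not take effect here. The early exit now also leaves `chunk_finished == 0` for a partially written file chunk, so a short comment at the loop exit would help the next reader: `/* leave with chunk_finished == 0 once max_bytes is spent; the chunk is resumed from c->offset on the next write event */` — assuming the caller does resume from `c->offset`, which is not visible in the hunk. The `break;` after the loop presumably exits the surrounding chunk-type dispatch, which is also outside the hunk.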
@@ -263,11 +280,9 @@
break;
===================================================================
--- doc/config/lighttpd.conf (.../tags/lighttpd-1.4.29)
+++ doc/config/lighttpd.conf (.../branches/lighttpd-1.4.x)
-@@ -394,6 +394,8 @@
+@@ -394,6 +394,25 @@
## $SERVER["socket"] == "10.0.0.1:443" {
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
++## #
++## # Mitigate BEAST attack:
++## #
++## # A stricter base cipher suite. For details see:
+## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
-+## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++## #
++## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
++## #
++## # Make the server prefer the order of the server side cipher suite instead of the client suite.
++## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
++## # This option is enabled by default, but only used if ssl.ciphers is set.
++## #
++## # ssl.honor-cipher-order = "enable"
++## #
++## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
++## # This is enabled by default.
++## #
++## # ssl.disable-client-renegotiation = "enable"
++## #
## server.name = "www.example.com"
##
## server.document-root = "/srv/www/vhosts/example.com/www/"
===================================================================
--- NEWS (.../tags/lighttpd-1.4.29)
+++ NEWS (.../branches/lighttpd-1.4.x)
-@@ -3,7 +3,19 @@
+@@ -3,7 +3,20 @@
NEWS
====
+ * [ssl] count renegotiations to prevent client renegotiations
+ * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
+ * [core] accept dots in ipv6 addresses in host header (fixes #2359)
++ * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
+
+- 1.4.29 - 2011-07-03
* Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259)