pkgsrc-Users archive


lighttpd 1.4.56 released

Dear package maintainers:

lighttpd 1.4.56 has been released!

This release includes HTTP/2 and substantial TLS enhancements.

Some packaging changes are needed, e.g. dependencies to support
new TLS modules.  IFF lighttpd is built --with-nettle, then the
TLS modules are each standalone.  It is recommended that lighttpd
be built --with-nettle along with making multiple TLS modules
available as options.

  new modules since lighttpd-1.4.55:

  removed modules since lighttpd-1.4.55:
    mod_compress  (subsumed by mod_deflate)

  removed dependencies since lighttpd-1.4.55:
    lighttpd no longer uses FAM or gamin on Linux or *BSD
      (inotify() or kqueue() is used instead)

  Please review lighttpd.conf additions to enable HTTP/2,
  or choose to wait until HTTP/2 is enabled in lighttpd
  in a future release.

### Features
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn

lighttpd 1.4.56

  major new features:
    * HTTP/2 support
      must be enabled in lighttpd 1.4.56;
      may be enabled by default in a future release
      server.feature-flags += ("server.h2proto" => "enable",
                               "server.h2c"     => "enable")
    * TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
      - mod_openssl (existing)
      - mod_mbedtls (experimental)
      - mod_wolfssl (experimental)
      - mod_gnutls  (experimental)
      - mod_nss     (experimental)
    * TLS OCSP stapling (except mbedTLS; not currently supported by mbedTLS)
    * TLS session ticket key rotation control (except NSS; API limitation in NSS)
    * mod_deflate brotli support
    * mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
    * RFC 8297 support for 103 Early Hints produced by backends (scripts)
    * graceful restart option to transfer listen fds (minimal pause)
      server.systemd-socket-activation = "enable"
      server.feature-flags += ("server.graceful-restart-bg" => "enable",
                               "server.graceful-shutdown-timeout" => "15")

    * default MinProtocol TLSv1.2
      TLSv1 and TLSv1.1 are deprecated
      and no longer supported by major browsers.
      If prior behavior is required, configure:
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
      If using openssl <= 1.0.2 (end-of-life)
        ssl.openssl.ssl-conf-cmd =
          ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")
    * (internal) TLS session cache is disabled,
                 replaced by lighttpd robust TLSv1.2 session ticket support
    * (internal) openssl creates a session ticket encryption key per SSL_CTX.
      lighttpd 1.4.56 and later assigns a single session ticket encryption key
      for the lighttpd server (across all SSL_CTX) for consistency.
    * behavior change with (uncommon); applies to client
      certificate verification and (uncommon)
      If client certificate verification is enabled
        (ssl.verifyclient.activate = "enable"),
      all CAs used for client certificate verification must be present
      in  This is the typical use case when client certificate
      verification is enabled.  Certificates in (optional)
      are used to send issuer names to client when the server sends a client
      certificate request.  These names are used by the client during
      certificate selection, and the server requires that the certificate
      sent by the client be issued by one of the subjects in
      (Prior behavior merged and for trusted CAs.
       New behavior requires all trusted CAs be listed in,
       and a subset be duplicated into to specify allowed
       client cert issuer.)

    mod_deflate: support for bzip2 is now disabled by default in the build
        (enable using ./configure --with-bzip2)
      bzip2 Content-Encoding is not widely supported
      Prefer to build --with-brotli
      brotli Content-Encoding is more widely supported than bzip2

    * HTTP/2 support will be enabled by default in a future release
    * graceful restart/shutdown default timeout will change from
        0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
      configure an alternative with:
        server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
    * mod_compress is DEPRECATED; use mod_deflate
      mod_compress has been subsumed by mod_deflate
      Note: mod_compress config options may be removed in a future release
    * mod_geoip is DEPRECATED; use mod_maxminddb
      Note: mod_geoip will be removed from a future lighttpd release
    * mod_authn_mysql is DEPRECATED; use mod_authn_dbi
      Note: mod_authn_mysql will be removed from a future lighttpd release
    * mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
      Note: mod_mysql_vhost will be removed from a future lighttpd release
    * mod_cml is DEPRECATED; use mod_magnet
      Note: mod_cml will be removed from a future lighttpd release
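
An added example (not part of the original announcement and not lighttpd project code): a small Python audit that checks a lighttpd.conf for the items these notes call out, namely deprecated modules, ssl-conf-cmd settings that bring back TLSv1/TLSv1.1, and the opt-in HTTP/2 and graceful-shutdown-timeout feature flags. The function name audit, the finding messages and the sample configuration are constructed for illustration.

```python
import re

# Replacements named in the lighttpd 1.4.56 release notes.
DEPRECATED = {
    "mod_compress": "mod_deflate",
    "mod_geoip": "mod_maxminddb",
    "mod_authn_mysql": "mod_authn_dbi",
    "mod_mysql_vhost": "mod_vhostdb_dbi or mod_vhostdb_mysql",
    "mod_cml": "mod_magnet",
}
OLD_TLS = ("TLSv1", "TLSv1.1")
SSL_CMD = re.compile(r'"(MinProtocol|Protocol)"\s*=>\s*"([^"]*)"')
FLAG = re.compile(r'"(server\.[\w-]+)"\s*=>\s*"?([\w-]+)"?')

def audit(conf_text):
    """Return [(line_no, message)]; line_no 0 marks a whole-file finding."""
    findings, flags = [], {}
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # assumption: no '#' inside quoted values
        for mod, repl in DEPRECATED.items():
            if f'"{mod}"' in line:
                findings.append((n, f"{mod} is deprecated; use {repl}"))
        for cmd, value in SSL_CMD.findall(line):
            tokens = [t.strip() for t in value.split(",")]
            old = [t for t in tokens if t in OLD_TLS]
            if old:
                findings.append((n, f"{cmd} re-enables {', '.join(old)}"))
        flags.update(FLAG.findall(line))  # flags may span several lines
    if flags.get("server.h2proto") != "enable":
        findings.append((0, "HTTP/2 not enabled (opt-in in 1.4.56)"))
    if flags.get("server.graceful-shutdown-timeout", "0") == "0":
        findings.append((0, "graceful shutdown timeout unset (0 = no timeout)"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = '''\
server.modules = ("mod_access", "mod_compress", "mod_openssl")
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")
server.feature-flags += ("server.h2proto" => "enable",
                         "server.h2c"     => "enable")
#server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
'''

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONF):
        print(f"{line_no}: {message}")
```

The commented-out timeout line in the sample is ignored, so the audit reports the timeout as unset alongside the mod_compress and MinProtocol findings.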
