NetBSD Problem Report #58878
From www@netbsd.org Fri Dec 6 01:03:00 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B76701A9238
for <gnats-bugs@gnats.NetBSD.org>; Fri, 6 Dec 2024 01:03:00 +0000 (UTC)
Message-Id: <20241206010259.6F9D81A923B@mollari.NetBSD.org>
Date: Fri, 6 Dec 2024 01:02:59 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: bozohttpd rejects tls1.1 and tls1.2 by default
X-Send-Pr-Version: www-1.0
>Number: 58878
>Category: bin
>Synopsis: bozohttpd rejects tls1.1 and tls1.2 by default
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: mrg
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Dec 06 01:05:00 +0000 2024
>Last-Modified: Thu May 07 17:30:01 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The NetBozo1.3 Foundation
>Environment:
>Description:
Since merging support for restricting TLS versions as part of https://gnats.netbsd.org/55830, bozohttpd(8) has defaulted to _rejecting_ TLSv1.1 and TLSv1.2, accepting only TLSv1.3.
79 /* Default to TLS 1.3. */
80 struct {
81 unsigned proto;
82 const char *name;
83 } protos[] = {
84 { TLS1_3_VERSION, "TLSv1.3" },
85 { TLS1_2_VERSION, "TLSv1.2" },
86 { TLS1_1_VERSION, "TLSv1.1" },
87 { 0, NULL },
88 };
89
90 static int
91 bozo_ssl_proto(const char *name)
92 {
93 unsigned i;
94
95 if (name)
96 for (i = 0; protos[0].proto != 0; i++)
97 if (strcasecmp(name, protos[i].name) == 0)
98 return protos[i].proto;
99 return protos[0].proto;
100 }
https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#79
265 proto = bozo_ssl_proto(httpd->ssl_min_proto);
266
267 if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#265
Thus, if you don't specify `bozohttpd -m TLSv1.1', bozohttpd will reject TLSv1.1 and TLSv1.2.
>How-To-Repeat:
1. run bozohttpd at example.com
2. curl --head --tls-max 1.1 https://example.com
>Fix:
Yes, please!
I think it would be reasonable to defer the default choice to OpenSSL instead of insisting on TLSv1.3. (While TLSv1.3 is certainly better than 1.1 and 1.2, there are plenty of clients that still use those -- like Fastly... They aren't quite as obsolete as SSLv2 or SSLv3 are today.)
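The lookup quoted in the Description has two distinct problems: the table defaults to its first entry (TLSv1.3) whenever -m is absent, and the loop tests protos[0].proto rather than protos[i].proto, so an unrecognised name walks off the end of the table. The following C program is an added illustration, not code from the PR or from bozohttpd: it reproduces the r1.34 lookup as reported, puts a corrected lookup next to it, and shows the version check that makes the How-To-Repeat fail. It assumes a DEFAULT_MIN_PROTO of TLS1_1_VERSION (the value the commit messages say the manual documents) and that an unknown name should yield 0 so the caller can reject the option; the TLS1_x_VERSION macros are local copies of OpenSSL's values so the file builds without OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Local copies of OpenSSL's TLS version numbers (same values as <openssl/ssl.h>). */
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Name table in the same order as ssl-bozo.c r1.34: index 0 is TLSv1.3. */
static const struct {
	unsigned proto;
	const char *name;
} protos[] = {
	{ TLS1_3_VERSION, "TLSv1.3" },
	{ TLS1_2_VERSION, "TLSv1.2" },
	{ TLS1_1_VERSION, "TLSv1.1" },
	{ 0, NULL },
};

/*
 * The lookup as quoted in the PR.  Two defects:
 *  - no name   -> protos[0].proto, i.e. TLSv1.3, so 1.1 and 1.2 clients are refused;
 *  - unknown name -> the loop condition never changes, so the scan runs past the
 *    sentinel (undefined behaviour).  Only called here with NULL or a known name.
 */
unsigned
reported_ssl_proto(const char *name)
{
	unsigned i;

	if (name)
		for (i = 0; protos[0].proto != 0; i++)
			if (strcasecmp(name, protos[i].name) == 0)
				return protos[i].proto;
	return protos[0].proto;
}

/* Assumption: the documented default minimum, per the commit messages in this PR. */
#define DEFAULT_MIN_PROTO TLS1_1_VERSION

/*
 * Corrected lookup.  No name -> the documented default; unknown name -> 0 so the
 * caller can report a bad -m argument instead of silently choosing a version.
 * The loop now tests protos[i].proto and stops at the sentinel.
 */
unsigned
fixed_ssl_proto(const char *name)
{
	unsigned i;

	if (name == NULL)
		return DEFAULT_MIN_PROTO;
	for (i = 0; protos[i].proto != 0; i++)
		if (strcasecmp(name, protos[i].name) == 0)
			return protos[i].proto;
	return 0;
}

/*
 * Does a server with minimum server_min accept a client whose highest offered
 * version is client_max?  This is what "curl --tls-max 1.1" exercises: the
 * client's ceiling is TLS1_1_VERSION, and the handshake fails once the server's
 * floor is above it.
 */
int
accepts_client(unsigned server_min, unsigned client_max)
{
	return client_max >= server_min;
}

int
main(void)
{
	const unsigned curl_tls_max_1_1 = TLS1_1_VERSION;

	printf("reported default min: 0x%04x, accepts --tls-max 1.1: %d\n",
	    reported_ssl_proto(NULL),
	    accepts_client(reported_ssl_proto(NULL), curl_tls_max_1_1));
	printf("fixed default min:    0x%04x, accepts --tls-max 1.1: %d\n",
	    fixed_ssl_proto(NULL),
	    accepts_client(fixed_ssl_proto(NULL), curl_tls_max_1_1));
	printf("fixed -m tlsv1.2:     0x%04x, unknown name: 0x%04x\n",
	    fixed_ssl_proto("tlsv1.2"), fixed_ssl_proto("SSLv3"));
	return 0;
}
```

With the reported lookup the handshake in step 2 of How-To-Repeat is refused (client ceiling 0x0302 below server floor 0x0304); with the corrected default it is accepted, and an explicit -m TLSv1.2 or -m TLSv1.3 still raises the floor as intended.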
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Fri, 06 Dec 2024 01:51:31 +0000
Responsible-Changed-Why:
over to the friendly neighbourhood bozo
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58878 CVS commit: src/libexec/httpd
Date: Sun, 3 May 2026 21:49:10 +0000
Module Name: src
Committed By: mrg
Date: Sun May 3 21:49:10 UTC 2026
Modified Files:
src/libexec/httpd: ssl-bozo.c
Log Message:
make the default min TLS version 1.1, as it was documented to be.
fixes PR#58878.
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58878 CVS commit: src/libexec/httpd
Date: Sun, 3 May 2026 21:52:14 +0000
Module Name: src
Committed By: mrg
Date: Sun May 3 21:52:14 UTC 2026
Modified Files:
src/libexec/httpd: CHANGES bozohttpd.8 bozohttpd.c
Log Message:
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.100 -r1.101 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.151 -r1.152 src/libexec/httpd/bozohttpd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58878 CVS commit: pkgsrc/www/bozohttpd
Date: Sun, 3 May 2026 22:04:04 +0000
Module Name: pkgsrc
Committed By: mrg
Date: Sun May 3 22:04:04 UTC 2026
Modified Files:
pkgsrc/www/bozohttpd: Makefile distinfo
Log Message:
upgrade to bozohttpd 20260503. changes include:
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
o make directory listings mobile friendly. from D. Bohdan.
To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.104 pkgsrc/www/bozohttpd/Makefile
cvs rdiff -u -r1.78 -r1.79 pkgsrc/www/bozohttpd/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58878 CVS commit: [netbsd-11] src/libexec/httpd
Date: Thu, 7 May 2026 15:51:07 +0000
Module Name: src
Committed By: martin
Date: Thu May 7 15:51:07 UTC 2026
Modified Files:
src/libexec/httpd [netbsd-11]: CHANGES auth-bozo.c bozohttpd.8
bozohttpd.c bozohttpd.h daemon-bozo.c lua-bozo.c ssl-bozo.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #268):
libexec/httpd/CHANGES: revision 1.57
libexec/httpd/daemon-bozo.c: revision 1.23
libexec/httpd/bozohttpd.8: revision 1.101
libexec/httpd/lua-bozo.c: revision 1.16
libexec/httpd/auth-bozo.c: revision 1.29
libexec/httpd/bozohttpd.h: revision 1.74
libexec/httpd/ssl-bozo.c: revision 1.35
libexec/httpd/ssl-bozo.c: revision 1.36
libexec/httpd/ssl-bozo.c: revision 1.37
libexec/httpd/bozohttpd.c: revision 1.150
libexec/httpd/bozohttpd.c: revision 1.151
libexec/httpd/bozohttpd.c: revision 1.152
Fix iteration over protos[] to prevent out-of-bounds access
Fix use-after-free in the "http://" case
Fix double free of uri (later handled by bozo_clean_request())
Fix off-by-one in case user provided '\x80' in the auth string
log the correct port when using https.
fixes PR#59644.
make the default min TLS version 1.1, as it was documented to be.
fixes PR#58878.
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.56.4.1 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.28 -r1.28.4.1 src/libexec/httpd/auth-bozo.c
cvs rdiff -u -r1.100 -r1.100.2.1 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.149 -r1.149.2.1 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.73 -r1.73.6.1 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.22 -r1.22.10.1 src/libexec/httpd/daemon-bozo.c
cvs rdiff -u -r1.15 -r1.15.24.1 src/libexec/httpd/lua-bozo.c
cvs rdiff -u -r1.34 -r1.34.4.1 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58878 CVS commit: [netbsd-10] src/libexec/httpd
Date: Thu, 7 May 2026 17:29:08 +0000
Module Name: src
Committed By: martin
Date: Thu May 7 17:29:08 UTC 2026
Modified Files:
src/libexec/httpd [netbsd-10]: CHANGES auth-bozo.c bozohttpd.8
bozohttpd.c bozohttpd.h daemon-bozo.c lua-bozo.c ssl-bozo.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1265):
libexec/httpd/CHANGES: revision 1.57
libexec/httpd/daemon-bozo.c: revision 1.23
libexec/httpd/bozohttpd.8: revision 1.101
libexec/httpd/lua-bozo.c: revision 1.16
libexec/httpd/auth-bozo.c: revision 1.29
libexec/httpd/bozohttpd.h: revision 1.74
libexec/httpd/ssl-bozo.c: revision 1.35
libexec/httpd/ssl-bozo.c: revision 1.36
libexec/httpd/ssl-bozo.c: revision 1.37
libexec/httpd/bozohttpd.c: revision 1.150
libexec/httpd/bozohttpd.c: revision 1.151
libexec/httpd/bozohttpd.c: revision 1.152
Fix iteration over protos[] to prevent out-of-bounds access
Fix use-after-free in the "http://" case
Fix double free of uri (later handled by bozo_clean_request())
Fix off-by-one in case user provided '\x80' in the auth string
log the correct port when using https.
fixes PR#59644.
make the default min TLS version 1.1, as it was documented to be.
fixes PR#58878.
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.54.2.1 -r1.54.2.2 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.27.6.1 -r1.27.6.2 src/libexec/httpd/auth-bozo.c
cvs rdiff -u -r1.92.2.1 -r1.92.2.2 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.142.2.1 -r1.142.2.2 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.73 -r1.73.2.1 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.22 -r1.22.6.1 src/libexec/httpd/daemon-bozo.c
cvs rdiff -u -r1.15 -r1.15.20.1 src/libexec/httpd/lua-bozo.c
cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: