Subject: CVS commit: pkgsrc/www/lighttpd
From: Amitai Schleier
Date: 2020-11-30 11:28:33
Message id: 20201130102833.C7BA3FA9D@cvs.NetBSD.org

Log Message:
Update to 1.4.56. From the changelog:

# Highlights

- HTTP/2 support
  - must be enabled in lighttpd.conf in lighttpd 1.4.56;
    may be enabled by default in a future release
  - `server.feature-flags += ("server.h2proto" => \ 
"enable", "server.h2c" => "enable")`
- TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
  - mod_openssl (existing)
  - mod_mbedtls (experimental)
  - mod_wolfssl (experimental)
  - mod_gnutls (experimental)
  - mod_nss (experimental)
- TLS OCSP stapling
  (except mbedTLS; not currently supported by mbedTLS)
- TLS session ticket key rotation control
  (except NSS; API limitation in NSS)
- mod_deflate brotli support
- mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)
- RFC 8297 support for 103 Early Hints produced by backends (scripts)
- graceful restart option to transfer listen fds (minimal pause)
  - `server.systemd-socket-activation = "enable"`
  - `server.feature-flags += ("server.graceful-restart-bg" => \ 
"enable", "server.graceful-shutdown-timeout" => \ 
"15")`

# Behavior Changes

- mod_openssl
  - default MinProtocol TLSv1.2
    TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.
    \ 
<https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html>
    If prior behavior is required, configure:
    `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")`
    If using openssl <= 1.0.2 (end-of-life)
    `ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1, \ 
TLSv1.1, TLSv1.2")`
  - (internal) TLS session cache is disabled by default,
    replaced by lighttpd robust TLSv1.2 session ticket support
    If backward compatibility is needed:
    `server.feature-flags += ("ssl.session-cache" => \ 
"enable")`
  - (internal) openssl creates a session ticket encryption key per SSL_CTX.
    lighttpd 1.4.56 and later assigns a single session ticket encryption key
    for the lighttpd server (across all SSL_CTX) for consistency.
  - behavior change with ssl.ca-dn-file (uncommon); applies to client
    certificate verification and ssl.ca-dn-file (uncommon)
    If client certificate verification is enabled
    (ssl.verifyclient.activate = "enable"),
    all CAs used for client certificate verification must be present in
    ssl.ca-file. This is the typical use case when client certificate
    verification is enabled. Certificates in (optional) ssl.ca-dn-file
    are used to send issuer names to client when the server sends a
    client certificate request. These names are use by the client
    during certificate selection, and the server requires that the
    certificate sent by the client be issued by one of the subjects
    in ssl.ca-dn-file.
    (Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.
    New behavior requires all trusted CAs be listed in ssl.ca-file,
    and a subset be duplicated into ssl.ca-dn-file to specify allowed
    client cert issuer.)
- mod_deflate: support for bzip2 is now disabled by default in the build
  - (enable using `./configure --with-bzip2`)
    bzip2 Content-Encoding is not widely supported
    Prefer to build `--with-brotli`
    brotli Content-Encoding is more widely supported than bzip2

# Future Scheduled Behavior Changes

- HTTP/2 support will be enabled by default in a future release
- graceful restart/shutdown default timeout will change from
  0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
  configure an alternative with:
  `server.feature-flags += ("server.graceful-shutdown-timeout" => 5)`
- mod_compress is DEPRECATED; use mod_deflate
  mod_compress has been subsumed by mod_deflate
  Note: mod_compress config options may be removed in a future release
- mod_geoip is DEPRECATED; use mod_maxminddb
  Note: mod_geoip will be removed from a future lighttpd release
- mod_authn_mysql is DEPRECATED; use mod_authn_dbi
  Note: mod_authn_mysql will be removed from a future lighttpd release
- mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
  Note: mod_mysql_vhost will be removed from a future lighttpd release
- mod_cml is DEPRECATED; use mod_magnet
  Note: mod_cml will be removed from a future lighttpd release

Files:
RevisionActionfile
1.92modifypkgsrc/www/lighttpd/Makefile
1.21modifypkgsrc/www/lighttpd/PLIST
1.57modifypkgsrc/www/lighttpd/distinfo
1.24modifypkgsrc/www/lighttpd/options.mk
1.6modifypkgsrc/www/lighttpd/patches/patch-doc_config_lighttpd.conf
1.3modifypkgsrc/www/lighttpd/patches/patch-doc_lighttpd.8
1.1removepkgsrc/www/lighttpd/patches/patch-src_mod__webdav.c