Yann Ylavic [Tue, 25 Nov 2025 11:39:28 +0000 (11:39 +0000)]
mod_proxy_hcheck: Fix healthcheck disabled due to child restart while updating
When a child gets restarted while the healthcheck watchdog is running for a
worker, the healthcheck will be disabled for that worker indefinitely because
its ->updated time remains zero. Fix all zero ->updated times at startup.
* mod_proxy_hcheck.c(hc_watchdog_callback):
Have AP_WATCHDOG_STATE_STARTING set the ->updated time of all the workers to
"now" (if zero).
Move up scoped variables common to AP_WATCHDOG_STATE_{STARTING,RUNNING}
loops.
Joe Orton [Fri, 21 Nov 2025 09:38:42 +0000 (09:38 +0000)]
CI: Try to fix ab failures during OpenSSL ech job, set RPATH via LDFLAGS
CI: For OpenSSL branch builds, always build a fresh version of the
OpenSSL branch and cache the commit hash to allow checking for freshness.
Also clone with --depth=1 to save time+bandwidth.
Stefan Eissing [Thu, 20 Nov 2025 12:52:24 +0000 (12:52 +0000)]
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
- Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
Joe Orton [Fri, 7 Nov 2025 12:57:48 +0000 (12:57 +0000)]
mod_dav, mod_dav_fs: Add opt-in support for controlling resource
modification times via the X-Oc-Mtime header in the PUT and MKCOL
method implementations.
* modules/dav/fs/mod_dav.h: Extend dav_hooks_repository struct
with set_mtime function pointer.
* modules/dav/fs/repos.c (dav_fs_set_mtime): New function.
* modules/dav/main/mod_dav.c (dav_cmd_davhonormtimeheader,
dav_parse_mtime): New functions.
(dav_method_put, dav_method_mkcol): Add X-Oc-Mtime handling.
(dav_cmds): Add DAVHonorMtimeHeader directive.
Submitted by: Leo <i hardrain980.com>
Github: closes #556
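As an added illustration of the X-Oc-Mtime handling described in this commit (this is not mod_dav's code, and the function names are mine): the value is assumed to be the modification time as plain non-negative decimal Unix seconds, which is what ownCloud/Nextcloud clients send; anything else is rejected rather than coerced. The mtime is only applied when the opt-in flag (standing in for DAVHonorMtimeHeader) is on, and only mtime is touched, never atime.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Parse an X-Oc-Mtime value. Assumption (not stated on the page): the value is
   plain non-negative decimal Unix seconds. Sign, whitespace, fractions and
   overflow are rejected. Returns 1 and sets *out on success, 0 otherwise. */
int parse_mtime_header(const char *value, time_t *out)
{
    long long v = 0;
    if (value == NULL || *value == '\0') return 0;
    for (const char *p = value; *p != '\0'; p++) {
        int d = *p - '0';
        if (d < 0 || d > 9) return 0;
        if (v > (LLONG_MAX - d) / 10) return 0;
        v = v * 10 + d;
    }
    if ((long long)(time_t)v != v) return 0;   /* does not fit the platform time_t */
    *out = (time_t)v;
    return 1;
}

/* Apply a client-supplied mtime to `path`, but only when the opt-in flag
   (the example's stand-in for DAVHonorMtimeHeader) is on. Only mtime is
   changed; atime is left alone via UTIME_OMIT. Returns 0 if applied, 1 if
   ignored, -1 on error with errno set (EINVAL for a malformed header). */
int apply_client_mtime(int honor_mtime_header, const char *path, const char *header_value)
{
    struct timespec ts[2];
    time_t mtime;

    if (!honor_mtime_header || header_value == NULL) return 1;
    if (!parse_mtime_header(header_value, &mtime)) { errno = EINVAL; return -1; }
    ts[0].tv_sec = 0;     ts[0].tv_nsec = UTIME_OMIT;   /* keep atime */
    ts[1].tv_sec = mtime; ts[1].tv_nsec = 0;            /* set mtime */
    return utimensat(AT_FDCWD, path, ts, 0) == 0 ? 0 : -1;
}

/* Simulate a PUT: write a temporary file, apply the header, and return the
   resulting st_mtime, or -1 if the header was rejected or ignored. */
time_t demo_put_with_mtime(int honor, const char *header_value)
{
    char path[] = "/tmp/x-oc-mtime-XXXXXX";
    struct stat st;
    time_t result = -1;
    int fd = mkstemp(path);

    if (fd < 0) return -1;
    if (write(fd, "hello\n", 6) != 6) { close(fd); unlink(path); return -1; }
    close(fd);
    if (apply_client_mtime(honor, path, header_value) == 0 && stat(path, &st) == 0)
        result = st.st_mtime;
    unlink(path);
    return result;
}
```

Keeping this opt-in matters: once honoured, a client can backdate or forward-date a resource, so anything downstream that uses mtime for sync decisions, cache validation or "recently changed" listings is trusting the client. A malformed header is rejected with 400-style EINVAL here rather than silently applying whatever strtol would make of it.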
Joe Orton [Thu, 23 Oct 2025 11:51:28 +0000 (11:51 +0000)]
mod_ssl: Add SSLVHostSNIPolicy directive to set the compatibility
level required for VirtualHost matching.
For "secure" and "authonly" modes, a hash of the policy-relevant vhost
configuration is created and stored in the post_config hooks, reducing
the runtime code complexity (and overhead).
* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
function, replacing ssl_server_compatible et al.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
function.
* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
New functions.
(ssl_init_Module): Invoke create_sni_policy_hash to store the hash
for every SSLSrvConfigRec.
Ruediger Pluem [Thu, 2 Oct 2025 13:00:44 +0000 (13:00 +0000)]
Correctly parse Range headers with multiple ranges
Correctly parse Range headers with multiple ranges that have
whitespaces around the comma separating the ranges from each other by
trimming the whitespace.
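An added example of the parsing this commit describes, written here to illustrate it rather than taken from httpd: a Range header parser that trims the optional whitespace RFC 9110 list syntax allows around the commas, validates each byte-range-spec, and caps the number of ranges the way httpd's MaxRanges directive does. The type and function names are mine; only the bytes unit is accepted.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>
#include <strings.h>

/* One parsed byte-range-spec. first == -1 marks a suffix range ("-N"),
   last == -1 marks an open-ended range ("N-"). */
typedef struct {
    long first;
    long last;
} byte_range_t;

/* Parse a run of ASCII digits into *out with overflow checking. Returns the
   pointer just past the digits, or NULL if there were none or on overflow. */
static const char *parse_num(const char *p, long *out)
{
    long v = 0;
    if (!isdigit((unsigned char)*p)) return NULL;
    while (isdigit((unsigned char)*p)) {
        int d = *p++ - '0';
        if (v > (LONG_MAX - d) / 10) return NULL;
        v = v * 10 + d;
    }
    *out = v;
    return p;
}

/* Shrink [*s, *e) so that it carries no leading or trailing SP / HTAB: the
   optional whitespace around the commas that separate list elements. */
static void trim_ows(const char **s, const char **e)
{
    while (*s < *e && (**s == ' ' || **s == '\t')) (*s)++;
    while (*e > *s && ((*e)[-1] == ' ' || (*e)[-1] == '\t')) (*e)--;
}

/* Parse one already-trimmed range-spec: "first-last", "first-" or "-suffix". */
static int parse_range_spec(const char *s, const char *e, byte_range_t *r)
{
    char buf[64];
    size_t n = (size_t)(e - s);
    const char *p;

    if (n == 0 || n >= sizeof buf) return 0;
    memcpy(buf, s, n);
    buf[n] = '\0';
    r->first = r->last = -1;

    if (buf[0] == '-') {                      /* suffix range "-N"; "-0" is unsatisfiable */
        p = parse_num(buf + 1, &r->last);
        return p != NULL && *p == '\0' && r->last > 0;
    }
    p = parse_num(buf, &r->first);
    if (p == NULL || *p != '-') return 0;
    if (*++p == '\0') return 1;               /* "N-": open ended */
    p = parse_num(p, &r->last);
    if (p == NULL || *p != '\0') return 0;
    return r->last >= r->first;               /* "a-b" with b < a is invalid */
}

/* Parse a full Range value such as "bytes=0-99 , 200-299" into out[].
   Returns the number of ranges stored, 0 when the header is syntactically
   invalid or uses a unit other than bytes, and -1 when more than `max`
   ranges were supplied (the caller should then ignore Range and serve the
   whole resource, as httpd does when MaxRanges is exceeded). */
int parse_range_header(const char *value, byte_range_t *out, int max)
{
    const char *p = value;
    int count = 0;

    while (*p == ' ' || *p == '\t') p++;
    if (strncasecmp(p, "bytes", 5) != 0) return 0;   /* range units are case-insensitive */
    p += 5;
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '=') return 0;

    for (;;) {
        const char *comma = strchr(p, ',');
        const char *s = p;
        const char *e = comma ? comma : p + strlen(p);

        trim_ows(&s, &e);
        if (s != e) {                         /* empty list elements are tolerated and skipped */
            if (count == max) return -1;
            if (!parse_range_spec(s, e, &out[count])) return 0;
            count++;
        }
        if (comma == NULL) break;
        p = comma + 1;
    }
    return count;                             /* 0 if there was no range-spec at all */
}
```

The trimming happens per element, after splitting on the comma, so "0-99 , 200-299" and "0-99,200-299" parse identically; a range that is invalid (last before first, or "-0") fails the whole header rather than being silently dropped, which is the safer choice for a server deciding between a 206 and a 200.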
Joe Orton [Wed, 1 Oct 2025 08:23:55 +0000 (08:23 +0000)]
* modules/ssl/ssl_private.h (SSLModConfigRec): Make szCryptoDevice
conditional on ENGINE API support.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCryptoDevice): Log a
warning if the directive is used in a non-ENGINE OpenSSL build;
only touch szCryptoDevice for with-ENGINE builds.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Only
use szCryptoDevice for with-ENGINE builds.
Joe Orton [Fri, 12 Sep 2025 08:05:11 +0000 (08:05 +0000)]
mod_ssl: Add support for Encrypted Client Hello (ECH) based off
proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via `#ifdef
HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There're a bunch of changes to add the new `SSLECHKeyDir` directive that
are mostly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component of all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Perform OCSP requests via HTTP/1.1 instead of HTTP/1.0
According to https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
Digicert stops supporting HTTP/1.0 for their OCSP responder, but still supports
HTTP/1.1. Hence switch to HTTP/1.1 to keep things working.
It is assumed that other OCSP responders support HTTP/1.1 as well.
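An added example of what the switch to HTTP/1.1 entails for an OCSP client (not mod_ssl's code; the host, path and request bytes are constructed placeholders, not a real DER-encoded OCSP request). Two things change relative to HTTP/1.0: the Host header is mandatory, and the connection is persistent by default, so the client sends Connection: close and must be prepared for a chunked response body rather than relying on Content-Length or end-of-stream.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Build an HTTP/1.1 OCSP POST (the RFC 6960 Appendix A transport) into out.
   Host is mandatory in HTTP/1.1, and because the connection would otherwise be
   kept alive we ask the responder to close it after this single response.
   Returns the request length, or -1 if it does not fit. */
int build_ocsp_request(char *out, size_t cap, const char *host, const char *path,
                       const unsigned char *der, size_t der_len)
{
    int n = snprintf(out, cap,
                     "POST %s HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "Content-Type: application/ocsp-request\r\n"
                     "Content-Length: %zu\r\n"
                     "Connection: close\r\n"
                     "\r\n", path, host, der_len);
    if (n < 0 || (size_t)n + der_len > cap) return -1;
    memcpy(out + n, der, der_len);
    return n + (int)der_len;
}

/* Decode a chunked body in [p, end) into out; returns body length or -1. */
static long decode_chunked(const char *p, const char *end, unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (;;) {
        char *eol;
        unsigned long sz;
        if (p >= end || !isxdigit((unsigned char)*p)) return -1;
        sz = strtoul(p, &eol, 16);
        while (eol < end && *eol != '\r') eol++;   /* skip any chunk extension */
        if (end - eol < 2 || eol[1] != '\n') return -1;
        p = eol + 2;
        if (sz == 0) return (long)total;           /* last-chunk; trailers are ignored */
        if ((size_t)(end - p) < sz + 2 || total + sz > cap) return -1;
        memcpy(out + total, p, sz);
        total += sz;
        p += sz;
        if (p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
    }
}

/* Parse a complete HTTP/1.1 response buffer with the framing rules an
   HTTP/1.0 client never met: Transfer-Encoding: chunked wins over
   Content-Length, and with neither the body runs to the end of the buffer,
   which is only safe because we sent Connection: close.
   Returns the HTTP status, or -1 if the response is malformed. */
int parse_ocsp_response(const char *resp, size_t resp_len,
                        unsigned char *body, size_t cap, size_t *body_len)
{
    int status, chunked = 0;
    long clen = -1, n;
    const char *hdr_end = strstr(resp, "\r\n\r\n");
    const char *end = resp + resp_len;
    const char *h;

    if (sscanf(resp, "HTTP/1.%*d %3d", &status) != 1 || hdr_end == NULL) return -1;
    for (h = strstr(resp, "\r\n") + 2; h < hdr_end; h = strstr(h, "\r\n") + 2) {
        if (strncasecmp(h, "Transfer-Encoding:", 18) == 0) {
            const char *v = h + 18;
            while (*v == ' ' || *v == '\t') v++;
            if (strncasecmp(v, "chunked", 7) == 0) chunked = 1;
        } else if (strncasecmp(h, "Content-Length:", 15) == 0) {
            clen = strtol(h + 15, NULL, 10);
        }
    }
    h = hdr_end + 4;                          /* start of body */
    if (chunked) {
        n = decode_chunked(h, end, body, cap);
    } else if (clen >= 0) {
        n = (clen <= end - h && (size_t)clen <= cap) ? clen : -1;
        if (n >= 0) memcpy(body, h, (size_t)n);
    } else {
        n = (size_t)(end - h) <= cap ? end - h : -1;
        if (n >= 0) memcpy(body, h, (size_t)n);
    }
    if (n < 0) return -1;
    *body_len = (size_t)n;
    return status;
}
```

A truncated chunked body is reported as malformed rather than handed to the DER parser as a partial response; a status other than 200 should likewise be treated as "no OCSP answer", not as a good or revoked result.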
Ruediger Pluem [Tue, 19 Aug 2025 12:45:15 +0000 (12:45 +0000)]
Make the value set for the socket option TCP_DEFER_ACCEPT configurable
* include/ap_listen.h:
- Add prototype for ap_set_listentcpdeferaccept
- Wire in new directive ListenTCPDeferAccept
* include/mpm_common.h:
Define the previous static value as default value via DEFAULT_TCP_DEFER_ACCEPT
* server/listen.c:
- Add static int ap_listentcpdeferaccept
- ap_apply_accept_filter: Use value of ap_listenbacklog for setting TCP_DEFER_ACCEPT
- ap_listen_pre_config: Set default value
- Add ap_set_listentcpdeferaccept
Ruediger Pluem [Tue, 19 Aug 2025 12:12:41 +0000 (12:12 +0000)]
Remove condition which is always false
If sslconn->non_ssl_request is set to either NON_SSL_SEND_REQLINE or
NON_SSL_SEND_HDR_SEP we cannot close the connection here.
We handle NON_SSL_SEND_REQLINE and NON_SSL_SEND_HDR_SEP
later again in the input filter and in ssl_hook_ReadReq
to return an appropriate error message to the client.
Stefan Eissing [Fri, 15 Aug 2025 11:23:29 +0000 (11:23 +0000)]
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.
Stefan Eissing [Thu, 14 Aug 2025 07:53:10 +0000 (07:53 +0000)]
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
Stefan Eissing [Tue, 15 Jul 2025 06:35:04 +0000 (06:35 +0000)]
* mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
PR69741 [Benjamin P. Kallus]
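An added example around the kind of calculation this commit fixes (not mod_http2's code; the helper names are mine and the module's own routine is not reproduced here): integer floor and ceiling log2, plus the power-of-two rounding that sizing code such as a hash bucket count or a window size is typically built on. Exact powers of two and the values just either side of them are where such routines go wrong, so the self-check walks every one of them.

```c
#include <stdint.h>

/* floor(log2(n)) for n >= 1. n == 0 has no logarithm; this returns 0 for it
   so callers always get a defined value (a documented choice of this example). */
unsigned floor_log2(uint32_t n)
{
    unsigned r = 0;
    while (n >>= 1) r++;
    return r;
}

/* ceil(log2(n)): the smallest k with 2^k >= n. Exact powers of two are the
   classic off-by-one trap: ceil_log2(1024) must be 10, not 11. */
unsigned ceil_log2(uint32_t n)
{
    if (n <= 1) return 0;
    return floor_log2(n - 1) + 1;
}

/* Largest power of two not above n; 0 for n == 0. Rounds a requested size
   down to a power-of-two bucket. */
uint32_t pow2_floor(uint32_t n)
{
    return n ? (uint32_t)1 << floor_log2(n) : 0;
}

/* Smallest power of two not below n; 1 for n <= 1, 0 when 2^k would not fit
   in 32 bits (n > 2^31), so an oversized request cannot silently wrap to 0. */
uint32_t pow2_ceil(uint32_t n)
{
    unsigned k;
    if (n <= 1) return 1;
    k = ceil_log2(n);
    return k < 32 ? (uint32_t)1 << k : 0;
}

/* Cross-check floor_log2 against every power of two and its neighbours,
   using only shifts to build the reference values. Returns 1 if all agree. */
int selfcheck_log2(void)
{
    uint32_t p = 1;
    for (unsigned k = 0; k < 32; k++, p <<= 1) {
        if (floor_log2(p) != k) return 0;                       /* exact power of two */
        if (k > 0 && floor_log2(p - 1) != k - 1) return 0;      /* one below */
        if (floor_log2(p + 1) != (k == 0 ? 1u : k)) return 0;   /* one above */
    }
    return 1;
}
```

When a log2 helper feeds a size, prefer to test it at 2^k - 1, 2^k and 2^k + 1 for every k the type can hold rather than at a few convenient values; a bug that only shows at exact powers of two is invisible to tests that use 1000 and 1000000.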
Joe Orton [Wed, 25 Jun 2025 12:53:18 +0000 (12:53 +0000)]
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
handling inside mod_ssl where OpenSSL is built to handle that
internally in libssl.