Joe Orton [Mon, 19 Jan 2026 12:43:36 +0000 (12:43 +0000)]
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert): Use
ASN1_TIME_diff() if available to avoid parsing the ASN1_TIME.
Temporarily disable the new ASN1_TIME_diff() code for the
feature/ech branch build since that branch has a regression, once
https://github.com/openssl/openssl/commit/9fb44b527ee3717795609fb876a7a81f8898c623
is merged this workaround should be reverted.
Joe Orton [Tue, 6 Jan 2026 11:02:20 +0000 (11:02 +0000)]
mod_dav: Fix security issue in unreleased MS-WDV support:
* modules/dav/main/ms_wdv.c (mswdv_combined_proppatch):
The MS-WDV combined PROPPATCH handler reads a 16-byte hex length
prefix from the request body and uses it directly for memory
allocation without bounds checking. An attacker can specify an
extremely large value to trigger OOM and crash the worker process.
This patch validates the parsed length against LimitXMLRequestBody
and APR_SIZE_MAX before allocation.
Reported by: Pavel Kohout, Aisle Research, www.aisle.com
Submitted by: Pavel Kohout, jorton
Github: closes #592
Joe Orton [Thu, 18 Dec 2025 12:50:42 +0000 (12:50 +0000)]
mod_md: change types of fields of ocsp_summary_ctx_t
The number of members in ostat_by_id may be up to UINT_MAX
and there are no guarantees that all types of members (good,
revoked or unknown) are present. An integer overflow may also
occur in md_ocsp_get_summary() when they are summed as ints.
Change types of good, revoked and unknown to unsigned.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Joe Orton [Tue, 16 Dec 2025 16:05:10 +0000 (16:05 +0000)]
mod_file_cache: Fix crashes for mmap'ed files under threaded MPM.
* modules/cache/mod_file_cache.c (mmap_handler): fix file getting
unmapped erroneously when server is under load in multi-thread
multi-core configuration
Yann Ylavic [Tue, 25 Nov 2025 11:39:28 +0000 (11:39 +0000)]
mod_proxy_hcheck: Fix healthcheck disabled due to child restart while updating
When a child gets restarted while the healthcheck watchdog running for a
worker, the healcheck will be disabled for that worker indefinitively because
its ->updated time remains zero. Fix all zero ->updated time at startup.
* mod_proxy_hcheck.c(hc_watchdog_callback):
Have AP_WATCHDOG_STATE_STARTING set the ->updated time of all the workers to
"now" (if zero).
Move up scoped variables common to AP_WATCHDOG_STATE_{STARTING,RUNNING}
loops.
Joe Orton [Fri, 21 Nov 2025 09:38:42 +0000 (09:38 +0000)]
CI: Try to fix ab failures during OpenSSL ech job, set RPATH via LDFLAGS
CI: For OpenSSL branch builds, always build a fresh version of the
OpenSSL branch and cache the commit hash to allow checking for freshness.
Also clone with --depth=1 to save time+bandwidth.
Stefan Eissing [Thu, 20 Nov 2025 12:52:24 +0000 (12:52 +0000)]
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
- Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
Joe Orton [Fri, 7 Nov 2025 12:57:48 +0000 (12:57 +0000)]
mod_dav, mod_dav_fs: Add opt-in support for controlling resource
modification times via the X-Oc-Mtime header in the PUT and MKCOL
method implementations.
* modules/dav/fs/mod_dav.h: Extend dav_hooks_repository struct
with set_mtime function pointer.
* modules/dav/fs/repos.c (dav_fs_set_mtime): New function.
* modules/dav/main/mod_dav.c (dav_cmd_davhonormtimeheader,
dav_parse_mtime): New functions.
(dav_method_put, dav_method_mkcol): Add X-Oc-Mtime handling.
(dav_cmds): Add DAVHonorMtimeHeader directive.
Submitted by: Leo <i hardrain980.com>
Github: closes #556
Joe Orton [Thu, 23 Oct 2025 11:51:28 +0000 (11:51 +0000)]
mod_ssl: Add SSLVHostSNIPolicy directive to set the compatibility
level required for VirtualHost matching.
For "secure" and "authonly" modes, a hash of the policy-relevant vhost
configuration is created and stored in the post_config hooks, reducing
the runtime code complexity (and overhead).
* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
function, replacing ssl_server_compatible et al.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
function.
* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
New functions.
(ssl_init_Module): Invoke create_sni_policy_hash to store the hash
for every SSLSrvConfigRec.
Ruediger Pluem [Thu, 2 Oct 2025 13:00:44 +0000 (13:00 +0000)]
Correctly parse Range headers with multiple ranges
Correctly parse Range headers with multiple ranges that have
whitespaces around the comma separating the ranges from each other by
trimming the whitespace.
Joe Orton [Wed, 1 Oct 2025 08:23:55 +0000 (08:23 +0000)]
* modules/ssl/ssl_private.h (SSLModConfigRec): Make szCryptoDevice
conditional on ENGINE API support.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCryptoDevice): Log a
warning if the directive is used in a non-ENGINE OpenSSL build;
only touch szCryptoDevice for with-ENGINE builds.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Only
use szCryptoDevice for with-ENGINE builds.
Joe Orton [Fri, 12 Sep 2025 08:05:11 +0000 (08:05 +0000)]
mod_ssl: Add support for Encrypted Client Hello (ECH) based off
proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via `#ifdef
HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There're a bunch of changes to add the new `SSLECHKeyDir` directive that
are mosly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Perform OCSP requests via HTTP/1.1 instead of HTTP/1.0
According to https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
Digicert stops supporting HTTP/1.0 for their OCSP responder, but still supports
HTTP/1.1. Hence switch to HTTP/1.1 to keep things working.
It is assumed that other OCSP responders support HTTP/1.1 as well.
Ruediger Pluem [Tue, 19 Aug 2025 12:45:15 +0000 (12:45 +0000)]
Make the value set for the socket option TCP_DEFER_ACCEPT configurable
* include/ap_listen.h:
- Add prototype for include/ap_listen.heraccept
- Wire in new directive ListenTCPDeferAccept
* include/mpm_common.h:
Define the previous static value as default value via DEFAULT_TCP_DEFER_ACCEPT
* server/listen.c:
- Add static int ap_listentcpdeferaccept
- ap_apply_accept_filter: Use value of ap_listenbacklog for setting TCP_DEFER_ACCEPT
- ap_listen_pre_config: Set default value
- Add ap_set_listentcpdeferaccept
Ruediger Pluem [Tue, 19 Aug 2025 12:12:41 +0000 (12:12 +0000)]
Remove condition which is always false
If sslconn->non_ssl_request is set to either NON_SSL_SEND_REQLINE or
NON_SSL_SEND_HDR_SEP we cannot close the connection here.
We handle NON_SSL_SEND_REQLINE and NON_SSL_SEND_HDR_SEP
later again in the input filter and in ssl_hook_ReadReq
to return an appropriate error message to the client.
projects / thirdparty / apache / httpd.git / log
