Joe Orton [Thu, 23 Oct 2025 11:51:28 +0000 (11:51 +0000)]
mod_ssl: Add SSLVHostSNIPolicy directive to set the compatibility
level required for VirtualHost matching.
For "secure" and "authonly" modes, a hash of the policy-relevant vhost
configuration is created and stored in the post_config hooks, reducing
the runtime code complexity (and overhead).
* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
function, replacing ssl_server_compatible et al.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
function.
* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
New functions.
(ssl_init_Module): Invoke create_sni_policy_hash to store the hash
for every SSLSrvConfigRec.
Ruediger Pluem [Thu, 2 Oct 2025 13:00:44 +0000 (13:00 +0000)]
Correctly parse Range headers with multiple ranges
Correctly parse Range headers with multiple ranges that have
whitespaces around the comma separating the ranges from each other by
trimming the whitespace.
Joe Orton [Wed, 1 Oct 2025 08:23:55 +0000 (08:23 +0000)]
* modules/ssl/ssl_private.h (SSLModConfigRec): Make szCryptoDevice
conditional on ENGINE API support.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCryptoDevice): Log a
warning if the directive is used in a non-ENGINE OpenSSL build;
only touch szCryptoDevice for with-ENGINE builds.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Only
use szCryptoDevice for with-ENGINE builds.
Joe Orton [Fri, 12 Sep 2025 08:05:11 +0000 (08:05 +0000)]
mod_ssl: Add support for Encrypted Client Hello (ECH) based off
proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via `#ifdef
HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There're a bunch of changes to add the new `SSLECHKeyDir` directive that
are mosly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Perform OCSP requests via HTTP/1.1 instead of HTTP/1.0
According to https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
Digicert stops supporting HTTP/1.0 for their OCSP responder, but still supports
HTTP/1.1. Hence switch to HTTP/1.1 to keep things working.
It is assumed that other OCSP responders support HTTP/1.1 as well.
Ruediger Pluem [Tue, 19 Aug 2025 12:45:15 +0000 (12:45 +0000)]
Make the value set for the socket option TCP_DEFER_ACCEPT configurable
* include/ap_listen.h:
- Add prototype for include/ap_listen.heraccept
- Wire in new directive ListenTCPDeferAccept
* include/mpm_common.h:
Define the previous static value as default value via DEFAULT_TCP_DEFER_ACCEPT
* server/listen.c:
- Add static int ap_listentcpdeferaccept
- ap_apply_accept_filter: Use value of ap_listenbacklog for setting TCP_DEFER_ACCEPT
- ap_listen_pre_config: Set default value
- Add ap_set_listentcpdeferaccept
Ruediger Pluem [Tue, 19 Aug 2025 12:12:41 +0000 (12:12 +0000)]
Remove condition which is always false
If sslconn->non_ssl_request is set to either NON_SSL_SEND_REQLINE or
NON_SSL_SEND_HDR_SEP we cannot close the connection here.
We handle NON_SSL_SEND_REQLINE and NON_SSL_SEND_HDR_SEP
later again in the input filter and in ssl_hook_ReadReq
to return an appropriate error message to the client.
Stefan Eissing [Fri, 15 Aug 2025 11:23:29 +0000 (11:23 +0000)]
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.
Stefan Eissing [Thu, 14 Aug 2025 07:53:10 +0000 (07:53 +0000)]
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
Stefan Eissing [Tue, 15 Jul 2025 06:35:04 +0000 (06:35 +0000)]
* mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
PR69741 [Benjamin P. Kallus]
Joe Orton [Wed, 25 Jun 2025 12:53:18 +0000 (12:53 +0000)]
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
handling inside mod_ssl where OpenSSL is built to handle that
internally in libssl.
Joe Orton [Wed, 25 Jun 2025 07:55:26 +0000 (07:55 +0000)]
mod_ssl: Accept expired client certs with optional_no_ca mode.
* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
permitted for "optional_no_ca" mode.
In set_cookie_name() and set_cookie_name2(), now that the empty 'name' argument is explicitly handled, the error message in check_string() can be simplified because the cookie name can't be empty anymore when this function is called.
Joe Orton [Fri, 6 Jun 2025 10:36:00 +0000 (10:36 +0000)]
* modules/dav/fs/repos.c (dav_fs_remove_resource):
Return a 404 if apr_file_remove() fails with an ENOENT error,
likely due to a race with another DELETE.
Ruediger Pluem [Tue, 3 Jun 2025 15:12:14 +0000 (15:12 +0000)]
Ensure that ALL fields of the ap_listen_rec structure are initialized
alloc_listener initializes more fields in the created ap_listen_rec structure
than alloc_systemd_listener as it has more data to add to this structure.
Ensure that all fields of the ap_listen_rec structure are initialized at
least with 0 as later code using this structure depends on this.
Stefan Eissing [Fri, 30 May 2025 12:45:59 +0000 (12:45 +0000)]
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
Yann Ylavic [Thu, 22 May 2025 14:38:41 +0000 (14:38 +0000)]
mod_proxy: restore reuse of ProxyRemote connections when possible.
Fixes a regression from 2.4.59 (r1913907).
For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.
* modules/proxy/proxy_util.c:
Rename the struct to remote_connect_info since it's only used for
connecting through remote CONNECT proxies. Axe the use_http_connect
field, always true.
* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
Remote CONNECT (forward) proxy connections can be reused if the auth
and origin server infos are the same, so conn->forward != NULL is not
a condition to prevent reusability.
* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
Fix the checks around conn->forward reuse and connection cleanup if
that's not possible.
projects / thirdparty / apache / httpd.git / log
