proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via `#ifdef
HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There're a bunch of changes to add the new `SSLECHKeyDir` directive that
are mosly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Submitted by: sftcd <stephen.farrell cs.tcd.ie>, rpluem
Github: closes#551
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1928357 13f79535-47bb-0310-9956-ffa450edef68
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927807 13f79535-47bb-0310-9956-ffa450edef68
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927792 13f79535-47bb-0310-9956-ffa450edef68
format (TOML) including MMN information.
* modules/core/mod_so.c (print_mod_data): New function.
(dump_loaded_modules): Use it if DUMP_MODULE_DATA is defined.
* docs/manual/programs/httpd.xml: Move -DDUMP_* docs to a new
section, cover the above new option.
Github: closes#537
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926737 13f79535-47bb-0310-9956-ffa450edef68
