proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via
`#ifdef HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There are a bunch of changes to add the new `SSLECHKeyDir` directive that
are mostly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component of all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Submitted by: sftcd <stephen.farrell cs.tcd.ie>, rpluem
Github: closes#551
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1928357 13f79535-47bb-0310-9956-ffa450edef68
If sslconn->non_ssl_request is set to either NON_SSL_SEND_REQLINE or
NON_SSL_SEND_HDR_SEP we cannot close the connection here.
We handle NON_SSL_SEND_REQLINE and NON_SSL_SEND_HDR_SEP
later again in the input filter and in ssl_hook_ReadReq
to return an appropriate error message to the client.
PR: 69773
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927880 13f79535-47bb-0310-9956-ffa450edef68
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927807 13f79535-47bb-0310-9956-ffa450edef68
Do not test euid=0 before going chroot
Nowadays chroot needs the CAP_SYS_CHROOT capability in its user namespace, and can
work without root.
This will allow using chroot with lesser permissions.
Submitted by: Bastien Roucariès <rouca debian.org>
PR: 69767
Github: closes#549
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927804 13f79535-47bb-0310-9956-ffa450edef68
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927792 13f79535-47bb-0310-9956-ffa450edef68
format (TOML) including MMN information.
* modules/core/mod_so.c (print_mod_data): New function.
(dump_loaded_modules): Use it if DUMP_MODULE_DATA is defined.
* docs/manual/programs/httpd.xml: Move -DDUMP_* docs to a new
section, cover the above new option.
Github: closes#537
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926737 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
permitted for "optional_no_ca" mode.
Submitted by: Naveen Albert <apache2 phreaknet.org>
PR: 60028
Github: closes#509
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926714 13f79535-47bb-0310-9956-ffa450edef68
In set_cookie_name() and set_cookie_name2(), now that the empty 'name' argument is explicitly handled, the error message in check_string() can be simplified because the cookie name can't be empty anymore when this function is called.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926188 13f79535-47bb-0310-9956-ffa450edef68
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes#377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925979 13f79535-47bb-0310-9956-ffa450edef68
Fixes a regression from 2.4.59 (r1913907).
For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.
* modules/proxy/proxy_util.c:
Rename the struct to remote_connect_info since it's only used for
connecting through remote CONNECT proxies. Axe the use_http_connect
field, always true.
* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
Remote CONNECT (forward) proxy connections can be reused if the auth
and origin server infos are the same, so conn->forward != NULL is not
a condition to prevent reusability.
* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
Fix the checks around conn->forward reuse and connection cleanup if
that's not possible.
Submitted by: jfclere, ylavic
GH: closes#531
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925743 13f79535-47bb-0310-9956-ffa450edef68
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".
With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with "httpd -t -f httpd.conf".
Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes#523
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68
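An added example, not code from httpd itself, that models the `+`/`-` keyword semantics of `SSLProtocol` as a bitmask so the three invalid combinations above can be recognised at config-check time the way the commit describes. It assumes a bare keyword (no prefix) replaces the mask set so far and that `all` expands to the TLS versions only; both are simplifications of mod_ssl's actual, version-dependent parsing.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Protocol bits. "all" is assumed to cover the TLS versions only; mod_ssl's
 * real definition depends on the OpenSSL version it was built against. */
enum {
    P_SSLV3  = 1 << 0,
    P_TLSV1  = 1 << 1,
    P_TLSV11 = 1 << 2,
    P_TLSV12 = 1 << 3,
    P_TLSV13 = 1 << 4,
    P_ALL    = P_TLSV1 | P_TLSV11 | P_TLSV12 | P_TLSV13
};

/* Map one keyword (without its +/- prefix) to a bit; -1 if unknown. */
static int proto_bit(const char *w)
{
    static const struct { const char *name; int bit; } tab[] = {
        { "SSLv3", P_SSLV3 }, { "TLSv1", P_TLSV1 }, { "TLSv1.1", P_TLSV11 },
        { "TLSv1.2", P_TLSV12 }, { "TLSv1.3", P_TLSV13 }, { "all", P_ALL },
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcasecmp(w, tab[i].name) == 0)
            return tab[i].bit;
    return -1;
}

/* Parse an SSLProtocol argument. Returns the resulting protocol mask,
 * 0 when no protocol is left enabled (the invalid case the commit makes
 * "httpd -t" catch), or -1 for an unknown keyword. */
int ssl_protocol_mask(const char *arg)
{
    char buf[256];
    int mask = 0;
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);
    for (char *w = strtok(buf, " \t"); w; w = strtok(NULL, " \t")) {
        char action = (*w == '+' || *w == '-') ? *w++ : 0;
        int bit = proto_bit(w);
        if (bit < 0) return -1;
        if (action == '-')      mask &= ~bit;
        else if (action == '+') mask |= bit;
        else                    mask = bit;  /* bare keyword replaces earlier ones */
    }
    return mask;
}

int main(void)
{
    const char *examples[] = { "-TLSv1", "-all", "TLSv1.2 -TLSv1.2", "all -TLSv1 -TLSv1.1" };
    for (size_t i = 0; i < 4; i++)
        printf("SSLProtocol \"%s\" -> mask 0x%x%s\n", examples[i], ssl_protocol_mask(examples[i]),
               ssl_protocol_mask(examples[i]) == 0 ? " (no SSL protocols available)" : "");
    return 0;
}
```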
Change the log level from ERROR to DEBUG.
The message "mod_asis: ap_pass_brigade failed for file ..." was logged with
the level ERROR. This log level is inappropriate here, because a client can
trigger this log message by aborting the request.
Most other modules don't log at all or use the log level DEBUG when
ap_pass_brigade() fails.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes#527
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924954 13f79535-47bb-0310-9956-ffa450edef68
- Fixed bug in handling overlong response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924145 13f79535-47bb-0310-9956-ffa450edef68
dav_fs_dir_file_name() will not set *fname_p to NULL on failure,
and all callers of dav_fs_dir_file_name() do not check the
return value of dav_fs_dir_file_name(), which could lead to
undefined behavior with respect to fname_p.
Fix this by adding a return value check of dav_fs_dir_file_name().
Submitted by: Zhou Qingyang <zhou1615 umn.edu>
Github: closes#309
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923813 13f79535-47bb-0310-9956-ffa450edef68
older and newer curl versions. Only a change in logging,
no function module change.
Newer curl sends a GOAWAY on connection shutdown, which
triggers another code path that the test did not expect.
Thanks to Rainer Jung for tracking this down.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923187 13f79535-47bb-0310-9956-ffa450edef68
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923148 13f79535-47bb-0310-9956-ffa450edef68