proposed OpenSSL 4.0 API. Notes from PR #551:
This build only supports ECH "shared-mode" where mod_ssl does the ECH
decryption and also hosts both the ECH `public-name` and `backend` web
sites.
## Build
> [!NOTE]
> ECH is not yet a part of an OpenSSL release, our current goal is that ECH be
> part of an OpenSSL 4.0 release in spring 2026.
There is client and server ECH code in the OpenSSL ECH feature branch at
[https://github.com/openssl/openssl/tree/feature/ech](https://github.com/openssl/openssl/tree/feature/ech).
At present, ECH-enabling apache2 therefore requires building from source, using
the OpenSSL ECH feature branch.
## Code changes
- All code changes are within `modules/ssl` and are protected via `#ifdef
HAVE_OPENSSL_ECH`. That's defined in `ssl_private.h` if the included
`ssl.h` defines `SSL_OP_ECH_GREASE`.
- There're a bunch of changes to add the new `SSLECHKeyDir` directive that
are mosly obvious.
- We load the keys from `SSLECHKeyDir` using the `load_echkeys()` function in
`ssl_engine_init.c`. That also ECH-enables the `SSL_CTX` when keys are
loaded, which triggers ECH decryption as needed.
> [!NOTE]
> `load_echkeys()` will include the public component all loaded keys in the ECH
> `retry-configs` in the fallback scenario. If desired, we could add a naming
> convention or additional configuration setting to distinguish which to
> include in `retry-configs` or not. For now, we assume that'd better be done
> in a subsequent PR, if experience shows the feature is really useful/needed.
> (We can envisage some odd deployments where that might be the case, but not
> clear those'd really happen - it'd seem to need loads of key pairs or else
> some that are never published in the DNS that we don't want to expose to
> random clients - neither seems compelling.)
- We add a callback to `SSL_CTX_ech_set_callback` also in `ssl_engine_init.c`.
- We add calls to set the `SSL_ECH_STATUS` etc. variables to the environment
(for PHP etc) in `ssl_engine_kernel.c` and also do the logging of ECH outcomes
(to the error log).
Submitted by: sftcd <stephen.farrell cs.tcd.ie>, rpluem
Github: closes#551
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1928357 13f79535-47bb-0310-9956-ffa450edef68
and more robust fix for the issues with Perl XS builds being cached.
Root cause was likely "ubuntu-latest" changing from 22.04 to 24.04.
Cache keys will now change when that happens again, preventing reuse
of cached builds across OS versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921311 13f79535-47bb-0310-9956-ffa450edef68
CI: Update to latest OpenSSL releases.
CI: Build OpenSSL with RPATH set so that the installed ./bin/openssl works
without LD_LIBRARY_PATH set.
Use LD_RUN_PATH during the httpd build to achieve the same with binaries
from the httpd build, but unset it after so that it doesn't affect running
e.g. php-fpm or perl later. Should fix warning from logs when php-fpm
is executed --
[26-Jul-2024 07:43:34] NOTICE: PHP message: PHP Warning: PHP Startup: Unable to load dynamic library 'curl.so' (tried: /usr/lib/php/20210902/curl.so (/lib/x86_64-linux-gnu/libcurl.so.4: undefined symbol: ENGINE_init, version OPENSSL_3.0.0), /usr/lib/php/20210902/curl.so.so (/usr/lib/php/20210902/curl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
CI: Test that php-fpm works if available before testing.
CI: For paranoia/future debugging, log the OpenSSL version from compile-time
and run-time as reported by mod_ssl.
Github: closes#466
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919524 13f79535-47bb-0310-9956-ffa450edef68
context at startup, since this may vary when httpd is started via
systemd vs being started directly.
* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.
* modules/arch/unix/config5.m4: Detect libselinux.
Have at least one CI job build mod_systemd.
Github: closes#422
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916344 13f79535-47bb-0310-9956-ffa450edef68
should now work correctly (since the version is in the cache key).
For 1.x branches, CLEAR_CACHE must still be used. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916053 13f79535-47bb-0310-9956-ffa450edef68
as a unique key for each job in the matrix, using that as the
cache key and in each artefact upload (otherwise multiple failures
uploading "error_log" overwrite each other).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916051 13f79535-47bb-0310-9956-ffa450edef68
- Add --enable-reduced-exports test.
- test running apachectl -V in the TEST_INSTALL case
- test running httpd -V in the SKIP_TESTING case
- rejig to exit if SKIP_TESTING, un-nest the if block around testing
(no functional change from this part)
Github: closes#405
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1915513 13f79535-47bb-0310-9956-ffa450edef68
described in RFC 8441. A new directive 'H2WebSockets on|off' has been
added. The feature is by default not enabled.
As also discussed in the manual, this feature should work for setups
using "ProxyPass backend-url upgrade=websocket" without further changes.
Special server modules for WebSockets will have to be adapted,
most likely, as the handling if IO events is different with HTTP/2.
HTTP/2 WebSockets are supported on platforms with native pipes. This
excludes Windows.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910507 13f79535-47bb-0310-9956-ffa450edef68
