
Releases: jchampio/apache-websocket

Bug Fixes and CMake Builds

16 Jul 01:23
Pre-release

This is a patch release that also adds improvements to the build and test process. A more complete list of changes is below. This is a pre-release version and should not be deployed in production without first understanding the current list of known issues.

This release maintains binary compatibility with the previous release (tag 0.1.1); however, this being a zero-dot version, the current ABI is not guaranteed to remain stable for future releases.

Major Bug Fixes

  • Extremely fragmented messages no longer cause poor performance and possible DoS conditions (#16). Thanks Paul Spangler!

Minor Bug Fixes

  • The MaxMessageSize directive has been renamed to WebSocketMaxMessageSize, to properly namespace it with the other module directives (#25). The prior spelling is deprecated and will be removed in the next compatibility-breaking release.
  • It is no longer possible to specify a WebSocketMaxMessageSize greater than APR_SIZE_MAX.
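The two size-related fixes above (the fragmentation DoS in #16 and the cap at APR_SIZE_MAX) and the earlier fix that made the limit apply to whole messages rather than fragments (#20) all come down to where the check is made. The following is an added example, not the module's own code, showing the pattern: parse the directive value into a limit that cannot overflow, then enforce it on the reassembled message before any fragment is buffered. SIZE_MAX_64, the class and function names, and the sample fragments are all constructed for this example.

```python
# 1009 is the RFC 6455 "Message Too Big" close status.
CLOSE_MESSAGE_TOO_BIG = 1009
# Stand-in for APR_SIZE_MAX on a 64-bit build (constructed for this example).
SIZE_MAX_64 = 2**64 - 1


def parse_max_message_size(value, size_max=SIZE_MAX_64):
    """Parse the argument of a WebSocketMaxMessageSize directive.

    Refuses anything that is not a positive decimal integer or that does not
    fit in a size_t, so the limit can never wrap when compared to a length.
    """
    if not value.isascii() or not value.isdigit():
        raise ValueError(f"WebSocketMaxMessageSize: not a positive integer: {value!r}")
    limit = int(value)
    if limit == 0 or limit > size_max:
        raise ValueError(f"WebSocketMaxMessageSize: {value} out of range (1..{size_max})")
    return limit


class MessageTooBig(Exception):
    """The message exceeded the limit; close the connection with status 1009."""
    close_code = CLOSE_MESSAGE_TOO_BIG


class MessageAssembler:
    """Reassembles fragmented messages and enforces max_message_size on the
    whole message, not on individual fragments (the behaviour fixed in #20)."""

    def __init__(self, max_message_size):
        self.max_message_size = max_message_size
        # One bytearray grows amortised-linearly, so thousands of tiny
        # fragments cost O(total bytes), not O(fragments * total bytes).
        self._buffer = bytearray()

    def push(self, fin, payload):
        """Feed one fragment. Returns the complete message on the final
        fragment (fin=True) and None while more fragments are expected."""
        # Check before buffering: an oversized message is rejected without
        # ever occupying more than max_message_size bytes of memory.
        if len(self._buffer) + len(payload) > self.max_message_size:
            self._buffer = bytearray()
            raise MessageTooBig(f"message exceeds {self.max_message_size} bytes")
        self._buffer += payload
        if not fin:
            return None
        message = bytes(self._buffer)
        self._buffer = bytearray()
        return message


def fragment_only_limit(fragments, max_message_size):
    """Reconstruction of the pre-#20 behaviour, for contrast: checking each
    fragment in isolation lets a message of any total size through as long
    as every individual piece is under the limit."""
    buffer = bytearray()
    for fin, payload in fragments:
        if len(payload) > max_message_size:
            raise MessageTooBig("fragment too large")
        buffer += payload
    return bytes(buffer)


def assemble(fragments, max_message_size):
    """Run (fin, payload) fragments through a MessageAssembler and return
    the complete messages it produced."""
    assembler = MessageAssembler(max_message_size)
    messages = []
    for fin, payload in fragments:
        message = assembler.push(fin, payload)
        if message is not None:
            messages.append(message)
    return messages


if __name__ == "__main__":
    # Constructed input: one message sent as 100 one-byte fragments, 64-byte limit.
    tiny_fragments = [(False, b"a")] * 99 + [(True, b"a")]
    print("per-fragment check accepted", len(fragment_only_limit(tiny_fragments, 64)), "bytes")
    try:
        assemble(tiny_fragments, 64)
    except MessageTooBig as e:
        print("whole-message check rejected it:", e, "(close code", e.close_code, ")")
```

The check runs before the fragment is appended, which is what keeps memory bounded by the configured limit regardless of how finely a peer chops a message.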

Developer Changes

  • CMake builds are now supported on *nix systems. Thanks @toniotelli!
  • pip requirements for testing have been corrected.
  • There are several improvements to the test infrastructure, for developer sanity.

Other Important Changes

I am no longer testing against httpd 2.2: it's been out of support for more than two years. However, I will not intentionally remove or break code that was designed to function with httpd 2.2 until the first compatibility-breaking release.

Major Known Issues

Do not deploy mod_websocket in production without first understanding the following issues and deploying appropriate countermeasures:

  • A large number of simultaneous connections can DoS the server: #17

Tested Platforms

The following httpd/platform combinations have been tested:

  • httpd 2.4.29 (official package: 64-bit, mpm_event) on Ubuntu 18.04 with gcc 7.5.0
  • httpd 2.4.43 (64-bit, mpm_event) on Ubuntu 18.04 with gcc 7.5.0
  • httpd 2.4.43 (64-bit, mpm_winnt) on Windows 10 with VS2019/UCRT

Bug Fixes and Test Improvements

15 Feb 17:30
Pre-release

This is a patch release that also adds improvements to the build and test process. A more complete list of changes is below. This is a pre-release version and should not be deployed in production without first understanding the current list of known issues.

This release maintains binary compatibility with the previous release (tag 0.1.0); however, this being a zero-dot version, the current ABI is not guaranteed to remain stable for future releases.

Major Bug Fixes

  • mod_reqtimeout no longer prematurely closes idle connections: #4
  • The MaxMessageSize directive now correctly applies to full messages instead of fragments: #20

Developer Changes

  • GNU Autoconf is now in use; developers may generate a configure script to adapt the build to their system.
  • A standalone test server is now launched during the make check test suite. Developers no longer have to modify their httpd installation to test mod_websocket functionality.
  • mod_websocket now passes the Autobahn|TestSuite: #1
  • Upstream pip dependencies on Autobahn|TestSuite have been fixed: #23

Major Known Issues

Do not deploy mod_websocket in production without first understanding the following issues and deploying appropriate countermeasures:

  • A large number of simultaneous connections can DoS the server: #17
  • Extremely fragmented messages cause poor performance and possible DoS conditions: #16

Tested Platforms

The following httpd/platform combinations have been tested:

  • httpd 2.2.22 (official package: 32-bit, mpm_worker) on Ubuntu 12.04 with gcc 4.6.3
  • httpd 2.4.7 (official package: 64-bit, mpm_event) on Ubuntu 14.04 with gcc 4.8.4
  • httpd 2.4.18 (64-bit, mpm_event) on Ubuntu 14.04 with gcc 4.8.4
  • httpd 2.4.17 (64-bit, mpm_winnt) on Windows 7 with MSVC14

Strict Handshake Validation

10 Nov 20:26
Pre-release

The primary goal of this release is to strictly validate incoming handshakes according to the WebSocket specification, and reject those that are malformed. A more complete list of changes is below. This is a pre-release version and should not be deployed in production without first understanding the current list of known issues.

This release maintains binary compatibility with upstream (tag 0.0.0); however, this being a zero-dot version, the current ABI is not guaranteed to remain stable for future releases.

Functional Changes

  • Clients' opening handshakes are now strictly validated, and invalid handshakes are refused:
    • HEAD requests are no longer upgraded
    • Nasty Sec-WebSocket-Version values like 13abcd and +13 are now rejected
    • Clients who try unsupported protocol versions now correctly receive an indication of which versions are supported
    • The Sec-WebSocket-Key is checked for correct format and length
    • Malformed Sec-WebSocket-Protocol headers are rejected
    • "Upgrades" from HTTP/1.0 clients are now correctly ignored
  • Added cross-origin checks for security:
    • Cross-origin connections are now rejected by default
    • Added a WebSocketOriginCheck directive to allow the use of an origin whitelist or disable origin checks entirely
  • Improved the handling of Close frames:
    • Invalid Close frames (bad codes, non-UTF-8 payloads) are now rejected
    • Added a WebSocketAllowReservedStatusCodes directive to allow the use of close codes that are reserved by the RFC
  • WebSocket subprotocols are no longer chosen for a plugin by default
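The handshake and origin rules listed above are easiest to see as one validation routine. The following is an added example written for this page, not mod_websocket's own code: it applies the same checks in the same order (HTTP/1.0 and non-upgrade requests are passed through untouched, HEAD is never upgraded, Sec-WebSocket-Version must be exactly a decimal number and one the server supports, the key must be base64 of 16 bytes, subprotocol names must be valid tokens, and cross-origin requests are refused unless allowlisted or the check is off). The function names, the origin_check mode names "same"/"trusted"/"off", and the sample headers are assumptions made here and are not the module's directive syntax; the key/accept pair is the one from RFC 6455.

```python
import base64
import hashlib
import re

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
SUPPORTED_VERSIONS = ("13",)
_DIGITS_RE = re.compile(r"^[0-9]+$")  # "13abcd", "+13" and " 13" all fail this
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token
SERVER_ORIGIN = "http://server.example.com"  # constructed for this example


class HandshakeError(Exception):
    """The upgrade must be refused; carries the HTTP status to send back."""

    def __init__(self, status, reason, extra_headers=None):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.extra_headers = extra_headers or {}


def validate_handshake(method, http_version, headers, server_origin,
                       origin_check="same", trusted_origins=()):
    """Validate one opening handshake.

    headers: dict keyed by lowercase header name. Returns None when the request
    is not a WebSocket upgrade at all (serve it as ordinary HTTP), raises
    HandshakeError when the upgrade must be refused, and otherwise returns the
    Sec-WebSocket-Accept value. origin_check is "same", "trusted" or "off"
    (names chosen for this example).
    """
    connection_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if (http_version < (1, 1)
            or headers.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in connection_tokens):
        return None  # HTTP/1.0 "upgrades" and plain requests are ignored, not upgraded

    if method != "GET":  # HEAD (and anything else) is never upgraded
        raise HandshakeError(405, "Method Not Allowed")

    version = headers.get("sec-websocket-version", "")
    if not _DIGITS_RE.match(version):
        raise HandshakeError(400, "Bad Request")
    if version not in SUPPORTED_VERSIONS:
        # RFC 6455 section 4.4: tell the client which versions are supported
        raise HandshakeError(426, "Upgrade Required",
                             {"Sec-WebSocket-Version": ", ".join(SUPPORTED_VERSIONS)})

    key = headers.get("sec-websocket-key", "")
    try:
        raw_key = base64.b64decode(key, validate=True)
    except ValueError:
        raise HandshakeError(400, "Bad Request")
    if len(key) != 24 or len(raw_key) != 16:  # base64 of exactly 16 random bytes
        raise HandshakeError(400, "Bad Request")

    if "sec-websocket-protocol" in headers:
        names = [n.strip() for n in headers["sec-websocket-protocol"].split(",")]
        if any(not _TOKEN_RE.match(n) for n in names):
            raise HandshakeError(400, "Bad Request")

    if origin_check != "off":
        allowed = {server_origin.lower()}
        if origin_check == "trusted":
            allowed.update(o.lower() for o in trusted_origins)
        origin = headers.get("origin")
        # A missing Origin cannot be verified, so it is treated like a foreign one.
        if origin is None or origin.lower() not in allowed:
            raise HandshakeError(403, "Forbidden")

    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_outcome(method, http_version, headers, **options):
    """Summarise a handshake as an HTTP status, "accept" or "ignored" (for logging)."""
    try:
        accept = validate_handshake(method, http_version, headers, SERVER_ORIGIN, **options)
    except HandshakeError as e:
        return e.status
    return "ignored" if accept is None else "accept"


# Constructed sample request, using the client key from the RFC 6455 example.
GOOD_HEADERS = {
    "host": "server.example.com",
    "upgrade": "websocket",
    "connection": "Upgrade",
    "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
    "sec-websocket-version": "13",
    "origin": SERVER_ORIGIN,
}

if __name__ == "__main__":
    print("accept:", validate_handshake("GET", (1, 1), GOOD_HEADERS, SERVER_ORIGIN))
    print("HEAD:", handshake_outcome("HEAD", (1, 1), GOOD_HEADERS))
    print("HTTP/1.0:", handshake_outcome("GET", (1, 0), GOOD_HEADERS))
    print("version 13abcd:", handshake_outcome("GET", (1, 1), {**GOOD_HEADERS, "sec-websocket-version": "13abcd"}))
    print("cross-origin:", handshake_outcome("GET", (1, 1), {**GOOD_HEADERS, "origin": "http://other.example"}))
```

Distinguishing "not an upgrade" (return None) from "malformed upgrade" (raise) matters operationally: the former should fall through to normal httpd request handling, while the latter is where the ap_log_* calls mentioned under Developer Changes earn their keep.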

Major Bug Fixes

  • The threading model has been rearchitected to fix crashes for wss:// connections with mod_ssl

Developer Changes

  • Added a Python-based test harness, which includes the Autobahn|TestSuite
  • Added ap_log_* calls to assist with server administration and module debugging
  • Added (experimental) CMake support for Windows builds
  • Removed support for WebSocket draft-76

Major Known Issues

Do not deploy mod_websocket in production without first understanding the following issues and deploying appropriate countermeasures:

  • A large number of simultaneous connections can DoS the server: #17
  • mod_reqtimeout prematurely closes idle connections: #4
  • Extremely fragmented messages cause poor performance and possible DoS conditions: #16

Tested Platforms

The following httpd/platform combinations have been tested:

  • httpd 2.2.22 (32-bit, mpm_worker) on Ubuntu 12.04 with gcc 4.6.3
  • httpd 2.4.17 (64-bit, mpm_event) on Ubuntu 14.04 with gcc 4.8.4
  • httpd 2.4.17 (64-bit, mpm_winnt) on Windows 7 with MSVC14

Upstream (pre-fork)

09 Nov 20:52
Pre-release

The 0.0 release is frozen at the last commit before this repository was forked. It is the last version authored by @disconnect.