Strict Handshake Validation
Pre-release
The primary goal of this release is to strictly validate incoming handshakes according to the WebSocket specification, and reject those that are malformed. A more complete list of changes is below. This is a pre-release version and should not be deployed in production without first understanding the current list of known issues.
This release maintains binary compatibility with upstream (tag `0.0.0`); however, this being a zero-dot version, the current ABI is not guaranteed to remain stable for future releases.
Functional Changes
- Clients' opening handshakes are now strictly validated, and invalid handshakes are refused:
  - `HEAD` requests are no longer upgraded
  - Nasty `Sec-WebSocket-Version` values like `13abcd` and `+13` are now rejected
  - Clients who try unsupported protocol versions now correctly receive an indication of which versions are supported
  - The `Sec-WebSocket-Key` is checked for correct format and length
  - Malformed `Sec-WebSocket-Protocol` headers are rejected
  - "Upgrades" from HTTP/1.0 clients are now correctly ignored
- Added cross-origin checks for security:
  - Cross-origin connections are now rejected by default
  - Added a `WebSocketOriginCheck` directive to allow the use of an origin whitelist or disable origin checks entirely
- Improved the handling of Close frames:
  - Invalid Close frames (bad codes, non-UTF-8 payloads) are now rejected
  - Added a `WebSocketAllowReservedStatusCodes` directive to allow the use of close codes that are reserved by the RFC
- WebSocket subprotocols are no longer chosen for a plugin by default
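
The handshake checks listed above (request method, HTTP version, `Sec-WebSocket-Version`, `Sec-WebSocket-Key`) can be sketched as follows. This is an added example, not mod_websocket's own code; the function names, the result enum, and the extra zero-padding-bit check on the key are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
enum hs_result { HS_ACCEPT, HS_NOT_UPGRADE, HS_BAD_REQUEST, HS_BAD_VERSION };

/* Strict Sec-WebSocket-Version parse: 1-3 digits, no sign, no leading zero,
 * no trailing bytes, 0..255. -1 if malformed; atoi() would accept "+13". */
static int parse_version(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    int v = 0;
    if (n < 1 || n > 3 || (n > 1 && s[0] == '0')) return -1;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v <= 255 ? v : -1;
}

/* Sec-WebSocket-Key: base64 of exactly 16 bytes = 22 alphabet chars + "==". */
static int key_is_valid(const char *k)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (!k || strlen(k) != 24 || k[22] != '=' || k[23] != '=')
        return 0;
    for (int i = 0; i < 22; i++)
        if (!strchr(b64, k[i])) return 0;
    return strchr("AQgw", k[21]) != NULL; /* assumed extra: zero pad bits */
}

/* Hypothetical driver; the result names are this example's, not the module's. */
enum hs_result check_handshake(const char *method, int http_minor,
                               const char *version, const char *key)
{
    if (strcmp(method, "GET") != 0 || http_minor < 1)
        return HS_NOT_UPGRADE;   /* HEAD and HTTP/1.0 are never upgraded */
    int v = parse_version(version);
    if (v < 0 || !key_is_valid(key))
        return HS_BAD_REQUEST;
    return v == 13 ? HS_ACCEPT : HS_BAD_VERSION; /* reply should list 13 */
}

int main(void)
{
    const char *key = "dGhlIHNhbXBsZSBub25jZQ=="; /* sample key from RFC 6455 */
    printf("%d %d\n", check_handshake("GET", 1, "13", key),
           check_handshake("GET", 1, "+13", key));
    return 0;
}
```
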
Major Bug Fixes
- The threading model has been rearchitected to fix crashes for `wss://` connections with mod_ssl
Developer Changes
- Added a Python-based test harness, which includes the Autobahn|TestSuite
- Added `ap_log_*` calls to assist with server administration and module debugging
- Added (experimental) CMake support for Windows builds
- Removed support for WebSocket draft-76
Major Known Issues
Do not deploy mod_websocket in production without first understanding the following issues and deploying appropriate countermeasures:
- A large number of simultaneous connections can DoS the server: #17
- mod_reqtimeout prematurely closes idle connections: #4
- Extremely fragmented messages cause poor performance and possible DoS conditions: #16
Tested Platforms
The following httpd/platform combinations have been tested:
- httpd 2.2.22 (32-bit, mpm_worker) on Ubuntu 12.04 with gcc 4.6.3
- httpd 2.4.17 (64-bit, mpm_event) on Ubuntu 14.04 with gcc 4.8.4
- httpd 2.4.17 (64-bit, mpm_winnt) on Windows 7 with MSVC14