github jchampio/apache-websocket 0.1.0
Strict Handshake Validation
on GitHub

latest releases: 0.1.2, 0.1.1
pre-release8 years ago

The primary goal of this release is to strictly validate incoming handshakes according to the WebSocket specification, and reject those that are malformed. A more complete list of changes is below. This is a pre-release version and should not be deployed in production without first understanding the current list of known issues.

This release maintains binary compatibility with upstream (tag 0.0.0); however, this being a zero-dot version, the current ABI is not guaranteed to remain stable for future releases.

Functional Changes

  • Clients' opening handshakes are now strictly validated, and invalid handshakes are refused:
    • HEAD requests are no longer upgraded
    • Nasty Sec-WebSocket-Version values like 13abcd and +13 are now rejected
    • Clients who try unsupported protocol versions now correctly receive an indication of which versions are supported
    • The Sec-WebSocket-Key is checked for correct format and length
    • Malformed Sec-WebSocket-Protocol headers are rejected
    • "Upgrades" from HTTP/1.0 clients are now correctly ignored
  • Added cross-origin checks for security:
    • Cross-origin connections are now rejected by default
    • Added a WebSocketOriginCheck directive to allow the use of an origin whitelist or disable origin checks entirely
  • Improved the handling of Close frames:
    • Invalid Close frames (bad codes, non-UTF-8 payloads) are now rejected
    • Added a WebSocketAllowReservedStatusCodes directive to allow the use of close codes that are reserved by the RFC
  • WebSocket subprotocols are no longer chosen for a plugin by default

Major Bug Fixes

  • The threading model has been rearchitected to fix crashes for wss:// connections with mod_ssl

Developer Changes

  • Added a Python-based test harness, which includes the Autobahn|TestSuite
  • Added ap_log_* calls to assist with server administration and module debugging
  • Added (experimental) CMake support for Windows builds
  • Removed support for WebSocket draft-76

Major Known Issues

Do not deploy mod_websocket in production without first understanding the following issues and deploying appropriate countermeasures:

  • A large number of simultaneous connections can DoS the server: #17
  • mod_reqtimeout prematurely closes idle connections: #4
  • Extremely fragmented messages cause poor performance and possible DoS conditions: #16

Tested Platforms

The following httpd/platform combinations have been tested:

  • httpd 2.2.22 (32-bit, mpm_worker) on Ubuntu 12.04 with gcc 4.6.3
  • httpd 2.4.17 (64-bit, mpm_event) on Ubuntu 14.04 with gcc 4.8.4
  • httpd 2.4.17 (64-bit, mpm_winnt) on Windows 7 with MSVC14
Check out latest releases or
releases around jchampio/apache-websocket 0.1.0

Don't miss a new apache-websocket release

NewReleases is sending notifications on new releases.

Get notifications