mod_tls

Prossimo Initiative
mod_tls logo

The Story

The Apache httpd server is an incrediby popular HTTP server. Server software like httpd is security critical because its primary job is to handle network requests and perform complex processing. It's a difficult job to perform securely even without having to worry about managing memory.

Unfortunately, Apache httpd is written in C, so manual memory management is a major concern. Like almost every other HTTP server written in C, it has a long history of memory safety vulnerabilities. The Internet is not going to provide the level of security that we need until the most popular HTTP servers are written in memory safe code.

What We've Done

We contracted with Stefan Eissing to write mod_tls, a new TLS module for Apache httpd that is intended to replace the existing mod_ssl some day. The mod_tls module uses the largely memory safe Rustls TLS library instead of OpenSSL, bringing a much greater degree of security to a critical component of httpd.

What's Next

The mod_tls module is ready for wider testing. Give it a shot if you're running httpd! We hope to have it committed as an experimental module in httpd itself soon.

If we can show that mod_tls works well we hope to bring memory safety to additional httpd modules and get them included in official httpd releases.

Links

From our Blog

February 2, 2021

A Memory Safe TLS Module for the Apache HTTP Server

The Apache HTTP Server, httpd, is an important piece of the Internet’s infrastructure. Hundreds of millions of websites use it every day to serve requests. As such, improvements to httpd security have broad impact.

Funders

Google