
From: Sören Tempel <soeren@soeren-tempel.net>
Subject: httpd: Invalid date formats in headers since 7.8
To: tech@openbsd.org
Cc: phessler@openbsd.org
Date: Sat, 20 Dec 2025 22:36:42 +0100

Hi!

Starting with OpenBSD 7.8, httpd(8) uses a date format for headers
(e.g., Last-Modified) that is incompatible with RFC 7231. The RFC 7231
ABNF grammar rule for IMF-fixdate, which is supposed to be emitted by
httpd's server_http_time() function, looks as follows [1]:

	IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT

Hence, the time zone MUST be GMT. However, starting with OpenBSD 7.8,
Last-Modified headers emitted by httpd instead look as follows:

	Last-Modified: Sat, 20 Dec 2025 20:34:14 UTC

Consequently, this is not compatible with RFC 7231 and rejected by
conforming clients. The cause here is a change committed by phessler@
that modified the value of the gmt constant in libc's localtime.c [2].

An easy solution is to not use the %Z format within server_http_time()
in the strftime(3) format string and just hardcode GMT instead.
Considering that this breaks conforming HTTP clients, I would appreciate
it if this patch would also be considered for a backport to -stable.

Cheers,
Sören

diff --git usr.sbin/httpd/server_http.c usr.sbin/httpd/server_http.c
index f6412e80bf7..bcea49a6954 100644
--- usr.sbin/httpd/server_http.c
+++ usr.sbin/httpd/server_http.c
@@ -796,7 +796,7 @@ server_http_time(time_t t, char *tmbuf, size_t len)
 	if (t == -1 || gmtime_r(&t, &tm) == NULL)
 		return (-1);
 	else
-		return (strftime(tmbuf, len, "%a, %d %h %Y %T %Z", &tm));
+		return (strftime(tmbuf, len, "%a, %d %h %Y %T GMT", &tm));
 }
 
 const char *
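Review bot: the literal GMT on the + line has no comment explaining why %Z must not come back; it is only correct because tm is filled by gmtime_r() two lines above, so a one-line comment stating that RFC 7231 IMF-fixdate requires the literal "GMT" would keep this from regressing the next time the format string is touched. The remaining %a and %h conversions are locale-dependent in strftime(3), so the same comment could record that the output relies on the C locale. It is also worth confirming that callers treat a 0 return from strftime (buffer too small) as a failure in the same way as the -1 returned on the gmtime_r() error path.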

[1]: https://datatracker.ietf.org/doc/html/rfc7231#appendix-D
[2]: https://github.com/openbsd/src/commit/4282d69da8896f476db477e0b83a24fb8d13f177
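
An added example (not part of the mail or of httpd's source): a strict syntax check for the IMF-fixdate rule quoted above, of the kind a regression test could run against a server's Last-Modified or Date value, next to a formatter that hardcodes GMT. The function names are hypothetical, and the timestamp in main() is constructed to match the header quoted in the mail.

```c
#define _POSIX_C_SOURCE 200809L	/* for gmtime_r() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Return 1 if the 3 bytes at s equal one of the 3-letter names in list. */
static int name_in(const char *s, const char *list)
{
	for (; *list != '\0'; list += 3)
		if (strncmp(s, list, 3) == 0)
			return 1;
	return 0;
}

/* Syntax-only check of the 29-byte IMF-fixdate form (no range checks). */
int is_imf_fixdate(const char *s)
{
	/* 'A' = name letter (checked below), 'D' = digit, the rest literal. */
	static const char shape[] = "AAA, DD AAA DDDD DD:DD:DD GMT";
	size_t i;
	if (strlen(s) != sizeof(shape) - 1)
		return 0;
	for (i = 0; shape[i] != '\0'; i++)
		if (shape[i] == 'D' ? !isdigit((unsigned char)s[i]) :
		    (shape[i] != 'A' && s[i] != shape[i]))
			return 0;
	return name_in(s, "MonTueWedThuFriSatSun") &&
	    name_in(s + 8, "JanFebMarAprMayJunJulAugSepOctNovDec");
}

/* Format t with a literal "GMT" instead of %Z; returns 0 on failure. */
size_t format_http_date(time_t t, char *buf, size_t len)
{
	struct tm tm;
	if (t == (time_t)-1 || gmtime_r(&t, &tm) == NULL)
		return 0;
	return strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", &tm);
}

int main(void)
{
	/* Header value quoted in the mail; the timestamp below is constructed. */
	const char *seen = "Sat, 20 Dec 2025 20:34:14 UTC";
	char buf[64] = "";
	format_http_date(1766262854, buf, sizeof(buf));
	printf("%s -> %d\n%s -> %d\n", seen, is_imf_fixdate(seen),
	    buf, is_imf_fixdate(buf));
	return 0;
}
```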