On 2025/12/20 22:36, Sören Tempel wrote:
> Hi!
> 
> Starting with OpenBSD 7.8, httpd(8) uses a date format for headers
> (e.g., Last-Modified) that is incompatible with RFC 7231. The RFC 7231
> ABNF grammar rule for IMF-fixdate, which is supposed to be emitted by
> httpd's server_http_time() function looks as follows [1]:

Also still the case with the current standard

https://datatracker.ietf.org/doc/html/rfc9110#http.date

> 	IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT
> 
> Hence, the time zone MUST be GMT. However, starting with OpenBSD 7.8
> Last-Modified headers emitted by httpd instead look as follows:
> 
> 	Last-Modified: Sat, 20 Dec 2025 20:34:14 UTC
> 
> Consequently, this is not compatible with RFC 7231 and rejected by
> conforming clients. The cause here is a change committed by phessler@
> that modified the value of the gmt constant in libc's localtime.c [2].
> 
> An easy solution is to not use the %Z format within server_http_time()
> in the strftime(3) format string and just hardcode GMT instead.

diff is ok sthen

> Considering that this breaks conforming HTTP clients, I would appreciate
> it if this patch would also be considered for a backport to -stable.
> 
> Cheers,
> Sören
> 
> diff --git usr.sbin/httpd/server_http.c usr.sbin/httpd/server_http.c
> index f6412e80bf7..bcea49a6954 100644
> --- usr.sbin/httpd/server_http.c
> +++ usr.sbin/httpd/server_http.c
> @@ -796,7 +796,7 @@ server_http_time(time_t t, char *tmbuf, size_t len)
>  	if (t == -1 || gmtime_r(&t, &tm) == NULL)
>  		return (-1);
>  	else
> -		return (strftime(tmbuf, len, "%a, %d %h %Y %T %Z", &tm));
> +		return (strftime(tmbuf, len, "%a, %d %h %Y %T GMT", &tm));
>  }
>  
>  const char *
> 
> [1]: https://datatracker.ietf.org/doc/html/rfc7231#appendix-D
> [2]: https://github.com/openbsd/src/commit/4282d69da8896f476db477e0b83a24fb8d13f177
>