From: Stuart Henderson Subject: Re: httpd: Invalid date formats in headers since 7.8 To: Sören Tempel Cc: tech@openbsd.org, phessler@openbsd.org Date: Sat, 20 Dec 2025 22:52:17 +0000 On 2025/12/20 22:36, Sören Tempel wrote: > Hi! > > Starting with OpenBSD 7.8, httpd(8) uses a date format for headers > (e.g., Last-Modified) that is incompatible with RFC 7231. The RFC 7231 > ABNF grammar rule for IMF-fixdate, which is supposed to be emitted by > httpd's server_http_time() function looks as follows [1]: Also still the case with the current standard https://datatracker.ietf.org/doc/html/rfc9110#http.date > IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT > > Hence, the time zone MUST be GMT. However, starting with OpenBSD 7.8 > Last-Modified headers emitted by httpd instead look as follows: > > Last-Modified: Sat, 20 Dec 2025 20:34:14 UTC > > Consequently, this is not compatible with RFC 7231 and rejected by > conforming clients. The cause here is a change committed by phessler@ > that modified the value of the gmt constant in libc's localtime.c [2]. > > An easy solution is to not use the %Z format within server_http_time() > in the strftime(3) format string and just hardcode GMT instead. diff is ok sthen > Considering that this breaks conforming HTTP clients, I would appreciate > it if this patch would also be considered for a backport to -stable. > > Cheers, > Sören > > diff --git usr.sbin/httpd/server_http.c usr.sbin/httpd/server_http.c > index f6412e80bf7..bcea49a6954 100644 > --- usr.sbin/httpd/server_http.c > +++ usr.sbin/httpd/server_http.c > @@ -796,7 +796,7 @@ server_http_time(time_t t, char *tmbuf, size_t len) > if (t == -1 || gmtime_r(&t, &tm) == NULL) > return (-1); > else > - return (strftime(tmbuf, len, "%a, %d %h %Y %T %Z", &tm)); > + return (strftime(tmbuf, len, "%a, %d %h %Y %T GMT", &tm)); > } > > const char * > > [1]: https://datatracker.ietf.org/doc/html/rfc7231#appendix-D > [2]: https://github.com/openbsd/src/commit/4282d69da8896f476db477e0b83a24fb8d13f177 >