In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module

At almost 26 years old, the Apache HTTP Server, known as httpd, has a memory problem: it is written in C, a language known among other things for its lack of memory safety.

C requires programmers to pretty much manage computer memory themselves, which they don’t always do very well. And poor memory management can lead to memory errors like buffer overflows, null pointer dereferencing, and use-after-free() issues. The recent Libgcrypt bug offers an example of how C code snafus can cause problems.

The httpd server has had memory safety bugs before, and because it’s still widely used, accounting for about a third of the web servers, the Internet Security Research Group (ISRG) has decided to institute a repair program.

The San Francisco-based non-profit, which oversees Let’s Encrypt, is backing an effort to revitalize the venerable server software with a fresh coat of Rust, much as it did for curl last year.


Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble


One of the primary virtues of the Rust programming language is that it can be used in a way that’s memory safe, thereby preventing various potential errors from making their way into production code. Rust will block at build time any unintentionally unsafe operations, thanks to its concept of ownership among other things. For widely used C-based software like httpd, the next best thing is a rewrite of critical networking components.

“We currently live in a world where deploying a few million lines of C code on a network edge to handle requests is standard practice, despite all of the evidence we have that such behavior is unsafe,” said executive director Josh Aas in a blog post seen ahead of publication by The Register. “Our industry needs to get to a place where deploying code that isn’t memory safe to handle network traffic is widely understood to be dangerous and irresponsible.”

Toward that end, ISRG has arranged to have Google fund the creation of a new TLS module for ​httpd​ called ​mod_tls, to replace mod_ssl. The commissioned module will rely on the Rust TLS module instead of OpenSSL, which is written mostly in C. It won’t immediately replace mod_ssl but the hope is that mod_tls will eventually become the default.

“Apache httpd is still a critically important piece of infrastructure, 26 years after its inception,” said Brian Behlendorf, executive director of the open source Hyperledger project and co-creator of Apache, in a statement. “As an original co-developer, I feel a serious revamp like this has the potential to protect a lot of people and keep httpd relevant far into the future.”

ISRG has enlisted ​Stefan Eissing​ of G​reenbytes​ to do the development work. Eissing​ shouldn’t have to spend much time familiarizing himself with the httpd source given that he already commits code to the httpd project.

Asked why ISRG is fixing Apache’s plumbing instead of leaving repairs to the Apache Foundation, Aas said, “We wanted to get this work done so we found a way to do it. We don’t know if this kind of work is something the ASF does. While we did coordinate with Apache community members, we did not coordinate with the ASF itself.”

Aas said there wasn’t any specific Apache bug that motivated the initiative. “This work was motivated by a general risk profile,” he said, adding, “We would love to see Nginx, and any other popular infrastructure software written in C or C++, undertake similar work.” ®