The Apache Haus Forum

Forum Topics => Apache 2.4 => Topic started by: misterB on September 08, 2016, 10:50:10 PM

Title: Apache 2.4 Upgrade OpenSSL to Version 1.1.0
Post by: misterB on September 08, 2016, 10:50:10 PM
Hi!

Environment:
   Apache 2.4.20
   Windows 2012R2

Apache 2.4.20 utilizes OpenSSL 1.0.2h, which has the recent vulnerability finding SWEET32, https://www.openssl.org/blog/blog/2016/08/24/sweet32/. The recommendation is to upgrade OpenSSL to version 1.1.0. Does anyone know how, or has anyone done this type of upgrade in Apache? Or when Apache will have a release with the latest OpenSSL version?

Thanks!

Title: Re: Apache 2.4 Upgrade OpenSSL to Version 1.1.0
Post by: Gregg on September 09, 2016, 01:11:01 AM
No clue when we'll get to 1.1.0.

This looks (reading your link) to be against triple DES ciphers. 1.1.0 will not compile these ciphers in. 1.0.2h is going to move them to MEDIUM, so at that time !MEDIUM in your settings for SSLCipherSuite will disable them. Then again, !3DES in SSLCipherSuite right now should do the same as far as I understand, so add that into yours.
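
Added example, not part of the thread and not Apache Haus code: a small Python lint that reads httpd configuration text and reports, for each SSLCipherSuite directive, whether it carries the `!3DES` exclusion suggested in the reply above. The sample configuration and the function names are constructed for illustration, and the check assumes the single-argument form of the directive as used in Apache 2.4.20.

```python
import re

SAMPLE_CONF = """\
# constructed sample, not from the thread
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<VirtualHost *:443>
    SSLCipherSuite HIGH:!aNULL:!3DES
</VirtualHost>
<VirtualHost *:8443>
    SSLCipherSuite "HIGH:-3DES:!aNULL"
</VirtualHost>
<VirtualHost *:9443>
    sslciphersuite "HIGH:!aNULL:\\
        !MD5"
</VirtualHost>
"""

# Directive names are case-insensitive; commented-out lines do not match.
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+)$", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None

def audit_3des(text):
    """Return (line, verdict, spec) for every SSLCipherSuite directive."""
    findings = []
    for lineno, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        spec = m.group(1).strip().strip('"')
        tokens = [t for t in re.split(r"[:,\s]+", spec) if t]
        verdict = ("ok" if "!3DES" in tokens          # permanently excluded
                   else "weak" if "-3DES" in tokens   # a later token can re-add it
                   else "missing")                    # no explicit 3DES exclusion
        findings.append((lineno, verdict, spec))
    return findings

if __name__ == "__main__":
    for lineno, verdict, spec in audit_3des(SAMPLE_CONF):
        print(f"line {lineno}: {verdict:8} {spec}")
```

The lint is deliberately conservative: a directive that lists only explicit non-3DES suites is still reported as "missing", so treat that verdict as a prompt to review rather than proof of exposure.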