Apache 2.4.25 LibreSSL 2.5.1 VC14

Started by puertoblack2003, June 15, 2017, 12:21:18 PM


puertoblack2003

I'm currently testing this version. So far everything is working as it should. Now LibreSSL is currently at 2.5.4 https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.4-windows.zip Should I drop the new version into the assigned folder, or do extra steps have to be taken?

Gregg

I thought I put new builds on the download page but it looks like I didn't. I will say there have been no security-related changes in 2.5.2, 2.5.3 or 2.5.4 that I can remember, which is probably why I didn't update the d/l page.

That said, there is bad news for us as Apache 2.4.26 will not build with LibreSSL. It looks like getting Apache & Apr-util compatible with OpenSSL 1.1.0 has broken the option of using LibreSSL. So come tomorrow (Friday my time) or Saturday (unless a problem is found before then) we will be seeing Apache 2.4.26/OpenSSL 1.1.0f instead.

I will post to the dev list about the LibreSSL breakage after 2.4.26 is released. Do not expect any fix to this problem as LibreSSL has never been a "supported" encryption library by the Apache project but we could get lucky.

That said, my initial tests of Apache/OpenSSL 1.1.0 look good and we can continue to do the cha-cha ;D

puertoblack2003

Thanks for the info. If I were to revert back to OpenSSL, will it break anything?

Gregg

I can't see why. The one thing available for Apache/OpenSSL (1.0.2 & 1.1.0) that is not available in Apache/LibreSSL is SSLCompression. Which really doesn't matter if you include it or not because 'Off' is the default and this should never be turned on anyway (BEAST or CRIME or one of the attacks that came out recently needed it on). It will error if used in Apache/LibreSSL.

So while not promising anything, no, it shouldn't mess ya up using your current config. May want to test first side-by-side on a different port before you change the production server over.

We may get Apache/LibreSSL back eventually, we'll just have to wait and see.
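
Added example, not part of the thread or of any Apache Lounge tooling: a small pre-flight check for a config that is moved between an Apache/LibreSSL and an Apache/OpenSSL build, based on the two points made above (SSLCompression errors under Apache/LibreSSL, and should stay Off under Apache/OpenSSL). The function names and the sample config are constructed for illustration.

```python
import re

# Apache directive names are case-insensitive. A commented-out directive starts
# with "#", so it never matches this pattern and is skipped automatically.
_DIRECTIVE = re.compile(r"^\s*SSLCompression\s+(\S+)", re.IGNORECASE)
ERR_LIBRESSL = "directive unavailable in Apache/LibreSSL; httpd will error"
ERR_ENABLED = "TLS compression enabled; set it to Off or remove the line"

def logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended in the middle of a continuation
        yield start, buf

def audit_sslcompression(text, libressl_build):
    """Return (line_number, value, problem) for every active SSLCompression line."""
    findings = []
    for n, line in logical_lines(text):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip('"').lower()
        if libressl_build:
            problem = ERR_LIBRESSL
        else:
            problem = ERR_ENABLED if value == "on" else None
        findings.append((n, value, problem))
    return findings

# Constructed sample config (test port 8443), not taken from the thread.
SAMPLE = """\
Listen 8443
# SSLCompression on
<VirtualHost *:8443>
    SSLEngine on
    sslcompression \\
        On
    SSLCompression Off
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_sslcompression(SAMPLE, libressl_build=False):
        print("line %d: SSLCompression %s -> %s" % finding)
```

Run it against the config before starting the side-by-side test instance; `httpd -t` on the target build remains the authoritative syntax check.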