Apache 2.4 Upgrade OpenSSL to Version 1.1.0

Started by misterB, September 08, 2016, 10:50:10 PM

Previous topic - Next topic



   Apache 2.4.20
   Windows 2012R2

Apache 2.4.20 utilizes OpenSSL 1.0.2h, which has the recent vulnerability finding SWEET32, https://www.openssl.org/blog/blog/2016/08/24/sweet32/. The recommendation is to upgrade OpenSSL to version 1.1.0. Does anyone know how or has done this of type of upgrade in Apache? Or when Apache will have a release with the latest OpenSSL version?



No clue when we'll get to 1.1.0.

This looks (reading your link) to be against triple DES cyphers. 1.1.0 will not compile these cyphers in. 1.0.2h is going to move them to MEDIUM so at that time !MEDIUM in your settings for SSLCipherSuite  will disable them. Then again, !3DES in SSLCipherSuite right now should do the same as far as I understand so add that into yours.