The Apache Haus Forum


Author Topic: Apache 2.4 Upgrade OpenSSL to Version 1.1.0  (Read 2811 times)

misterB

Apache 2.4 Upgrade OpenSSL to Version 1.1.0
« on: September 08, 2016, 10:50:10 PM »

Hi!

Environment:
   Apache 2.4.20
   Windows 2012R2

Apache 2.4.20 utilizes OpenSSL 1.0.2h, which has the recent vulnerability finding SWEET32, https://www.openssl.org/blog/blog/2016/08/24/sweet32/. The recommendation is to upgrade OpenSSL to version 1.1.0. Does anyone know how, or has anyone done this type of upgrade in Apache? Or when Apache will have a release with the latest OpenSSL version?

Thanks!

Gregg

Re: Apache 2.4 Upgrade OpenSSL to Version 1.1.0
« Reply #1 on: September 09, 2016, 01:11:01 AM »

No clue when we'll get to 1.1.0.

This looks (reading your link) to be against triple DES cyphers. 1.1.0 will not compile these cyphers in. 1.0.2h is going to move them to MEDIUM so at that time !MEDIUM in your settings for SSLCipherSuite will disable them. Then again, !3DES in SSLCipherSuite right now should do the same as far as I understand so add that into yours.
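
A way to check the !3DES exclusion discussed in this thread, as an added example that is not part of either post: it pulls every SSLCipherSuite directive out of a config and asks the local OpenSSL which 3DES suites each cipher string still enables. The sample config is constructed and the function names are hypothetical; the result reflects the OpenSSL that Python is linked against, so on a build without 3DES compiled in every line reports none.

```python
import re
import ssl

# Constructed sample of an httpd-ssl.conf; not taken from the thread.
SAMPLE_CONF = """\
# before: no 3DES exclusion
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<VirtualHost *:443>
    # after: the exclusion suggested in the reply
    SSLCipherSuite "HIGH:MEDIUM:!aNULL:!MD5:!3DES"
</VirtualHost>
"""

DIRECTIVE = re.compile(r'^\s*SSLCipherSuite\s+(.+?)\s*$', re.IGNORECASE)

def cipher_specs(conf_text):
    """Yield (line_number, cipher_spec) for each SSLCipherSuite directive."""
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            # The cipher spec is the last argument and may be quoted.
            yield number, match.group(1).split()[-1].strip('"\'')

def triple_des_enabled(spec):
    """Return the 3DES suites the local OpenSSL enables for this spec."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []  # spec selects no cipher at all on this build
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if "Enc=3DES" in c["description"])

def audit(conf_text):
    """Map each directive's line number to the 3DES suites it leaves enabled."""
    return {number: triple_des_enabled(spec)
            for number, spec in cipher_specs(conf_text)}

if __name__ == "__main__":
    for number, suites in audit(SAMPLE_CONF).items():
        print(f"line {number}: {', '.join(suites) or 'no 3DES suites'}")
```
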
