Sorry Guest, you are banned from posting and sending personal messages on this forum.

Error: S4296

This ban is not set to expire.

OpenSSL updated to 1.0.2q, 1.1.0j or 1.1.1a
This OpenSSL update covers 3 low severity vulnerabilities.

Brotli updated to 1.0.7
NGHTTP2 updated to 1.35.0
SQLite updated to 3.25.3

You can get your copy of the new Apache HTTP Server from our download page.

I did, cause I tried on my test server and is refused to start with the dashed names. Even though httpd -S showed not error.

Nope, a copy & paste overlook error.  Got 3, missed one. Oh well, fixed now.

Who knows? However because they're not compatible w/ tls < 1.3 it seems a good guess at least. Funny I never noticed it.

Indded, it is different.. I wonder why. O_o

I wonder why the TLS 1.3 cipher names are with underscore while the other are not?

Shouldn't it be like SSLCipherSuite TLSv1.3 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384 ??

.35 again I guess it is a typo of copy and paste.

If your new to Apache no problem as our OpenSSL 1.1.1 downloads are pre-configured to run Apache capable of handling TLS/1.3 connections.

For those upgrading and will be wanting to keep their current configuration files here's some things you need to know.

1. Apache will run without touching your config but will not connect in TLS/1.3.
2. At minimum you will have to add +TLSv1.3 to your SSLProtocol line because at this point, TLS/1.3 is technically experimental.
3. TLS/1.3 ciphers are not compatible with TLS/1.2 and below so we now have two (2) SSLCipherSuite lines to use;

Code: [Select]

    SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
    SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
4. #3 is still optional, if you just leave your SSLCipherSuite, Apache will use OpenSSL's defaults. This however might affect your current cipher order in TLS <= 1.0.2. I forget because I tested this back in August and think I remember this happening. I put chacha ciphers up front and I was seeing ECDHE-RSA-AES256-GCM-SHA384 in the browser.


Compatible Browsers:

Chrome 70
Firefox 63 (due out soon) and  Firefox Nightly.

Announcing the release of Apache 2.4.37

This version is a new feature version and that single new feature is the ability to speak TLS/1.3 (with OpenSSL 1.1.1 only).
More about the TLS/1.3 in a separate post. People upgrading from a prior OpenSSL version should read it when I've posted it.

This release includes:
APR Version:        1.6.5
APU Version:        1.6.1
Brotli Version:    1.0.6
Jansson Version:    2.11
Libcurl Version:   7.61.1
LibXML2 Version:    2.9.8
LUA Version:        5.1.5
NGHTTP2 Version:    1.34.0
OpenSSL Version:    1.0.2p, 1.1.0i, 1.1.1 or LibreSSL 2.8.2
PCRE Version:       8.42
SQLite3 Version:    3.25.2
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.37

LibreSSL users;

With a new minor version comes new dll filenames. These are
crypto-44.dll, ssl-46.dll and tls-18.dll. Any of these files with a lower number are no longer needed.

http://php.net/supported-versions.php

Q. So what does that mean to our users?
A. For most nothing but for those of you using our VC11 builds, your going to have to upgrade to VC14 builds. Sorry but the only reason we build those is because PHP 5.6 is VC11 also and can be loaded as a module. That said you can run a vc11 module in vc14, you just need both redistibutables loaded. When it comes to PHP running as a module, the OpenSSL versions need to match as well.

There really hasn't been a reason to do vc11 builds for some time now, we just did them because php5.6 has been under php support. That ends when we all cheer in the new year.