OpenSSL 3.0

Started by tony, July 26, 2022, 04:59:14 AM


tony

Hi everyone,

OpenSSL 3.0 is the latest major version of OpenSSL. Is there any plan to officially release Apache 2.4.xx or 2.5.xx with OpenSSL 3.0? Thanks

Gregg

Yes, I do plan on providing Apache with OpenSSL 3.0.x but only in x64. There are 2 problems.
1. mod_session_crypto does not yet work with OpenSSL 3.0 because of the current APR.
2. My packaging script just does not want to recognize it.

I am working on #2. I tried, but it still doesn't seem to want to work, so I will have to rewrite that section of it. #1 will have to wait until a new version of APR comes out. When I get #2 sorted I will have it available then, and will work on that this week as time permits.

tony

Thanks for your response. I'm looking forward to hearing the good news.

mario

Quote from: Gregg on July 26, 2022, 07:57:27 PM
2. My packaging script just does not want to recognize it.



Let me know if I can help ;)

DnvrSysEngr

Just downloaded Apache 2.4.54 w/OpenSSL 3.0.5.  Works perfect.  Thank you Gregg.

tony

@Gregg.
Thanks so much for the new Apache 2.4.54 w/OpenSSL 3.0.5

impeeza

Hi, with the new Threat Advisor by OpenSSL about the vulnerabilities of OpenSSL 3.x https://www.openssl.org/news/secadv/20221101.txt
will there be a new release of Apache Haus with OpenSSL 3.0.7 to fix the vulnerability?

Thanks a lot for your great work.

Gregg

I'm working on them now. I will put them online, as well as OpenSSL 1.1.1s and LibreSSL 3.6.1, as soon as I am done.

mario

That OpenSSL issue is valid if you use certs for authentication. Otherwise it isn't needed that quickly.

Marc

Hello,

Any schedule for OpenSSL 3.0.8 fixing high severity issue CVE-2023-0286?
https://www.openssl.org/news/secadv/20230207.txt

Thank you

mario

Hi Marc,
Due to a personal COVID situation, it might take a while until we are able to make the build. Thank you for your patience.

The OpenSSL issue applies only if you use client certificates for authentication.

DaveM

While waiting for a new package, perhaps switching to the current LibreSSL package is an option? It seems to have fewer security issues than OpenSSL.

mario

We are sorry, but the Apache Haus project is on hold.

In the meantime, you can get updates from Apache Lounge. Their binaries are 100% compatible with ours.

Marc

Thank you Mario.
I've switched to Apache Lounge and it's fine.

Take care,
Marc