Hi everyone,
OpenSSL 3.0 is the latest major version of OpenSSL. Is there any plan to officially release Apache 2.4.xx or 2.5.xx with OpenSSL 3.0? Thanks
Yes, I do plan on providing Apache with OpenSSL 3.0.x but only in x64. There are 2 problems.
1. mod_session_crypto does not yet work with OpenSSL 3.0 because of the current APR.
2. My packaging script just does not want to recognize it.
I am working on #2, I tried but it still doesn't seem to want to work so I will have to rewrite that section of it. #1 will have to wait until the a new version of APR comes out. When I get #2 sorted I will have it available then and will work on that this week as time permits.
Thanks for your response. I'm looking forward to hearing the good news.
Quote from: Gregg on July 26, 2022, 07:57:27 PM2. My packaging script just does not want to recognize it.
Let me know if I can help ;)
Just downloaded Apache 2.4.54 w/OpenSSL 3.0.5. Works perfect. Thank you Gregg.
@Gregg.
Thanks so much for the new Apache 2.4.54 w/OpenSSL 3.0.5
Hi, with the new Threat Advisor by Open SSl about the vulnerabilities of Open SSL 3.x https://www.openssl.org/news/secadv/20221101.txt
will be a new release of Apache Haus with OpenSSL 3.0.7 to fix the vulnerability?
thanks a lot for your great work.
I'm working on them now. I will put them online, as well as openssl 1.1.1s and Libressl 3.6.1 as soon as I am done.
That OpenSSL issue is valid if you use certs for authentication. Otherwise it isn't that quick needed.
Hello,
Any schedule for OpenSSL 3.0.8 fixing high severity issue CVE-2023-0286
https://www.openssl.org/news/secadv/20230207.txt
Thank you
Hi Marc,
due to a personal covid situation, it might take a while until we are able to make the build. Thank you for your patience.
The OpenSSL issue applies only if you use client certificates for authentication.
While waiting for a new package, perhaps switching to the current LibreSSL package is an option? It seems to have fewer security issues than OpenSSL.
We are sorry, but Apache Haus project is on hold (https://forum.apachehaus.com/announcements/apache-haus-project-is-on-hold/).
In the meantime, you can get updates from Apache Lounge. Their binaries are 100% compatible with ours.
Thank you Mario.
I've switched to Apache Lounge and it's fine.
Take care,
Marc