Text only | Text with Images

The Apache Haus Forum

Forum Topics => News & General Discussion => Topic started by: tony on July 26, 2022, 04:59:14 AM

Title: OpenSSL 3.0
Post by: tony on July 26, 2022, 04:59:14 AM
Hi everyone,

OpenSSL 3.0 is the latest major version of OpenSSL. Is there any plan to officially release Apache 2.4.xx or 2.5.xx with OpenSSL 3.0? Thanks
Title: Re: OpenSSL 3.0
Post by: Gregg on July 26, 2022, 07:57:27 PM
Yes, I do plan on providing Apache with OpenSSL 3.0.x but only in x64. There are 2 problems.
1. mod_session_crypto does not yet work with OpenSSL 3.0 because of the current APR.
2. My packaging script just does not want to recognize it.

I am working on #2, I tried but it still doesn't seem to want to work so I will have to rewrite that section of it. #1 will have to wait until the a new version of APR comes out. When I get #2 sorted I will have it available then and will work on that this week as time permits.
Title: Re: OpenSSL 3.0
Post by: tony on July 27, 2022, 05:16:30 AM
Thanks for your response. I'm looking forward to hearing the good news.
Title: Re: OpenSSL 3.0
Post by: mario on July 27, 2022, 08:38:36 AM
Quote from: Gregg on July 26, 2022, 07:57:27 PM2. My packaging script just does not want to recognize it.



Let me know if I can help ;)
Title: Re: OpenSSL 3.0
Post by: DnvrSysEngr on August 01, 2022, 03:37:06 AM
Just downloaded Apache 2.4.54 w/OpenSSL 3.0.5.  Works perfect.  Thank you Gregg.
Title: Re: OpenSSL 3.0
Post by: tony on August 01, 2022, 06:28:27 AM
@Gregg.
Thanks so much for the new Apache 2.4.54 w/OpenSSL 3.0.5
Title: Re: OpenSSL 3.0
Post by: impeeza on November 04, 2022, 04:30:18 PM
Hi, with the new Threat Advisor by Open SSl about the vulnerabilities of Open SSL 3.x https://www.openssl.org/news/secadv/20221101.txt
will be a new release of Apache Haus with OpenSSL 3.0.7 to fix the vulnerability?

thanks a lot for your great work.
Title: Re: OpenSSL 3.0
Post by: Gregg on November 05, 2022, 02:05:00 AM
I'm working on them now. I will put them online, as well as openssl 1.1.1s and Libressl 3.6.1 as soon as I am done.
Title: Re: OpenSSL 3.0
Post by: mario on November 07, 2022, 02:54:54 PM
That OpenSSL issue is valid if you use certs for authentication. Otherwise it isn't that quick needed.
Title: Re: OpenSSL 3.0
Post by: Marc on February 20, 2023, 10:28:50 AM
Hello,

Any schedule for OpenSSL 3.0.8 fixing high severity issue CVE-2023-0286
https://www.openssl.org/news/secadv/20230207.txt

Thank you
Title: Re: OpenSSL 3.0
Post by: mario on February 22, 2023, 09:14:11 AM
Hi Marc,
due to a personal covid situation, it might take a while until we are able to make the build. Thank you for your patience.

The OpenSSL issue applies only if you use client certificates for authentication.
Title: Re: OpenSSL 3.0
Post by: DaveM on February 23, 2023, 08:39:45 PM
While waiting for a new package, perhaps switching to the current LibreSSL package is an option?  It seems to have fewer security issues than OpenSSL. 
Title: Re: OpenSSL 3.0
Post by: mario on February 27, 2023, 12:19:34 PM
We are sorry, but Apache Haus project is on hold (https://forum.apachehaus.com/announcements/apache-haus-project-is-on-hold/).

In the meantime, you can get updates from Apache Lounge. Their binaries are 100% compatible with ours.
Title: Re: OpenSSL 3.0
Post by: Marc on March 07, 2023, 08:32:00 AM
Thank you Mario.
I've switched to Apache Lounge and it's fine.

Take care,
Marc
Text only | Text with Images