Tomorrow (March 4th) in the afternoon sometime my time I will be putting up new downloads of Apache 2.2.31 and 2.4.18 and OpenSSL 1.0.2g updates and 1.0.1s (VC11 only) downgrades. You will notice there are no longer any OpenSSL 0.9.8 downgrades.
OpenSSL 0.9.8 and 1.0.0 versions have gone End of Life and there is no longer any development on these versions. Because OpenSSL is a security layer, you want to keep that up to date ... don't you? You can't when your hanging onto OpenSSL 0.9.8.
So What can you do? The most common reason you need to keep this out of date version is to run PHP 5.3/5.4 as an Apache module (php?apache2_?.dll). You have a few options to choose from to deal with this.
- Use mod_fcgid to run PHP and not php?apache2_?.dll
- Use Jan-E's Unofficial PHP Thread Safe Releases (https://www.apachelounge.com/viewtopic.php?t=6359&start=0&postdays=0&postorder=asc) which always use the most recent version of OpenSSL 1.0.2 (currently 1.0.2g). Jan has been providing these builds for a couple years now and are used by many.
- * Not Recommended * Keep a backup of your OpenSSL 0.9.8 files /bin/libeay32.dll, /bin/openssl.exe, /bin/ssleay32.dll, /conf/openssl.cnf and /modules/mod_ssl.so. Use your backups to restore these after an Apache upgrade.
While you do not have to do anything different just yet because you do not have to worry about these updates tomorrow. You should start preparing for the inevitable in the coming weeks when I expect to see Apache 2.4.19 come around. There will be no more OpenSSL 0.9.8 downgrades available made available for any version of Apache.