Apache 2.4.26-Dev Win64 -- When Stable?

 
alexjohnb



Joined: 26 Aug 2011
Posts: 19
Location: Middlesex University

Posted: Tue 02 May '17 11:32    Post subject: Apache 2.4.26-Dev Win64 -- When Stable?

Hi Steffen,

When will the "Apache 2.4.26-Dev Win64" be reclassified as a Production release? Or would you advise that if we need to get Apache running on Windows with OpenSSL 1.1.0, then we should deploy this release on a production server?

Many thanks!

Regards,

Alex
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2480
Location: Hilversum, NL, EU

Posted: Tue 02 May '17 12:21

ASF is in the process of getting it final; no crucial changes are expected.
Next month final I expect.

But abs.exe is not working with 1.1.0, that is maybe not a big deal. Hope it is fixed before final.

And mod_session_crypto is only now working with APR & APR-UTIL 1.6, so planned is to ship (as we do now) the next final 2.4.x with APR & APR-UTIL 1.6.1-dev.

Planned:

VC11/14 only with OpenSSL 1.0.2
VC15 only with OpenSSL 1.1.0

This is in line with the PHP-team policy, which we follow:

PHP 7.2 vc15 with OpenSSL 1.1.0
PHP 7.1 vc14 with OpenSSL 1.0.2
PHP 5.6 vc11 with OpenSSL 1.0.2

In principle we could drop VC14 and have only vc15 1.0.2 and 1.1.0:

vc15 is backward compatible to vc14. That means, a vc14 module can sure be used inside vc15 binary. Thus, same for Apache and PHP as module. Regarding OpenSSL - the applink technology I introduced back then is in first place about staying compatible with different CRT. Even if it is promised to provide also compatibility between different versions, we've seen that it's not always true, recall the case where OpenSSL broke ABI by disabling weak ciphers.

Thus - in general dropping is OK, as long as the OpenSSL series matches, say both PHP and Apache are linked with either 1.0, or both with 1.1. For FCGI it of course doesn't matter, but for PHP as module. As httpd.exe provides the applink symbol, the PHP DLL will find it and possibly use incompatible routines. With this in mind, I wouldn't expect any issues if both bins are linked with same OpenSSL series. At Apache Lounge it is tested and no issues.
Jan-E



Joined: 09 Mar 2012
Posts: 732
Location: Amsterdam, NL, EU

Posted: Tue 02 May '17 17:12    Post subject: Re: Apache 2.4.26-Dev Win64 -- When Stable?

alexjohnb wrote:
When will the "Apache 2.4.26-Dev Win64" be reclassified as a Production release? Or would you advise that if we need to get Apache running on Windows with OpenSSL 1.1.0, then we should deploy this release on a production server?

Just curious: why do you need OpenSSL 1.1.0? OpenSSL 1.0.2 has a longer lifetime:
https://www.openssl.org/policies/releasestrat.html
Jan-E



Joined: 09 Mar 2012
Posts: 732
Location: Amsterdam, NL, EU

Posted: Tue 09 May '17 18:06

I did not test it yet, but would it be possible to drop TLSv1 and TLSv1.1 support after switching to OpenSSL 1.1.0?

Somebody in php.internals noticed that quite a bit of websites are switching to TLS v1.2 only.
See https://externals.io/thread/864

BTW: OpenSSL 1.1.1 will be binary compatible with OpenSSL 1.1.0 and support TLS v1.3:
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6143
Location: Germany, Next to Hamburg

Posted: Sun 14 May '17 12:15

Jan-E wrote:
I did not test it yet, but would it be possible to drop TLSv1 and TLSv1.1 support after switching to OpenSSL 1.1.0?


I made some tests over the last weeks with positive results running only TLSv1.2

Only some very old Android users were not able to connect.
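
An added example, not part of any post in this thread: before switching a server to TLSv1.2 only, as discussed in the last two posts, one way to see which clients would be cut off is to log the negotiated protocol with mod_ssl's `%{SSL_PROTOCOL}x` and tally it. The LogFormat, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed LogFormat (not from the thread):
#   LogFormat "%h %{SSL_PROTOCOL}x \"%{User-Agent}i\"" tlsaudit
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<proto>\S+) "(?P<ua>[^"]*)"$')

# Protocols that a TLSv1.2-only server would no longer accept.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.10 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 TLSv1 "Mozilla/5.0 (Linux; U; Android 4.0.4)"
198.51.100.7 TLSv1 "Mozilla/5.0 (Linux; U; Android 4.0.4)"
203.0.113.5 TLSv1.1 "ExampleMonitor/1.0"
192.0.2.44 - "plain-http-healthcheck"
this line is malformed
"""

def audit(log_text):
    """Return (requests per protocol, {legacy client: user agents}, skipped)."""
    per_proto = defaultdict(int)
    legacy_clients = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":   # unparsable, or request was not over TLS
            skipped += 1
            continue
        per_proto[m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_clients[m["host"]].add(m["ua"])
    return dict(per_proto), dict(legacy_clients), skipped

def legacy_share(per_proto):
    """Fraction of TLS requests that used a protocol older than TLSv1.2."""
    total = sum(per_proto.values())
    old = sum(n for p, n in per_proto.items() if p in LEGACY)
    return old / total if total else 0.0

if __name__ == "__main__":
    protos, clients, skipped = audit(SAMPLE_LOG)
    print("requests per protocol:", protos)
    print(f"legacy share: {legacy_share(protos):.0%}, skipped lines: {skipped}")
    for host, agents in sorted(clients.items()):
        print("would be cut off:", host, sorted(agents))
```

Grouping by user agent as well as by address shows whether the legacy traffic comes from real visitors or from a monitoring tool that can simply be upgraded.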