Topic: Apache build with Visual Studio 2022 (VS17) download

[Steffen]

Had some spare time and build Apache with Visual Studio 2022 (VS17).

https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.52-win64-VS17-openssl3.0.1.zip

https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.52-win64-VS17-openssl1.1.1m.zip

Build with OpenSSL 3.0.1 and 1.1.1m
LUA upgraded to 5.4.3 (was 5.2.4)
APR fix for the handle leak, see www.apachelounge.com/viewtopic.php?p=40768

Also Included in the .zip:
mod_fcgid
mod_security 2.9.5 with LUA 5.3.6(was 5.2.4) libxml2-2.9.12 pcre-8.45 yajl-2.1.0 curl-7.80.0

Notes on OpenSSL 3.0.1:
- Is not compatible with PHP running as module (see below).
Running with mod_fcgid no issues seen.
- With too weak certificates/ciphers Apache not starts (see below).
Use then the Openssl 1.1.1m download.

Other modules you can use the VS16, compatible.

!! Do not forget to install the Visual C++ Redistributable for Visual Studio 2015-2022 x64 from the VS16 download page.

Build with dependencies:

- openssl 3.0.1 and 1.1.1m
- nghttp2 1.46.0
- jansson 2.14
- curl 7.80.0
- apr 1.7.0 with handle leak fix
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.9
- pcre 8.45
- libxml2 2.9.12
- lua 5.4.3
- expat 2.4.1

Enjoy, Steffen

[dmye]

Failed to configure certificate ,SSL routines::ca md too weak. Does not support sha1

consider build openssl DOPENSSL_TLS_SECURITY_LEVEL=0

[Steffen]

Thanks for testing. OpenSSL advises: I would advise against setting this define at all. The default is 1 for a reason. Allowing weaker security than that is usually a bad idea. Level 0 imposes no restrictions and is potentially insecure. You aren’t very likely to need this level in practice. Level 1 is slightly better but still allows weak elements. You may need this level for interoperability purposes with legacy systems. Level 1 is the default security level in OpenSSL.

See for explanation of the levels https://apaste.info/f9GJ (= \doc\man3\SSL_CTX_set_security_level.pod):
Level 0 - Insecure
Everything is permitted. This retains compatibility with previous versions of
OpenSSL.
Level 1 - Weak
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
are prohibited. All export cipher suites are prohibited since they all offer
less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
using MD5 for the MAC is also prohibited. Note that signatures using SHA1
and MD5 are also forbidden at this level as they have less than 80 security
bits.

Please try build with 1.1.1m. Download in the start post.

[Otomatic]

In each case, exactly the same configuration with PHP as Apache module:
- PHP 7.4.27
LoadModule php7_module "${INSTALL_DIR}/bin/php/php7.4.27/php7apache2_4.dll"
- PHP 8.0.14
LoadModule php_module "${INSTALL_DIR}/bin/php/php8.0.14/php8apache2_4.dll"
- PHP 8.1.1
LoadModule php_module "${INSTALL_DIR}/bin/php/php8.1.1/php8apache2_4.dll"

- Switching from Apache 2.4.52 64bit VS16 to Apache 2.4.52 64bit VS17

php_error.log with PHP 7.4.27

[Steffen]

Thanks for testing. It is known that PHP and Apache can have issues if not the same OpenSSL version.

Users running php with mod_fcgid have no isses.

Please try build with 1.1.1m. Download in the start post.

[Otomatic]

Thank you very much!
No more problems with OpenSSL 1.1.1m with PHP 7,8 and 8.1 both in Apache module and in mod_fcgid.

Have a nice evening.

[admin]

Added the following notes for OpenSSL 3.0.1 in the start post :

Notes on OpenSSL 3.0.1:
- Is not compatible with PHP running as module.
Running with mod_fcgid no issues seen
- With too weak certificates/ciphers Apache not starts.
Use then the Openssl 1.1.1m download