| Author |
|
SystemsadminAS
Joined: 02 Jun 2026
Posts: 1
|
 Posted: Tue 02 Jun '26 17:35 Post subject: OpenSSL 4 support for apache 2.4.68? |
 |
|
| A number of apps we use have recently begun supporting OpenSSL 4.0 (two of which we proxy through Apache 2.4.67) - couldn't find anything definitive yet, but is it expected in 2.4.68? |
|
| Back to top |
|
Monika
Joined: 29 Apr 2026
Posts: 1
Location: CZ, UH
|
| Posted: Tue 02 Jun '26 20:59 Post subject: Re: OpenSSL 4 support for apache 2.4.68? |
|
|
I always use the latest openssl unofficially.
I am using openssl 4 with apache version 2.4.67:
libcrypto-4-x64.dll
libcrypto-3-x64.dll (renamed libcrypto-4-x64.dll)
libssl-4-x64.dll
libssl-3-x64.dll (renamed libssl-4-x64.dll)
httpd.conf (example in relative usage):
LoadFile "bin/libssl-4-x64.dll"
LoadFile "bin/libcrypto-4-x64.dll"
phpinfo:
| Code: | Apache Version Apache/2.4.67 (Win64) PHP/8.5.6 OpenSSL/4.0.0
...
OpenSSL support enabled
OpenSSL Library Version OpenSSL 4.0.0 14 Apr 2026 |
Apache is running with Openssl 4 on https. |
|
| Back to top |
|
nono303
Joined: 20 Dec 2016
Posts: 232
Location: Lille, FR, EU
|
| Posted: Wed 03 Jun '26 17:20 Post subject: |
|
|
Hi
FYI, I've just had a quick test building httpd 2.4.67 with openssl 4.0.0 and it’s failed as ASN1_STRING has been made opaque
| Code: | modules\ssl\ssl_engine_ocsp.c(42): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_ocsp.c(41): error C2198: 'char *apr_pstrdup(apr_pool_t *,const char *)': too few arguments for call
modules\ssl\ssl_engine_vars.c(700): error C2037: left of 'type' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(700): error C2037: left of 'length' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(701): error C2037: left of 'type' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(701): error C2037: left of 'length' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(706): error C2037: left of 'type' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(707): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(709): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(711): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(711): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(712): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(1031): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
modules\ssl\ssl_engine_vars.c(1037): error C2037: left of 'length' specifies undefined struct/union 'asn1_string_st' |
Applied #642 [2.4.x] Fix OpenSSL 4.0 compat >> build and run fine 
Note that some changes occur on openssl list -tls1_3 -tls-groups & openssl list -tls1_2 -tls-groups that might require some change in your conf
For me, I had to remove sect571r1:sect571k1:sect409k1:sect409r1 from SSLOpenSSLConfCmd Groups |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3195
Location: Hilversum, NL, EU
|
| Posted: Fri 05 Jun '26 16:49 Post subject: |
|
|
OpenSSL 4 introduces support for Encrypted Client Hello (ECH), which has recently been standardized as RFC 9849. The fact that there are many backward-incompatible changes in this version and that it doesn't come with long-term support, probably means that most distributions will skip it. According to the roadmap, the next LTS version is expected about this time next year.
Think we stay with 3 in 2.4.68. |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 448
Location: UK
|
| Posted: Fri 05 Jun '26 17:55 Post subject: |
|
|
| nono303 wrote: | Hi
FYI, I've just had a quick test building httpd 2.4.67 with openssl 4.0.0 and it’s failed as ASN1_STRING has been made opaque
| Code: | modules\ssl\ssl_engine_ocsp.c(42): error C2037: left of 'data' specifies undefined struct/union 'asn1_string_st'
etc...
|
Applied #642 [2.4.x] Fix OpenSSL 4.0 compat >> build and run fine 8)
|
When I try building the full stack (CMake HowTo) with OpenSSL 4.0.0, I get fatal errors from APR-UTIL, which fails since the ENGINE API has been deprecated in OpenSSL 4.
Can you clarify how you're managing to build HTTPD and APR with OpenSSL 4.0.0? |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3195
Location: Hilversum, NL, EU
|
| Posted: Fri 05 Jun '26 21:03 Post subject: |
|
|
Answer from the dev :
The crypto code in apr-util is not yet compatible with OpenSSL 4. The same holds true for mod_md as bundled with httpd 2.4.68-
If you want to build using OpenSSL 4, you would need to disable mod_md and to not enable crypto support in apr-util. As a consequence, only mod_session_crypto would not get build.
I expect we will handle OpenSSL 4 support in apr-util once there will be a new release of it. The small incompatibility in mod_md will hopefully get fixed in the next httpd release.
Best regards,
Rainer
So we stay at openssl 3. |
|
| Back to top |
|
nono303
Joined: 20 Dec 2016
Posts: 232
Location: Lille, FR, EU
|
| Posted: Sat 06 Jun '26 10:59 Post subject: |
|
|
I used apr-util head of 1.7.x and I builded it including crypto module without error
| Code: | ####### BEGIN BUILD apr-util vs18 x64 avx [2026-06-04_09-50-57] #######
** [init] apr-util cmake nocxx
# disabling /std:clatest for C++
> apply apr-util.patch
Applied patch CMakeLists.txt cleanly.
Applied patch cmake/FindMySQL.cmake cleanly.
git branch:1.7.x commit:21d90e0f
-- The C compiler identification is MSVC 19.51.36246.0
...
-- Found LibXml2: C:/sdk/release/vs18_x64-avx/lib/libxml2.lib (found version "2.15.3")
-- Found OpenSSL: C:/sdk/release/vs18_x64-avx/lib/libcrypto.lib (found version "4.0.0")
-- Found Iconv: C:/sdk/release/vs18_x64-avx/lib/libiconv.lib (found version "1.19")
-- Found SQLite3: C:/sdk/release/vs18_x64-avx/lib/libsqlite3.lib (found version "3.53.2")
-- Found MySQL: B:/serveur/mysql/lib/mysqlclient.lib (found version "9.7.0")
--
--
-- APR-Util configuration summary:
--
-- Build type ...................... : RelWithDebInfo
-- Build shared libs ............... : ON
-- Install .pdb (if available)...... : ON
-- Install prefix .................. : C:/sdk/release/vs18_x64-avx
-- Directory for binary files .... : PREFIX/bin
-- Directory for library files ... : PREFIX/lib
-- Directory for include files ... : PREFIX/include
-- C compiler ...................... : C:/sdk/softs/msvs/vs18/VC/Tools/MSVC/14.51.36231/bin/Hostx64/x64/cl.exe
-- DBD ODBC driver ................. : ON
-- DBD SQLite3 driver .............. : ON
-- DBD PostgreSQL .................. : OFF
-- DBD MySQL ....................... : ON
-- APU_HAVE_CRYPTO ................. : ON
-- APU_HAVE_ICONV .................. : ON
-- APR_HAS_LDAP .................... : ON
-- Use Expat ....................... : OFF
-- Use LibXml2 ..................... : ON
-- Build test suite ................ : OFF
-- Configuring done (3.3s)
-- Generating done (0.0s)
-- Build files have been written to: C:/sdk/build/vs18_x64-avx/apr-util
[1/68] Building C object CMakeFiles\libaprutil-1.dir\buckets\apr_buckets_flush.c.obj
...
[61/68] Building C object CMakeFiles\libaprutil-1.dir\crypto\apr_crypto_openssl.c.obj
...
[67/68] Install the project...
-- Install configuration: "RelWithDebInfo"
-- Installing: C:/sdk/release/vs18_x64-avx/lib/libaprutil-1.lib
-- Installing: C:/sdk/release/vs18_x64-avx/bin/libaprutil-1.dll
-- Installing: C:/sdk/release/vs18_x64-avx/bin/libaprutil-1.pdb
...
-- Installing: C:/sdk/release/vs18_x64-avx/include/apr_crypto.h
...
[version] '1.7.0' C:\sdk\release\vs18_x64-avx\bin\libaprutil-1.dll (C:\sdk\src\apr-util\include\apu_version.h)
####### END BUILD apr-util vs18 x64 avx [6820] #######
|
For httpd I patched 2.4.67 with #642 (now closed on 83d565f) and used mod_md 2.6.11 (latest git tag) which also compile against OpenSSL 4 without errors.
I forced a cert renewal and effectively it doesn’t work with mod_md against OpenSSL 4 |
|
| Back to top |
|
