Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2019/02/28 19:05:40 UTC

Incomplete communications of OpenSSL 1.1.1 compatibility?

I was just updating PR 63212 and could not point the user at a top-level,
definitive statement that they were trying to accomplish something very
unwise and which they should have known better. Apparently there are few
sources of this information. From http://httpd.apache.org/ ...


Apache httpd 2.4.38 Released 2019-01-22
<http://httpd.apache.org/#apache-httpd-2438-released-2019-01-22>

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce <http://www.apache.org/dist/httpd/Announcement2.4.html> the
release of version 2.4.38 of the Apache HTTP Server ("httpd").

This latest release from the 2.4.x stable branch represents the best
available version of Apache HTTP Server.


This seems to be somewhat unhelpful from a top-level knowledge point of
view, it doesn't indicate that they should choose 2.4.38 over 2.4.37 for
any particular reason, or that they would *need* to choose 2.4.38 if they
wished to have a server running against OpenSSL 1.1.1 and later.

Is there a way to improve communication of "do not use" guidance, outside
of information at http://httpd.apache.org/security/vulnerabilities_24.html
nested two-clicks deep?

I do not see such guidance at http://www.apache.org/dist/httpd/ either, the
Announcement does not suggest anything. Also finding the offending 2.4.37
release still available for download (surely just an oversight.)

Note PR 63212 may be entirely specific to AIX, and may be a side effect of
build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have the
hardware to explore such issues.

Re: Incomplete communications of OpenSSL 1.1.1 compatibility?

Posted by Daniel Ruggeri <dr...@primary.net>.
Updated in r1854645 and published to the site. I made a slight
modification to the line I suggested yesterday to note that TLS 1.3 also
requires openssl-1.1.1.

I've also purged the old release from dist in r32727.

Thanks for the pointers. Have a great weekend!

-- 
Daniel Ruggeri

On 3/1/2019 6:50 AM, Daniel Ruggeri wrote:
> Hi, Bill;
> This is a good observation. I think we should add the line, "Apache
> httpd-2.4.38 or later is required in order to operate a TLS 1.3 web
> server." to the landing page. This is technically noted in the
> changelog, but the visibility of this fact should be improved because
> it is an important feature.
>
> I will update the landing page and remove .37 from dist later today or
> tomorrow morning at the latest (unless someone beats me to it).
> -- 
> Daniel Ruggeri
>
> On February 28, 2019 1:05:40 PM CST, William A Rowe Jr
> <wr...@rowe-clan.net> wrote:
>
>     I was just updating PR 63212 and could not point the user at a
>     top-level, definitive statement that they were trying to
>     accomplish something very unwise and which they should have known
>     better. Apparently there are few sources of this information. From
>     http://httpd.apache.org/ ...
>
>
>       Apache httpd 2.4.38 Released 2019-01-22
>
>     The Apache Software Foundation and the Apache HTTP Server Project
>     are pleased to announce
>     <http://www.apache.org/dist/httpd/Announcement2.4.html> the
>     release of version 2.4.38 of the Apache HTTP Server ("httpd").
>
>     This latest release from the 2.4.x stable branch represents the
>     best available version of Apache HTTP Server.
>
>
>     This seems to be somewhat unhelpful from a top-level knowledge
>     point of view, it doesn't indicate that they should choose 2.4.38
>     over 2.4.37 for any particular reason, or that they would *need*
>     to choose 2.4.38 if they wished to have a server running against
>     OpenSSL 1.1.1 and later.
>
>     Is there a way to improve communication of "do not use" guidance,
>     outside of information at
>     http://httpd.apache.org/security/vulnerabilities_24.html nested
>     two-clicks deep?
>
>     I do not see such guidance at http://www.apache.org/dist/httpd/
>     either, the Announcement does not suggest anything. Also finding
>     the offending 2.4.37 release still available for download (surely
>     just an oversight.)
>
>     Note PR 63212 may be entirely specific to AIX, and may be a side
>     effect of build schema changes of OpenSSL 1.1.1 itself. Sorry I no
>     longer have the hardware to explore such issues.
>
>
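
A check that turns the rule stated in this thread (httpd 2.4.38 or later, built against OpenSSL 1.1.1 or later, before TLS 1.3 is switched on) into a script an operator can run before touching SSLProtocol. This is an added example; it is not code from the httpd project or from either poster. It assumes the build identifies itself with the usual "Apache/x.y.z (Unix) OpenSSL/a.b.c" banner that httpd writes to the error log in its startup notice (the Server response header carries the same string only with ServerTokens Full). The function names, the exit codes and the sample banners at the bottom are this example's own; the banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not httpd project code): apply the rule from this thread,
# httpd >= 2.4.38 built against OpenSSL >= 1.1.1, before enabling TLS 1.3.
# Input is httpd's banner string, e.g. "Apache/2.4.38 (Unix) OpenSSL/1.1.1b",
# as written to the error log at startup. Sample banners below are constructed.

# version_ge A B: succeed when dotted version A is >= B. Components compare
# numerically; a trailing letter such as the "b" in 1.1.1b is ignored, and a
# missing component counts as 0 (so 2.4 == 2.4.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # "1b" + 0 == 1 in awk
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# banner_version BANNER NAME: print the version following "NAME/" in BANNER
# (e.g. NAME=OpenSSL -> 1.1.1b), or nothing if the banner lacks that token.
banner_version() {
    printf '%s\n' "$1" | sed -n "s#.*$2/\([0-9][0-9A-Za-z.]*\).*#\1#p"
}

# tls13_ready BANNER: print "ok" and succeed when TLS 1.3 may be enabled on
# this build; otherwise print the reason and fail (1 = too old, 2 = unknown).
tls13_ready() {
    httpd_ver=$(banner_version "$1" Apache)
    ssl_ver=$(banner_version "$1" OpenSSL)
    if [ -z "$httpd_ver" ]; then
        echo "no Apache/x.y.z token in banner"
        return 2
    fi
    if [ -z "$ssl_ver" ]; then
        echo "no OpenSSL/x.y.z token in banner (mod_ssl not loaded, or a Server header trimmed by ServerTokens)"
        return 2
    fi
    if ! version_ge "$ssl_ver" 1.1.1; then
        echo "OpenSSL $ssl_ver is too old: TLS 1.3 needs OpenSSL 1.1.1 or later"
        return 1
    fi
    if ! version_ge "$httpd_ver" 2.4.38; then
        echo "httpd $httpd_ver with OpenSSL $ssl_ver: use httpd 2.4.38 or later"
        return 1
    fi
    echo ok
}

# Constructed sample banners (not captured from a real host).
for banner in \
    "Apache/2.4.37 (Unix) OpenSSL/1.1.1a" \
    "Apache/2.4.38 (Unix) OpenSSL/1.1.1b" \
    "Apache/2.4.38 (Unix) OpenSSL/1.0.2q" \
    "Apache/2.4.38 (Unix)"
do
    printf '%-38s -> %s\n' "$banner" "$(tls13_ready "$banner")"
done
```

On a live host, pass tls13_ready the banner from the most recent startup notice in the error log rather than a Server header, since the log line always carries the OpenSSL token when mod_ssl is loaded while the header hides it unless ServerTokens is Full. The 2.4.37-plus-1.1.1 combination is reported as "too old" on the httpd side on purpose: it is exactly the pairing this thread wants operators steered away from.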

Re: Incomplete communications of OpenSSL 1.1.1 compatibility?

Posted by Daniel Ruggeri <dr...@primary.net>.
Hi, Bill;
   This is a good observation. I think we should add the line, "Apache httpd-2.4.38 or later is required in order to operate a TLS 1.3 web server." to the landing page. This is technically noted in the changelog, but the visibility of this fact should be improved because it is an important feature.

   I will update the landing page and remove .37 from dist later today or tomorrow morning at the latest (unless someone beats me to it).
-- 
Daniel Ruggeri

On February 28, 2019 1:05:40 PM CST, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>I was just updating PR 63212 and could not point the user at a
>top-level,
>definitive statement that they were trying to accomplish something very
>unwise and which they should have known better. Apparently there are
>few
>sources of this information. From http://httpd.apache.org/ ...
>
>
>Apache httpd 2.4.38 Released 2019-01-22
><http://httpd.apache.org/#apache-httpd-2438-released-2019-01-22>
>
>The Apache Software Foundation and the Apache HTTP Server Project are
>pleased to announce
><http://www.apache.org/dist/httpd/Announcement2.4.html> the
>release of version 2.4.38 of the Apache HTTP Server ("httpd").
>
>This latest release from the 2.4.x stable branch represents the best
>available version of Apache HTTP Server.
>
>
>This seems to be somewhat unhelpful from a top-level knowledge point of
>view, it doesn't indicate that they should choose 2.4.38 over 2.4.37
>for
>any particular reason, or that they would *need* to choose 2.4.38 if
>they
>wished to have a server running against OpenSSL 1.1.1 and later.
>
>Is there a way to improve communication of "do not use" guidance,
>outside
>of information at
>http://httpd.apache.org/security/vulnerabilities_24.html
>nested two-clicks deep?
>
>I do not see such guidance at http://www.apache.org/dist/httpd/ either,
>the
>Announcement does not suggest anything. Also finding the offending
>2.4.37
>release still available for download (surely just an oversight.)
>
>Note PR 63212 may be entirely specific to AIX, and may be a side effect
>of
>build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have
>the
>hardware to explore such issues.