Hi, Bill; This is a good observation. I think we should add the line, "Apache httpd-2.4.38 or later is required in order to operate a TLS 1.3 web server." to the landing page. This is technically noted in the changelog, but the visibility of this fact should be improved because it is an important feature.
I will update the landing page and remove .37 from dist later today or tomorrow morning at the latest (unless someone beats me to it). -- Daniel Ruggeri On February 28, 2019 1:05:40 PM CST, William A Rowe Jr <wr...@rowe-clan.net> wrote: >I was just updating PR 63212 and could not point the user at a >top-level, >definitive statement that they were trying to accomplish something very >unwise and which they should have known better. Apparently there are >few >sources of this information. From http://httpd.apache.org/ ... > > >Apache httpd 2.4.38 Released 2019-01-22 ><http://httpd.apache.org/#apache-httpd-2438-released-2019-01-22> > >The Apache Software Foundation and the Apache HTTP Server Project are >pleased to announce ><http://www.apache.org/dist/httpd/Announcement2.4.html> the >release of version 2.4.38 of the Apache HTTP Server ("httpd"). > >This latest release from the 2.4.x stable branch represents the best >available version of Apache HTTP Server. > > >This seems to be somewhat unhelpful from a top-level knowledge point of >view, it doesn't indicate that they should choose 2.4.38 over 2.4.37 >for >any particular reason, or that they would *need* to choose 2.4.38 if >they >wished to have a server running against OpenSSL 1.1.1 and later. > >Is there a way to improve communication of "do not use" guidance, >outside >of information at >http://httpd.apache.org/security/vulnerabilities_24.html >nested two-clicks deep? > >I do not see such guidance at http://www.apache.org/dist/httpd/ either, >the >Announcement does not suggest anything. Also finding the offending >2.4.37 >release still available for download (surely just an oversight.) > >Note PR 63212 may be entirely specific to AIX, and may be a side effect >of >build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have >the >hardware to explore such issues.
