Updated in r1854645 and published to the site. I made a slight
modification to the line I suggested yesterday to note that TLS 1.3 also
requires openssl-1.1.1, too.

I've also purged the old release from dist in r32727.

Thanks for the pointers. Have a great weekend!

-- 
Daniel Ruggeri

On 3/1/2019 6:50 AM, Daniel Ruggeri wrote:
> Hi, Bill;
> This is a good observation. I think we should add the line, "Apache
> httpd-2.4.38 or later is required in order to operate a TLS 1.3 web
> server." to the landing page. This is technically noted in the
> changelog, but the visibility of this fact should be improved because
> it is an important feature.
>
> I will update the landing page and remove .37 from dist later today or
> tomorrow morning at the latest (unless someone beats me to it).
> -- 
> Daniel Ruggeri
>
> On February 28, 2019 1:05:40 PM CST, William A Rowe Jr
> <wr...@rowe-clan.net> wrote:
>
>     I was just updating PR 63212 and could not point the user at a
>     top-level, definitive statement that they were trying to
>     accomplish something very unwise and which they should have known
>     better. Apparently there are few sources of this information. From
>     http://httpd.apache.org/ ...
>
>
>       Apache httpd 2.4.38 Released 2019-01-22
>
>     The Apache Software Foundation and the Apache HTTP Server Project
>     are pleased to announce
>     <http://www.apache.org/dist/httpd/Announcement2.4.html> the
>     release of version 2.4.38 of the Apache HTTP Server ("httpd").
>
>     This latest release from the 2.4.x stable branch represents the
>     best available version of Apache HTTP Server.
>
>
>     This seems to be somewhat unhelpful from a top-level knowledge
>     point of view; it doesn't indicate that they should choose 2.4.38
>     over 2.4.37 for any particular reason, or that they would *need*
>     to choose 2.4.38 if they wished to have a server running against
>     OpenSSL 1.1.1 and later.
>
>     Is there a way to improve communication of "do not use" guidance,
>     outside of information at
>     http://httpd.apache.org/security/vulnerabilities_24.html nested
>     two-clicks deep?
>
>     I do not see such guidance at http://www.apache.org/dist/httpd/
>     either, the Announcement does not suggest anything. Also finding
>     the offending 2.4.37 release still available for download (surely
>     just an oversight.)
>
>     Note PR 63212 may be entirely specific to AIX, and may be a side
>     effect of build schema changes of OpenSSL 1.1.1 itself. Sorry I no
>     longer have the hardware to explore such issues.
>
>
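As an added example, not part of the thread or of the httpd project's own tooling: a POSIX shell check that encodes the two prerequisites the thread states for running httpd as a TLS 1.3 server (httpd 2.4.38 or later, OpenSSL 1.1.1 or later). The function names, the version-comparison logic and the sample banner strings are my own assumptions; the banners are constructed to match the first line of `httpd -v` and the output of `openssl version`.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project. Encodes the two
# prerequisites stated above for a TLS 1.3 httpd server: httpd 2.4.38 or
# later, and OpenSSL 1.1.1 or later.

HTTPD_MIN=2.4.38
OPENSSL_MIN=1.1.1

# version_ge A B: succeed if dotted version A >= B, compared numerically
# component by component. A trailing letter suffix such as OpenSSL's "1.1.1b"
# is dropped first, since 1.1.1b is still the 1.1.1 line.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0   # missing components count as 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Pull the bare version out of the banner each tool prints:
#   httpd -v        -> "Server version: Apache/2.4.38 (Unix)"
#   openssl version -> "OpenSSL 1.1.1b  26 Feb 2019"
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
}
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.a-z]*\).*/\1/p'
}

# tls13_prereqs_ok HTTPD_VER OPENSSL_VER: succeed only if both minimums are met.
tls13_prereqs_ok() {
    version_ge "$1" "$HTTPD_MIN" && version_ge "$2" "$OPENSSL_MIN"
}

# Constructed sample banners (not captured from a real host). On a real host
# substitute "$(httpd -v | head -n 1)" and "$(openssl version)".
SAMPLE_HTTPD='Server version: Apache/2.4.37 (Unix)'
SAMPLE_OPENSSL='OpenSSL 1.1.1b  26 Feb 2019'

hv=$(httpd_version_from_banner "$SAMPLE_HTTPD")
ov=$(openssl_version_from_banner "$SAMPLE_OPENSSL")
if tls13_prereqs_ok "$hv" "$ov"; then
    echo "httpd $hv / OpenSSL $ov: TLS 1.3 prerequisites met"
else
    echo "httpd $hv / OpenSSL $ov: upgrade needed (httpd >= $HTTPD_MIN, OpenSSL >= $OPENSSL_MIN)"
fi
```

This only compares version numbers; it does not prove that the running httpd is linked against the OpenSSL the `openssl` binary on the path reports, which can differ on hosts with more than one OpenSSL installed. Treat a passing result as "not ruled out by the version requirement", not as confirmation that TLS 1.3 is negotiated.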
