Thanks Rainer and Rüdiger, When 2.4.43 is GA, I ship it with 1.1.1e.
When 1.1.1f is available : test and wait a week to ship it with 2.4.43. Regards, Steffen > Op 27 mrt. 2020 om 20:33 heeft Rainer Jung <rainer.j...@kippdata.de> het > volgende geschreven: > > Am 27.03.2020 um 19:24 schrieb Steffen: >> A discussion started on Apachelounge about an possible issue with OpenSSL >> 1.1.1e ( https://www.apachelounge.com/viewtopic.php?p=38941#38941 ) >> This is the introduced new EOF in 1.1.1e : >> https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a >> Discussion on OpenSSL is at https://github.com/openssl/openssl/issues/11378 >> I dot understand what is going on, but Daniel Stenberg (Curl) states : The >> "poorly-implemented HTTP/1.1 servers" are still out there and are being >> used. How common? Impossible to say. >> OpenSSL has a Patch with description : >> ... possible application breakage caused by a change in behavior introduced >> in 1.1.1e. It affects at least nginx, which logs error messages such as: >> nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error: >> 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while >> keepalive, client: xxxx, server: [::]:443 >> So looks that nginx is effected. >> My question is : >> *Is Apache effected ? * Looks not, because till now: Apachelounge has more >> then a week 2.4.41 available with 1.1.1e, which is downloaded over 50.000 >> times and no issues reported like this. > > I did a few hundred test suite runs on 5 platforms for the 2.4.42 release > candidate against OpenSSL 1.1.1e and noticed no special new ssl related > errors. > > So either our tests do not detect it or httpd does not have that problem. > > There will be a new OpenSSL 1.1.1f release next week. > > Regards, > > Rainer
