Great thanks for the info! Where can I find out when apache.org will be bundling the latest version of OpenSSL with apache? PCI compliance calls for using level "u" as of today.
Brad Finkeldei "William A. Rowe Jr." <wr...@rowe-clan.net> 04/24/2012 03:49 PM Please respond to users@httpd.apache.org To users@httpd.apache.org cc Subject Re: [users@httpd] Upgrading OpenSSL without upgrading Apache. Can it be done??? On 4/24/2012 3:09 PM, TFML wrote: > I'm assuming you're using some sort of Windows operating system. I haven't done one in a > few years, but I would assume the 1.0 version > from http://slproweb.com/products/Win32OpenSSL.html should work like installing any other > Windows Installer. If someone else can't answer this, I'd suggest setting up a virtual > environment and giving it a try before doing it on a production system. Just as on unix, you can never drop in a x.y.n change with a new x value. That's called a major bump and usually does not work. OP could obtain a 0.9.8X flavor later than 0.9.8t and aught to be fine so long as no special build options were changed, and it was built to run against msvcrt.dll (the *system* c library). It's the same quandry as on Ubuntu with glibc vs eglibc packages. If OP reviewed the patch release notes, they would be aware that an upgrade is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2. The new features in httpd 2.4 were vulnerable to issues there, however. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
