I'd like to propose we ship apache_2.2.4-win32-x86-openssl-0.9.8d.msi with this release. Couple of notes...
Roy has started the details spelled out at http://www.apache.org/dev/crypto.html and I'm certain he will complete them sometime shortly, here. That's a red flag that prevents us from making this available, even on /dev/dist/ for your evaluation. Trust that I will first upload the proposed package to /dev/dist/ for feedback before it lands in /dist/httpd/binaries/win32/. apache_2.2.4-win32-x86-ssl.msi was the anticipated name. The more I consider how tightly bound such a distribution is to openssl, and the version bound to the various security features in the corresponding release of openssl, the more I think we need an explicit package name. The zlib package used today is stock 1.2.3 with the /Oy- optimization override, to ensure we can read the Dr Watson backtrace for a crash report with or w/o the user deploying .pdb files. It adds .pdb generation (/Zi linked with the /debug /opt:ref flags) which adds no overhead to the binary, but creates a parallel .pdb file. The openssl package will be built also with /Oy- disable to ensure we can read backtraces (even more critical given how we hook into the module!) and also generating .pdb files. It will be configured no-mdc2 no-rc5 no-idea enable-zlib against the zlib package I cited above. (This is not zlib-dynamic!!! That would be a thread-unsafe choice :) Almost any stock build using openssl's own ms/ntdll.mak file will work to replace it, if the user chooses. Install path, like zlib, is private within Apache2\bin\ (that's an aspect of how binary search paths work on win32, where the lib\ directory isn't well suited for loadable libraries.) Note that the package then includes mod_ssl.so, and ab.exe compiled against openssl for https: stress measurement. It also includes openssl.exe for the generation of keys and certs. A final question for all, do we wish to install an arbitrary, on the fly self signed default.crt/default.key? Do we want to help them fill out the details or use stock details? Or do we want them to use openssl.exe to generate one for themselves?
