Updated in r1854645 and published to the site. I made a slight modification to the line I suggested yesterday to note that TLS 1.3 also requires openssl-1.1.1, too.
I've also purged the old release from dist in r32727. Thanks for the pointers. Have a great weekend!

--
Daniel Ruggeri

On 3/1/2019 6:50 AM, Daniel Ruggeri wrote:
> Hi, Bill;
> This is a good observation. I think we should add the line, "Apache httpd-2.4.38 or later is required in order to operate a TLS 1.3 web server." to the landing page. This is technically noted in the changelog, but the visibility of this fact should be improved because it is an important feature.
>
> I will update the landing page and remove .37 from dist later today or tomorrow morning at the latest (unless someone beats me to it).
> --
> Daniel Ruggeri
>
> On February 28, 2019 1:05:40 PM CST, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> I was just updating PR 63212 and could not point the user at a top-level, definitive statement that they were trying to accomplish something very unwise and which they should have known better. Apparently there are few sources of this information. From http://httpd.apache.org/ ...
>
> Apache httpd 2.4.38 Released 2019-01-22
>
> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce <http://www.apache.org/dist/httpd/Announcement2.4.html> the release of version 2.4.38 of the Apache HTTP Server ("httpd").
>
> This latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server.
>
> This seems to be somewhat unhelpful from a top-level knowledge point of view; it doesn't indicate that they should choose 2.4.38 over 2.4.37 for any particular reason, or that they would *need* to choose 2.4.38 if they wished to have a server running against OpenSSL 1.1.1 and later.
>
> Is there a way to improve communication of "do not use" guidance, outside of information at http://httpd.apache.org/security/vulnerabilities_24.html nested two-clicks deep?
>
> I do not see such guidance at http://www.apache.org/dist/httpd/ either; the Announcement does not suggest anything. Also finding the offending 2.4.37 release still available for download (surely just an oversight).
>
> Note PR 63212 may be entirely specific to AIX, and may be a side effect of build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have the hardware to explore such issues.