Apache 2.2.16 is currently the "best available version" of the HTTP Server. I made some changes to the source and need to recompile with OpenSSL. My question is, should I use OpenSSL 0.9.8o or OpenSSL 1.0.0a? The latter is a more recent, major release, but Apache couples HTTPD 2.2.16 with OpenSSL 0.9.8o in their binary offering. See "Win32 Binary including OpenSSL 0.9.8o (MSI Installer)" on the download page.

There is little to no documentation regarding Apache's decision here.

+1  A: 

It seems best to use the same version of OpenSSL that was used with the original build of Apache that you are using. There is a small chance (probably very small but possibly non-zero) that there might be some dependency on the specific version of OpenSSL. For example, the change log does indicate there is at least one bug fix that could result in requiring a change if the application worked around it (search for "old buggy behaviour" on that change log page). I am only using this as an example; I have absolutely no idea if Apache even uses BIO_pop and BIO_push. But it is this type of thing that could cause difficulty if you change the versions without knowing more about how it is used.

Note that the v0.9x versions of OpenSSL are real releases and in wide use. It shouldn't be an issue just because it pre-dates v1.x.

Mark Wilkins
Thanks. The changelog link above refers to "Changes between 1.0.0b and 1.0.1", and I am referring to 0.9.8o. I agree with your sentiment but was looking for something a little more tangible, like Apache's reasoning for bundling with the earlier version. My thought is, that's what they developed and tested with. It's just not written anywhere.
rob
@rob, I checked again. That particular entry falls in the section titled 'Changes between 0.9.8n and 1.0.0'. Unless I am just confused about what I see in there. Nonetheless, it is those types of things that would worry me if I were considering changing it (whether or not I am looking in the correct section). I think your statement about what they tested with is probably accurate.
Mark Wilkins
A: 

I posed this question on the Apache HTTPD user list as well. They said the Windows package was put together by a third party, and that either version will work. So we will move forward with 1.0.0a.

From Apache user list:

Apache HTTP Server 2.2.16 should build against either OpenSSL 0.9.8 or OpenSSL 1.0.  Let us know if you experience otherwise.  

> OpenSSL 0.9.8o in their binary offering. See "Win32 Binary including OpenSSL 0.9.8o (MSI Installer)" on the download page.

The Windows binary is not a release by the Apache Software Foundation, but a courtesy offering.  The person who built that decided to include the 0.9.8o version, which is entirely up to him.

rob
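A check worth running after a rebuild like this, added here as an example and not taken from the thread or from Apache: decode OpenSSL's packed version number and compare the release the code was compiled against with the one actually loaded, since headers from one release and libraries from another can both be present on a machine. The function names are hypothetical and the two constants are constructed sample inputs (the values 0.9.8o and 1.0.0a define as OPENSSL_VERSION_NUMBER).

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL packs its version as 0xMNNFFPPS:
 * major, minor, fix, patch letter (1 = 'a'), status (0xf = release). */
typedef struct { unsigned major, minor, fix, patch, status; } ossl_ver;

static ossl_ver ossl_decode(unsigned long v) {
    ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render as "0.9.8o" / "1.0.0a"; pre-releases get a -dev or -betaN suffix. */
static const char *ossl_format(unsigned long v, char *buf, size_t len) {
    ossl_ver r = ossl_decode(v);
    char letter[2] = "", tag[16] = "";
    if (r.patch >= 1 && r.patch <= 26) letter[0] = (char)('a' + r.patch - 1);
    if (r.status == 0) strcpy(tag, "-dev");
    else if (r.status != 0xf) snprintf(tag, sizeof tag, "-beta%u", r.status);
    snprintf(buf, len, "%u.%u.%u%s%s", r.major, r.minor, r.fix, letter, tag);
    return buf;
}

/* 0: same build; 1: same x.y.z, different patch letter or status;
 * 2: different release line (e.g. 0.9.8 headers with a 1.0.0 library). */
static int ossl_mismatch(unsigned long built, unsigned long loaded) {
    if (built == loaded) return 0;
    return ((built >> 12) == (loaded >> 12)) ? 1 : 2;
}

int main(void) {
    /* Constructed inputs. In a real build these would be
     * OPENSSL_VERSION_NUMBER (headers) and SSLeay() (loaded library). */
    unsigned long built = 0x009080ffUL, loaded = 0x1000001fUL;
    char a[32], b[32];
    printf("built against %s, loaded %s, mismatch level %d\n",
           ossl_format(built, a, sizeof a), ossl_format(loaded, b, sizeof b),
           ossl_mismatch(built, loaded));
    return 0;
}
```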