Updating to Apache 2.4.12.

   Apache HTTP Server 2.4.12 was released. It includes four security patches for CVE-2014-3583, CVE-2014-3581, CVE-2014-8109 and CVE-2013-5704. In the httpd-ssl.conf the following lines were added. There was no release of 2.4.11.

  • # OCSP Stapling (requires OpenSSL 0.9.8h or later)
    #
    # This feature is disabled by default and requires at least
    # the two directives SSLUseStapling and SSLStaplingCache.
    # Refer to the documentation on OCSP Stapling in the SSL/TLS
    # How-To for more information.
    #
    # Enable stapling for all SSL-enabled servers:
    #SSLUseStapling On

    # Define a relatively small cache for OCSP Stapling using
    # the same mechanism that is used for the SSL session cache
    # above. If stapling is used with more than a few certificates,
    # the size may need to be increased. (AH01929 will be logged.)
    #SSLStaplingCache “shmcb:c:/Apache24/logs/ssl_stapling(32768)”

    # Seconds before valid OCSP responses are expired from the cache
    #SSLStaplingStandardCacheTimeout 3600

    # Seconds before invalid OCSP responses are expired from the cache
    #SSLStaplingErrorCacheTimeout 600

   The version was built with openssl-1.0.1l, so the issues told by OpenSSL Security Advisory [08 Jan 2015] were fixed.

   I downloaded httpd-2.4.12-win32-VC11.zip from the ApacheLounge for my Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.’.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.