Updating to Apache 2.4.12.

   Apache HTTP Server 2.4.12 was released. It includes four security patches for CVE-2014-3583, CVE-2014-3581, CVE-2014-8109 and CVE-2013-5704. In the httpd-ssl.conf the following lines were added. There was no release of 2.4.11.

• # OCSP Stapling (requires OpenSSL 0.9.8h or later)
  #
  # This feature is disabled by default and requires at least
  # the two directives SSLUseStapling and SSLStaplingCache.
  # Refer to the documentation on OCSP Stapling in the SSL/TLS
  # How-To for more information.
  #
  # Enable stapling for all SSL-enabled servers:
  #SSLUseStapling On

  # Define a relatively small cache for OCSP Stapling using
  # the same mechanism that is used for the SSL session cache
  # above. If stapling is used with more than a few certificates,
  # the size may need to be increased. (AH01929 will be logged.)
  #SSLStaplingCache “shmcb:c:/Apache24/logs/ssl_stapling(32768)”

  # Seconds before valid OCSP responses are expired from the cache
  #SSLStaplingStandardCacheTimeout 3600

  # Seconds before invalid OCSP responses are expired from the cache
  #SSLStaplingErrorCacheTimeout 600

   The version was built with openssl-1.0.1l, so the issues told by OpenSSL Security Advisory [08 Jan 2015] were fixed.

   I downloaded httpd-2.4.12-win32-VC11.zip from the ApacheLounge for my Windows7 server. If you need the information about Apache 2.4.x configuration on Windows, see my post ‘To create a Wamp-like Web Server in Windows7-#1.’.