User profile for user: labuss1
labuss1 Author
User level: Level 1
10 points

Upgrade versions of Apache and OpenSSL (LibreSSL)

Hi All - Currently macOS 14.4.1 installs Apache v2.4.58 and OpenSSL/LibreSSL v3.36. Apache version x.x.58 has several vulnerabilities and is recommended installing version x.x.59. I would also like to call notice to the verion of LibreSSL/OpenSSL being behind as well. Installed version is 3.3.6, current is v3.9.1 I believe. The problem this is creating is not being able to support TLS 1.3 encryptioni n Apache, highest TLS version now is 1.2. Is there anyway to upgrade these components using known Apple methods or am I stuck with downloading the software and installing it in 'non standard" location(s) (for Apple). Thanks in advance. -LB

Posted on May 7, 2024 1:21 PM

Reply
3 replies
User profile for user: MrHoffman
MrHoffman
Community+ 2024
User level: Level 10
117,999 points

May 7, 2024 4:02 PM in response to labuss1

Send your feedback to Apple: Product Feedback - Apple


If you’re a developer, expect to embed your own TLS in your app, if App Transport Security is inappropriate for your particular case. Your own web server too, if that’s needed.


If you’re trying to run a private or test server, what’s installed with macOS is fine, or you can use MAMP or XAMPP packages, or can load your own. MAMP and XAMPP are handy, those include various common add-ons. MAMP Pro, too.


For production, yeah, it gets messy particularly since macOS Server was vaporized a while back; with macOS 10.14 and later. With the end of Server, I generally wouldn’t recommend running macOS as an exposed and production server, mostly due to the effort involved in keeping everything updated manually.


And no, Apple doesn’t provide a way to update just certain parts of macOS itself.

Reply
User profile for user: etresoft
etresoft
User level: Level 8
47,012 points

May 7, 2024 1:51 PM in response to labuss1

Apple maintains its own versions of these apps. Any vulnerabilities that you might hear about may not apply to the Apple version.


Also, macOS isn't designed to be a server. The built-in Apache is useable for basic development and testing, but that's about all. It would not be worthwhile to try to get it setup to serve any secure sites.


When dealing with this kind of security publicity, the best course of action is to ignore it and stop reading those sites. Anything you hear on the internet regarding Apple security is wildly inaccurate and biased.

Reply
User profile for user: labuss1
labuss1 Author
User level: Level 1
10 points

May 7, 2024 4:59 PM in response to MrHoffman

This platform wouldn't have been my first choice, I inherited this beast. Sounds like what I will do is deactivate the macOS included version of Apache and compile my own version, with an up to date version of OpenSSL/LibreSSL and other components. This gives me the flexibility of linking in additional modules if the need arises. Thanks for the advice and help. -LB

Reply

Upgrade versions of Apache and OpenSSL (LibreSSL)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up