Apache 2.2 end of life

Solution 1:

Apache is open source software, which means that is can be maintained by anyone interested in doing this.

Also, Apache is a vital part of every Linux distributions, from which eg. RHEL / CentOS / Oracle Linux 6.x has Apache 2.2 and will be supported up to November 2020. And each distribution maintainers patch bugs in Apache (and other software packages) on their own.

So, the date of REAL end of life for Apache 2.2 is unpredictable.

Solution 2:

Although there is no official end-of-life for Apache 2.2, there are a few measures you can use to determine an appropriate transition time, namely:

  • Feature support (often via modules, e.g. modssl)
  • Adherence to current standards (e.g., TLSv1.2)
  • Availability (back-porting) of bug-fixes
  • Timeliness of security updates (e.g., logjam)

From my perspective, several of these lines have been crossed in the past few years. Specifically, Apache 2.2 with modssl does not have a fix for the logjam vulnerability yet, but Apache 2.4 has had this for some time now.

A few years ago, SNI support was slow to come to Apache 2.2 - it was an Apache 2.4 feature back-ported via an unofficial patch for a long time.

I've been using Apache 2.2 for years, and only decided to begin making the transition to 2.4 a few months ago (one of our servers had an additional SSL requirement that only Apache 2.4 can currently satisfy) so we currently have some 2.2 servers, some 2.4. Ultimately I only want to support a single server stack. Your reasons may vary, but these were the important points for making my decision.


Solution 3:

From http://www.apache.org/dist/httpd/Announcement2.4.html:

Please note that Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are strongly encouraged to promptly complete their transitions to the the 2.4.x flavor of httpd to benefit from a much larger assortment of minor security and bug fixes as well as new features.

Tags:

Apache 2.2