Conversation

@jwaisner (Contributor) commented Aug 16, 2025

PR Type

Enhancement


Description

  • Add Apache 2.4.65 version configuration files

  • Update build and release properties

  • Configure SSL/TLS support with certificates

  • Set up PHP integration and modules


Diagram Walkthrough

flowchart LR
  A["Apache 2.4.65 Files"] --> B["Configuration Files"]
  A --> C["SSL Configuration"]
  A --> D["PHP Integration"]
  E["Release Properties"] --> F["Version 2.4.65 Entry"]
  G["Build Properties"] --> H["Bundle Release Update"]

File Walkthrough

Relevant files
Configuration changes
bearsampp.conf
Apache 2.4.65 basic configuration setup                                   

bin/apache2.4.65/bearsampp.conf

  • Define Apache version as 2.4.65
  • Set executable and configuration paths
  • Configure HTTP and HTTPS ports
  • Set bundle release placeholder
+8/-0     
httpd-ssl.conf
SSL/TLS configuration for secure connections                         

bin/apache2.4.65/conf/extra/httpd-ssl.conf

  • Complete SSL/TLS configuration for HTTPS
  • Configure SSL certificates and keys
  • Set up virtual host for port 443
  • Define SSL cipher suites and protocols
+236/-0 
httpd-ssl.conf.ber
SSL configuration backup file                                                       

bin/apache2.4.65/conf/extra/httpd-ssl.conf.ber

  • Backup copy of SSL configuration
  • Identical to main SSL config file
  • Preserves original SSL settings
+236/-0 
httpd.conf
Main Apache HTTP server configuration                                       

bin/apache2.4.65/conf/httpd.conf

  • Main Apache HTTP server configuration
  • Load essential modules and PHP integration
  • Configure document root and virtual hosts
  • Set up logging and security directives
+569/-0 
httpd.conf.ber
Main configuration backup with PHP hack                                   

bin/apache2.4.65/conf/httpd.conf.ber

  • Backup of main configuration file
  • Contains additional PHP hack comment
  • Preserves original server settings
+570/-0 
modules.properties
Module properties for FCGID                                                           

bin/apache2.4.65/modules.properties

  • Define FCGID module download URL
  • Reference GitHub release for mod_fcgid
+1/-0     
build.properties
Bundle release version update                                                       

build.properties

  • Update bundle release from 2025.2.9 to 2025.8.15
+1/-1     
releases.properties
Add Apache 2.4.65 release entry                                                   

releases.properties

  • Add Apache 2.4.65 download URL entry
  • Reference GitHub release for version 2.4.65
+1/-0     

…version 2.4.65 and modified SSL configuration in httpd-ssl.conf
@qodo-code-review

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

SSL/TLS hardening:
The SSL config permits weak ciphers (+LOW, +EXP, eNULL) and lacks explicit SSLProtocol restrictions, increasing risk of downgrades and weak encryption. Recommend using a modern cipher suite (e.g., HIGH:!aNULL:!MD5:!3DES:!RC4:!EXP:!eNULL) and setting SSLProtocol to TLSv1.2 TLSv1.3.
Certificate key path: SSLCertificateKeyFile references a .pub file rather than a private key, which will either fail to start or lead to misconfiguration risks; ensure it points to the correct private key with restricted permissions.

⚡ Recommended focus areas for review

Wrong Key File

SSLCertificateKeyFile points to a .pub file, which is typically a public key, not the private key required by Apache. Verify the correct private key path and permissions.

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/localhost.pub"
#SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/server-dsa.key"
#SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/server-ecc.key"
Weak Cipher Suite

SSLCipherSuite allows deprecated/weak options (ALL, +LOW, +EXP, eNULL) and only disables SSLv2/SSLv3 but not TLSv1.0/1.1. Review ciphers and add SSLProtocol to restrict to modern TLS versions.

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC)
#   cipher suites (see RFC 4492) as part of "ALL". Edit this line
#   if you need to disable any of those ciphers.
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:!SSLv2:!SSLv3:+EXP:+eNULL
Access Control

The root Directory block grants access server-wide (Require all granted). Ensure this is intended; typically the filesystem root is more restricted to reduce exposure.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all granted
</Directory>
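A small lint for the three findings above, added here as an example (it is not Bearsampp's or Qodo's code): it scans httpd-ssl.conf text for cipher-string aliases that enable weak or null ciphers, for a missing or legacy-permitting SSLProtocol, and for an SSLCertificateKeyFile that points at a .pub file. The two sample configs are constructed from the directives quoted in this review, one as submitted and one with the suggested fixes applied.

```python
# Constructed sample: the directives as they appear in the PR's httpd-ssl.conf.
WEAK_CONF = """\
Listen 443
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:!SSLv2:!SSLv3:+EXP:+eNULL
SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/localhost.pub"
"""

# Constructed sample: the same block with the review's three suggestions applied.
HARDENED_CONF = """\
Listen 443
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4:!EXPORT:!LOW:!eNULL
SSLHonorCipherOrder on
SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/localhost.key"
"""

# OpenSSL cipher aliases that enable null/export/broken ciphers when listed bare or with '+'.
WEAK_CIPHER_TOKENS = {"ALL", "COMPLEMENTOFALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                      "eNULL", "NULL", "aNULL", "ADH", "RC4", "MD5", "DES", "3DES"}
# SSLProtocol tokens that (re)enable versions below TLS 1.2.
LEGACY_PROTOCOLS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(text):
    """Yield (name, value) for each non-blank, non-comment line of an Apache config."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def lint_ssl_conf(text):
    """Return human-readable findings for the three review points; [] means clean."""
    findings, has_protocol = [], False
    for name, value in directives(text):
        if name == "SSLCipherSuite" and not value.startswith("TLSv1.3"):
            # In an OpenSSL cipher string '!' and '-' remove a token; bare or '+' enables it.
            for tok in value.split(":"):
                if tok[:1] not in ("!", "-") and tok.lstrip("+") in WEAK_CIPHER_TOKENS:
                    findings.append(f"SSLCipherSuite enables weak alias '{tok}'")
        elif name == "SSLProtocol":
            has_protocol = True
            enabled = {t.lstrip("+") for t in value.split() if not t.startswith("-")}
            for proto in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append(f"SSLProtocol allows legacy version '{proto}'")
        elif name == "SSLCertificateKeyFile":
            path = value.strip('"')
            if path.lower().endswith(".pub"):
                findings.append(f"SSLCertificateKeyFile points at a public key file: {path}")
    if not has_protocol:
        findings.append("SSLProtocol not set; mod_ssl's default still permits TLS 1.0 and 1.1")
    return findings
```

Running `lint_ssl_conf` over the submitted config yields six findings (four weak cipher aliases, the .pub key path and the missing SSLProtocol); the hardened config yields none.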

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Fix private key file path

The private key directive points to a .pub file, which is a public key and will
fail to load or expose misconfiguration. Point it to the actual private key file
(e.g., .key) that matches the certificate.

bin/apache2.4.65/conf/extra/httpd-ssl.conf [104]

-SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/localhost.pub"
+SSLCertificateKeyFile "${BEARSAMPP_LIN_PATH}/ssl/localhost.key"
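Review bot: `localhost.key` is a guessed filename; nothing in this PR adds such a file under `${BEARSAMPP_LIN_PATH}/ssl/`, so confirm it exists and matches the certificate named in `SSLCertificateFile` before applying, or httpd will still refuse to start. If the server currently starts with the `.pub` path, inspect that file (for example `openssl pkey -in localhost.pub -noout` succeeds only if it parses as a private key) rather than judging by the extension, and make sure whichever file holds the private key is readable only by the service account.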
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical configuration error where SSLCertificateKeyFile points to a public key file (.pub), which would cause the SSL server to fail on startup.

High
Security
Restrict TLS cipher suites

The configured cipher suite enables obsolete and insecure ciphers (LOW, EXP,
eNULL), weakening HTTPS security and potentially breaking modern clients'
expectations. Restrict to strong ciphers and explicitly disable NULL/EXPORT/LOW
and legacy algorithms. Also prefer server cipher order.

bin/apache2.4.65/conf/extra/httpd-ssl.conf [82]

-SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:!SSLv2:!SSLv3:+EXP:+eNULL
+SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4:!EXPORT:!LOW:!eNULL
+SSLHonorCipherOrder on
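Review bot: `HIGH:!aNULL:!MD5:!3DES:!RC4:!EXPORT:!LOW:!eNULL` still leaves CBC-mode and non-forward-secret RSA key-exchange suites enabled; if the aim is a modern set, an ECDHE-only list (for example `ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5`) is the usual choice. This directive only governs TLS 1.2 and earlier; TLS 1.3 suites are configured with the separate `SSLCipherSuite TLSv1.3 ...` form available since 2.4.36. The same line also appears in `bin/apache2.4.65/conf/extra/httpd-ssl.conf.ber`, which the description says is an identical copy, so change both or restoring the backup brings the weak suite back.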
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies that the default SSLCipherSuite is outdated and includes weak ciphers, and the proposed change significantly improves security by enforcing stronger cryptographic standards.

High
Enforce modern TLS protocols

Binding to 443 without specifying protocols permits deprecated SSL/TLS versions
by defaults elsewhere. Explicitly limit TLS versions to supported, secure ones
to avoid SSLv3/TLS1.0/1.1 negotiation. Add modern protocol directive.

bin/apache2.4.65/conf/extra/httpd-ssl.conf [37]

 Listen 443
+SSLProtocol TLSv1.2 TLSv1.3
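Review bot: check that the `<VirtualHost _default_:443>` block further down the file does not carry its own `SSLProtocol`, since a vhost-level value overrides this global one. Also, `TLSv1.3` is rejected at config parse time when mod_ssl is linked against an OpenSSL older than 1.1.1, so confirm the OpenSSL version bundled with this 2.4.65 build before applying; placing the directive beside `Listen 443` is otherwise the right spot for the server-wide default.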
Suggestion importance[1-10]: 9


Why: The suggestion correctly points out that the lack of an SSLProtocol directive could allow obsolete and insecure protocols, and the proposed change is a critical security hardening measure.

High

@N6REJ N6REJ merged commit 9654916 into main Aug 16, 2025
@N6REJ N6REJ deleted the 2.4.65 branch August 16, 2025 02:52
@jwaisner jwaisner restored the 2.4.65 branch August 22, 2025 04:14
@jwaisner jwaisner deleted the 2.4.65 branch August 22, 2025 04:16

Labels

enhancement ✨ Improve program Security 🔐 Security issue


3 participants