

Libressl.org is running apache1 - mrmondo
http://www.libressl.org/contact.html

======
borando
This is OpenBSD's fork of Apache 1.3. It runs chroot and privsep'd by default,
and of course is patched for security issues where necessary. (OpenBSD
recently dropped Apache from the base build and is now fully committed to
nginx, moving forward.)

~~~
mrmondo
Thanks for the info, That's great news about Nginx.

------
thaumaturgy
Post another submission if you manage to root their server in a way that's
relevant to LibreSSL.

------
psgbg
I did just saw a blink tag in
[http://www.libressl.org/](http://www.libressl.org/) ?

[https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/bl...](https://developer.mozilla.org/en-
US/docs/Web/HTML/Element/blink)

~~~
ams6110
Check the note at the bottom of the page:

 _This page scientifically designed to annoy web hipsters. Donate now to stop
the Comic Sans and Blink Tags_

~~~
psgbg
Hahaha, didn't see that.

The thing was the surprise to see my browser did render it and nostalgia of
course.

------
byroot
I don't know much about OpenBSD but I know that they upgraded to Apache 2.X
only very recently (1 year max IIRC) and it seems that they still maintain the
1.x version: [http://openports.se/www/apache-httpd-
openbsd](http://openports.se/www/apache-httpd-openbsd)

~~~
borando
OpenBSD did not upgrade to 2.X. You're talking about ports, which are separate
from the base operating system. For accurate information about OpenBSD, right
now, check:

[http://www.openbsd.org/55.html](http://www.openbsd.org/55.html)

Regarding ports, they're basically a compilation build system that complements
binary packages (which OpenBSD also has) for 3rd party software not installed
with the base system . See:

[http://www.openbsd.org/faq/faq15.html#Ports](http://www.openbsd.org/faq/faq15.html#Ports)

~~~
byroot
My bad. So OpenBSD included Apache will still be 1.3 even in the upcoming 5.5.
(along a more modern nginx)

Thanks for the info.

------
mrmondo
Theres a good chance they could be using a version that has backported
security fixes, but seriously, look at the amount of _known_ vulnerabilities
Apache 1.3.29 has:
[http://httpd.apache.org/security/vulnerabilities_13.html](http://httpd.apache.org/security/vulnerabilities_13.html)

~~~
userbinator
1.3.29 was 10 years ago, and the latest 1.3.42 has only one "moderate" flaw. I
think there's a pretty good reason why they're not using 2.x.

~~~
ams6110
From the FAQ:

 _Why isn 't a newer version of Apache included?_ The license on newer
versions is unacceptable. Users interested in more modern web servers are
encouraged to look at nginx(8) which will hopefully be replacing Apache in
base.

(the latter has actually happened as of 5.4)

Also the Apache 1.3 in OpenBSD had been audited as it was part of the base
distribution (i.e. not just a port) and it ran chrooted by default.

~~~
chris_wot
Is it just me, or is Apache losing mindshare rapidly?

------
pieterza
This is obviously also to annoy hipsters such as mrmondo. ;)

