Apache HTTPD Server 2.4.68 Release Candidate Brings OpenSSL 4.0 Support and Critical Bug Fixes
The release candidate for Apache HTTPD server 2.4.68 drops today, and it actually fixes some of the older headaches that keep system administrators up at night. This update brings native OpenSSL 4.0 compatibility to mod_ssl, patches a file descriptor leak in mod_http2, and stops certain conditional directives from leaking error content into logs. Server operators should test this build before pushing it to production environments running modern TLS stacks or heavy proxy workloads.
OpenSSL 4.0 compatibility lands in mod_ssl
The jump to OpenSSL 4.0 has left a lot of legacy web servers scrambling, and Apache is one of the first major players to catch up. Joe Orton added the necessary hooks so mod_ssl can actually talk to the newer cryptographic library without throwing handshake failures or falling back to insecure ciphers. Production environments frequently break when crypto libraries update in place, making this support feel like a relief rather than just another checkbox. The patch also introduces SerialNumber as a recognized attribute for SSL distinguished name variables and forces the auth type to ClientCert when certificate authentication succeeds, which cleans up how backend applications parse client identity.
mod_http2 patches stop file descriptor exhaustion
Stefan Eissing pushed three separate updates to the HTTP/2 module in this release, and they all target resource leaks that quietly choke servers under load. The most important fix addresses excessive file descriptor use when sending files over non-TLS frontend connections, which used to leave open handles sitting around until the process died. Another update corrects how cookie headers count against LimitRequestFields, so misconfigured virtual hosts stop rejecting legitimate requests with a 400 error. There is also a guard for upload failures that prevents beam bucket callbacks from pointing at invalid memory when the server runs out of file descriptors on platforms with tight pipe limits. These changes matter because HTTP/2 multiplexing amplifies any handle leak into a full system stall within minutes.
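One way to check for the descriptor growth described above while load-testing a staging build, as an added example that is not code from the article or from the httpd project. It reads Linux /proc; the function names, the default threshold of 50 descriptors and the process name httpd are assumptions.

```shell
#!/bin/sh
# Added example, not httpd project code. Linux only (reads /proc).

# Open descriptor count for PID; non-zero status if the process is unreadable.
fd_count() {
    [ -r "/proc/$1/fd" ] || return 1
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Soft "Max open files" limit for PID, as the kernel reports it.
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits" 2>/dev/null
}

# fd_trend MIN_GROWTH SAMPLE... (oldest first). Compares the floor (minimum)
# of the later half with the floor of the earlier half, so per-request
# fluctuation is ignored and only a rising baseline is flagged.
fd_trend() {
    min_growth=$1; shift
    [ "$#" -ge 4 ] || { echo insufficient; return 0; }
    half=$(( $# / 2 )); i=0; lo_a=; lo_b=
    for s in "$@"; do
        i=$((i + 1))
        if [ "$i" -le "$half" ]; then
            [ -n "$lo_a" ] && [ "$s" -ge "$lo_a" ] || lo_a=$s
        else
            [ -n "$lo_b" ] && [ "$s" -ge "$lo_b" ] || lo_b=$s
        fi
    done
    if [ $((lo_b - lo_a)) -ge "$min_growth" ]; then echo leak-suspect; else echo stable; fi
}

# watch_fds PID INTERVAL_SECONDS COUNT [MIN_GROWTH]: print samples, then a verdict.
watch_fds() {
    pid=$1; interval=$2; count=$3; min_growth=${4:-50}
    limit=$(fd_soft_limit "$pid") || limit=unknown; samples=
    while [ "$count" -gt 0 ]; do
        n=$(fd_count "$pid") || { echo "pid $pid not readable" >&2; break; }
        echo "$(date +%T) pid=$pid fds=$n soft_limit=$limit"
        samples="$samples $n"; count=$((count - 1))
        [ "$count" -eq 0 ] || sleep "$interval"
    done
    # $samples is deliberately unquoted: each count becomes one argument.
    echo "pid=$pid trend=$(fd_trend "$min_growth" $samples)"
}

# Usage during a load test (process name "httpd" is an assumption; Debian-family
# packages name it "apache2"):
#   for p in $(pgrep -x httpd); do watch_fds "$p" 5 24 & done; wait
```

Run it against the current production build and the release candidate under the same load; a baseline that keeps rising toward soft_limit on one build and stays flat on the other is the signal to look for.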
Core logging and module stability get cleaned up
The Apache core team added %{m}t to ErrorLogFormat, which logs timestamps with millisecond precision alongside the existing microsecond option. This gives operators a clearer picture of request latency without needing external monitoring tools that add their own overhead. Eric Covener fixed mod_include so conditional blocks stop printing if or else content when an evaluation fails, which keeps error pages from looking like broken HTML templates. A crash in mod_file_cache affecting mmapped files under threaded MPMs got squashed, and mod_unixd dropped a redundant effective user ID zero check that broke chroot setups on modern FreeBSD releases. The proxy healthcheck module also stops disabling itself during child process restarts, which prevents sudden backend failures when the main daemon reloads configuration.
Release Apache/httpd 2.4.68-rc1-candidate
Test this release candidate in a staging environment before rolling it out to anything that handles live traffic. The OpenSSL 4.0 support alone makes it worth the download, and the HTTP/2 handle leaks were exactly the kind of silent killers that break servers on weekends. Grab the source tarball or grab your distro package when it hits stable, and keep an eye on the error logs during the first few hours after deployment.

