Apache 2.2 end of life

Does anyone know when the end of life date will be for Apache 2.2.x? Judging from historical patterns, I'm guessing in 2016 or 2017 (both 1.3 and 2.0 were between 11 and 12 years, and 2.2 came out in 2005).

I was hoping to find something authoritative such as a planned end of life date or a minimum committed end of life date (i.e. the Apache Software Foundation guarantees it will be supported until at least 20##), but I couldn't find anything online other than what's happened historically.

See table on https://en.wikipedia.org/?title=Apache_HTTP_Server#Development for historical release and EOL dates.


Solution 1:

Apache is open source software, which means that is can be maintained by anyone interested in doing this.

Also, Apache is a vital part of every Linux distributions, from which eg. RHEL / CentOS / Oracle Linux 6.x has Apache 2.2 and will be supported up to November 2020. And each distribution maintainers patch bugs in Apache (and other software packages) on their own.

So, the date of REAL end of life for Apache 2.2 is unpredictable.

Solution 2:

Although there is no official end-of-life for Apache 2.2, there are a few measures you can use to determine an appropriate transition time, namely:

  • Feature support (often via modules, e.g. modssl)
  • Adherence to current standards (e.g., TLSv1.2)
  • Availability (back-porting) of bug-fixes
  • Timeliness of security updates (e.g., logjam)

From my perspective, several of these lines have been crossed in the past few years. Specifically, Apache 2.2 with modssl does not have a fix for the logjam vulnerability yet, but Apache 2.4 has had this for some time now.

A few years ago, SNI support was slow to come to Apache 2.2 - it was an Apache 2.4 feature back-ported via an unofficial patch for a long time.

I've been using Apache 2.2 for years, and only decided to begin making the transition to 2.4 a few months ago (one of our servers had an additional SSL requirement that only Apache 2.4 can currently satisfy) so we currently have some 2.2 servers, some 2.4. Ultimately I only want to support a single server stack. Your reasons may vary, but these were the important points for making my decision.

Solution 3:

From http://www.apache.org/dist/httpd/Announcement2.4.html:

Please note that Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are strongly encouraged to promptly complete their transitions to the the 2.4.x flavor of httpd to benefit from a much larger assortment of minor security and bug fixes as well as new features.