Apache 2.2.16 is currently the "best available version" of the HTTP Server. I made some changes to the source and need to recompile with OpenSSL. My question is, should I use OpenSSL 0.9.8o or OpenSSL 1.0.0a? The latter is a more recent, major release, but Apache couples HTTPD 2.2.16 with OpenSSL 0.9.8o in their binary offering. See "Win32 Binary including OpenSSL 0.9.8o (MSI Installer)" on the download page.
There is little to no documentation regarding Apache's decision here.
It seems best to use the same version of OpenSSL that was used with the original build of Apache that you are using. There is a small chance (probably very small but possibly non-zero) that there might be some dependency on the specific version of OpenSSL. For example, the change log does indicate there is at least one bug fix that could result in requiring a change if the application worked around it (search for "old buggy behaviour" on that change log page). I am only using this as an example; I have absolutely no idea if Apache even uses BIO_pop and BIO_push. But it is this type of thing that could cause difficulty if you change the versions without knowing more about how it is used.
Note that the v0.9x versions of OpenSSL are real releases and in wide use. It shouldn't be an issue just because it pre-dates v1.x.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki