I have only used the Apache HTTP Server on Windows for a couple of years since I mostly use Linux.

Until now I have downloaded the binaries from the Apache Software Foundation or one of its mirrors.

I have been missing the latest releases (2.2.23 and 2.2.24). First I thought that the reason they were not available was because the CVE was not relevant for Windows 🙂

After checking up on this I found that the Apache Software Foundation (ASF) has never supplied binaries for Windows.

The binaries was provide by a third-party. I do not know who, but they have stopped supplying them.

ASF has some mail lists and there it was suggested to get the binaries from http://www.apachelounge.com.
I have checked the site out and it looks safe. It have existed in years and have forums with thousands of users. Google did not reports any problems with them.

I have downloaded version 2.2.24 and installed it on a couple of servers. It works fine and https://www.ssllabs.com/ssltest does not report the servers as vulnerable to the CRIME attack anymore and they get an A rating 🙂

You can switched from “ASF” binaries to apachelounge via:

• Backup the current installation.
• Uninstall httpd and delete the Apache directory.
• Unzip httpd-2.2.24-win32-ssl_0.9.8.zip and copy the content of the Apache2 directory to the location of the old installation.
• Delete the conf directory and replace it with your old conf. Since we have placed it the same place you do not have to change anything else.
• Install the Windows service via httpd.exe -k install.

The apachelounge.com looks to be mostly a one man show. There is no warranty for anything so if this is a concern you should probably compile httpd yourself.

They do provide PGP signatures and SHA1-SHA512 checksums so you can validate the downloads.

New releases are announced via Twitter @ApacheLounge.

This is an independent site so remember to make a donation if you like their service.