MANY production environments are still on RHEL 5.

Apache and openssl in rhel5 are too old to use IMO. People should upgrade.

Redhat applies critical security fixes for RHEL5 until 2020[1], and that's why people pay the money.

Yeah, it's old, outdated etc, but sometimes if something works it makes sense to stay on it.

[1] https://access.redhat.com/support/policy/updates/errata#Life...

The openssl 0.9.8 with Apache/2.2.3 combo only supports TLS 1.0. I couldn't setup TLS to get better than grade "B" on Qualys' SSL Server Test. I sacrificed MSIE on WinXP, used TLS 1.0 only, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA only, got a "B". I want Forward Secrecy only, AEAD only setup. Have to upgrade to RHEL6 for that.

Yes i totally agree .. nginx has very less memory footprint as well