Apache VCL logo Apache Software Foundation logo
Apache current event


Use the links below to download Apache VCL from one of our mirrors. You must verify the integrity of the downloaded files using signatures downloaded from our main distribution directory, not from a mirror.

Only current recommended releases are available on the main distribution site and its mirrors. Older releases are available from the archive download site.

Stable Release - Latest Version:

Previous Releases:


The currently selected mirror is https://dlcdn.apache.org/. If you encounter a problem with this mirror, please select another mirror. If all mirrors are failing, there are backup mirrors (at the end of the mirrors list) that should be available.

Other mirrors:

You may also consult the complete list of mirrors.

Verifying the integrity of the files

It is essential that you verify the integrity of the downloaded files using the GPG and SHA signatures. Security of the mirrors cannot be guaranteed, which means malicious code could be added to the downloads from the mirrors. By verifying the integrity of downloaded release files, you ensure they have not been tainted.

Run the following command to verify the SHA256 sum. You should get output similar to “apache-VCL-2.5.1.tar.bz2: OK”:

sha256sum -c apache-VCL-2.5.1.tar.bz2.sha256

Similarly, run the following command to verify the MD5 sum. It should give output similar to “apache-VCL-2.5.1.tar.bz2: OK”:

md5sum -c apache-VCL-2.5.1.tar.bz2.md5

To verify the GPG signature (you’ll need to have GnuPG installed):

  1. download and import the VCL KEYS file (if you’ve imported the KEYS file for previous releases, you do not need to import it again):

    gpg --import KEYS
  2. download the GPG Signature to the same location as the release file

  3. from the directory containing both the release file and the GPG signature, run

    gpg --verify apache-VCL-2.5.1.tar.bz2.asc

TSU Notification - Encryption

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country’s laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included cryptographic software:

The web and backend portions of the code utilize php and perl functions to encrypt password information stored in the database. The web code utilizes php functions to encrypt cookie information passed to and stored in users’ browsers. The backend code uses openssh to connect to and control deployed nodes. openssh heavily uses encryption.

Addionally, the web portion of the code includes portions of the phpseclib library. This library is only used for PHP versions not supporting the function “openssl_encrypt” (supported since PHP 5.3.0).


For new installs, visit the on-line installation guide:

Latest Version:

Previous Versions:


For upgrades, visit the on-line upgrade guide:

Upgrade to latest version:

Upgrade to 2.5

Upgrade to 2.4.2

Upgrade to 2.3.2

Upgrade to 2.2.2:

Upgrade really old versions to older versions:

to 2.3.1

to 2.3

to 2.2.1

to 2.2

Release Notes

See the release notes page for information about each release.

Change Log

See the change log page for changes made in each release.