mod_ssl 2.8.31 PCI problem

Daniel J. Luke dluke at
Mon Jun 11 15:19:05 PDT 2012

On Jun 11, 2012, at 6:01 PM, Tony Miller wrote:
> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22, which is the current installed version. 

You probably need more information from your security vendor (maybe a CVE id?)

I didn't see anything with a quick look at

> I've run the port upgrade outdated recently and retested, but it didn't change the mod_ssl version.

mod_ssl comes with apache2, apache 2.2.22 is the latest current verison of apache 2.2.x (MacPorts will eventually be moving to apache 2.4.x)

> I've downloaded the source from, but am not that comfortable installing outside MacPorts yet.

That's for Apache 1.3.41, so it's not useful to you anyway...

> This machine is in production so I can't experiment on it. I'm not that brave/stupid at this point. 

You should have a non-production machine that you can test/experiment with :)

> I don't see any tickets on this so thought I'd start here first. 

Depending on what your security vendor says is the problem, you may be able to just change some apache/mod_ssl configuration parameters to pass the audit.

This tester may help you identify any issues if your security vendor doesn't have information for you:

They have a 'best practices' guide available as well:

None of this is macports-specific, though :)
Daniel J. Luke                                                                   
| *---------------- dluke at ----------------* |                          
| *-------------- -------------* |                          
|   Opinions expressed are mine and do not necessarily   |                          
|          reflect the opinions of my employer.          |                          

More information about the macports-users mailing list