mod_ssl 2.8.31 PCI problem
Daniel J. Luke
dluke at geeklair.net
Mon Jun 11 15:19:05 PDT 2012
On Jun 11, 2012, at 6:01 PM, Tony Miller wrote:
> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22, which is the current installed version.
You probably need more information from your security vendor (maybe a CVE id?)
I didn't see anything with a quick look at http://httpd.apache.org/security/vulnerabilities_22.html
> I've run the port upgrade outdated recently and retested, but it didn't change the mod_ssl version.
mod_ssl comes with apache2, apache 2.2.22 is the latest current verison of apache 2.2.x (MacPorts will eventually be moving to apache 2.4.x)
> I've downloaded the source from http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz, but am not that comfortable installing outside MacPorts yet.
That's for Apache 1.3.41, so it's not useful to you anyway...
> This machine is in production so I can't experiment on it. I'm not that brave/stupid at this point.
You should have a non-production machine that you can test/experiment with :)
> I don't see any tickets on this so thought I'd start here first.
Depending on what your security vendor says is the problem, you may be able to just change some apache/mod_ssl configuration parameters to pass the audit.
This tester may help you identify any issues if your security vendor doesn't have information for you: https://www.ssllabs.com/ssltest/index.html
They have a 'best practices' guide available as well: https://www.ssllabs.com/projects/best-practices/index.html
None of this is macports-specific, though :)
Daniel J. Luke
| *---------------- dluke at geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
| Opinions expressed are mine and do not necessarily |
| reflect the opinions of my employer. |
More information about the macports-users