mod_ssl 2.8.31 PCI problem

Daniel J. Luke dluke at geeklair.net
Mon Jun 11 15:19:05 PDT 2012 

On Jun 11, 2012, at 6:01 PM, Tony Miller wrote:
> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22, which is the current installed version. 

You probably need more information from your security vendor (maybe a CVE id?)

I didn't see anything with a quick look at http://httpd.apache.org/security/vulnerabilities_22.html

> I've run the port upgrade outdated recently and retested, but it didn't change the mod_ssl version.

mod_ssl comes with apache2, apache 2.2.22 is the latest current verison of apache 2.2.x (MacPorts will eventually be moving to apache 2.4.x)

> I've downloaded the source from http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz, but am not that comfortable installing outside MacPorts yet.

That's for Apache 1.3.41, so it's not useful to you anyway...

> This machine is in production so I can't experiment on it. I'm not that brave/stupid at this point. 

You should have a non-production machine that you can test/experiment with :)

> I don't see any tickets on this so thought I'd start here first. 


Depending on what your security vendor says is the problem, you may be able to just change some apache/mod_ssl configuration parameters to pass the audit.

This tester may help you identify any issues if your security vendor doesn't have information for you: https://www.ssllabs.com/ssltest/index.html

They have a 'best practices' guide available as well: https://www.ssllabs.com/projects/best-practices/index.html

None of this is macports-specific, though :)
--
Daniel J. Luke                                                                   
+========================================================+                        
| *---------------- dluke at geeklair.net ----------------* |                          
| *-------------- http://www.geeklair.net -------------* |                          
+========================================================+                        
|   Opinions expressed are mine and do not necessarily   |                          
|          reflect the opinions of my employer.          |                          
+========================================================+

More information about the macports-users mailing list