mod_ssl 2.8.31 PCI problem

Tony Miller tmiller at thehawkeye.com
Mon Jun 11 18:40:51 PDT 2012


All,

Thanks. I told them they must be confused. I was using 2.2.22 and this issue is with 1.3.41. 

I do have a test machine at home, but not one set up at work yet. Need a box to do that with. 

I'll have a look at the ssllabs site (Thanks Daniel). 

I thought I was right about my assessment of the bug, but I knew the people here would know. 

MacPorts is fabulous. It is the best, easiest method I've found to stay updated and keep up with the PCI gauntlet. 

Tony Miller
tmiller at thehawkeye.com

On Jun 11, 2012, at 5:19 PM, Daniel J. Luke wrote:

> On Jun 11, 2012, at 6:01 PM, Tony Miller wrote:
>> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22, which is the current installed version. 
> 
> You probably need more information from your security vendor (maybe a CVE id?)
> 
> I didn't see anything with a quick look at http://httpd.apache.org/security/vulnerabilities_22.html
> 
>> I've run the port upgrade outdated recently and retested, but it didn't change the mod_ssl version.
> 
> mod_ssl comes with apache2, apache 2.2.22 is the latest current version of apache 2.2.x (MacPorts will eventually be moving to apache 2.4.x)
> 
>> I've downloaded the source from http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz, but am not that comfortable installing outside MacPorts yet.
> 
> That's for Apache 1.3.41, so it's not useful to you anyway...
> 
>> This machine is in production so I can't experiment on it. I'm not that brave/stupid at this point. 
> 
> You should have a non-production machine that you can test/experiment with :)
> 
>> I don't see any tickets on this so thought I'd start here first. 
> 
> 
> Depending on what your security vendor says is the problem, you may be able to just change some apache/mod_ssl configuration parameters to pass the audit.
> 
> This tester may help you identify any issues if your security vendor doesn't have information for you: https://www.ssllabs.com/ssltest/index.html
> 
> They have a 'best practices' guide available as well: https://www.ssllabs.com/projects/best-practices/index.html
> 
> None of this is macports-specific, though :)
> --
> Daniel J. Luke                                                                   
> +========================================================+                        
> | *---------------- dluke at geeklair.net ----------------* |                          
> | *-------------- http://www.geeklair.net -------------* |                          
> +========================================================+                        
> |   Opinions expressed are mine and do not necessarily   |                          
> |          reflect the opinions of my employer.          |                          
> +========================================================+