logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache 2.2.14
Author
motosport



Joined: 28 Oct 2009
Posts: 3
Location: Tualatin, OR

PostPosted: Wed 28 Oct '09 15:09    Post subject: Apache 2.2.14 Reply with quote

I'm running the latest version of Apache as downloaded from this site, and I had a question about mod_ssl. We use a external scanning vendor to allow us to carry a trust mark and be PCI compliant.

Our scanning vendor recently reported this vulnerability:

"Medium Priority"
mod_ssl version is out of date.
In mod_ssl before 2.8.24, using the 'SSLVerifyClient optional' allows a remote attackers to bypass the intended access restrictions.


I see that the build of Apache has the following attributes:

Server Version: Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k
Server Built: Sep 29 2009 19:29:00


Am I missing something here, or is the version of mod_ssl that ships with this build of Apache grossly out of date? Does anyone know how to update the mod_ssl version in the build manually?

Thanks!


Rob
motosport.com
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 28 Oct '09 15:45    Post subject: Reply with quote

OpenSSL 0.9.8k is the latest stable version of OpenSSL you can get. There is also OpenSSL 1.0.0 but that is still a beta versionand not for productive servers.
Back to top
motosport



Joined: 28 Oct 2009
Posts: 3
Location: Tualatin, OR

PostPosted: Wed 28 Oct '09 15:59    Post subject: mod_ssl not OpenSSL Reply with quote

It's actually the version of mod_ssl that I am asking about, not the OpenSSL version.

Thanks!

Rob
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 28 Oct '09 16:03    Post subject: Reply with quote

Sure, mod_ssl is using OpenSSL inside and the 2.2.14 source is the latest source for mod_ssl within apache 2.2.14
The mod_ssl 2.8.24 from modssl.org belongs to apache 1.3.

You can be sure that all the bug "'SSLVerifyClient optional" a fixed in Apache 2.2.14 and the shipped mod_ssl
Back to top
motosport



Joined: 28 Oct 2009
Posts: 3
Location: Tualatin, OR

PostPosted: Wed 28 Oct '09 16:34    Post subject: I will report this as a false positive Reply with quote

Thanks for your clarification. I reported this as a false positive to our scanning vendor. I'll wait to hear what they have to say.

Thanks Again!

Rob
Back to top


Reply to topic   Topic: Apache 2.2.14 View previous topic :: View next topic
Post new topic   Forum Index -> Apache