Topic: Apache 2.2.14
motosport
Joined: 28 Oct 2009 Posts: 3 Location: Tualatin, OR
Posted: Wed 28 Oct '09 15:09 Post subject: Apache 2.2.14
I'm running the latest version of Apache as downloaded from this site, and I had a question about mod_ssl. We use an external scanning vendor to allow us to carry a trust mark and be PCI compliant.
Our scanning vendor recently reported this vulnerability:
"Medium Priority"
mod_ssl version is out of date.
In mod_ssl before 2.8.24, using 'SSLVerifyClient optional' allows remote attackers to bypass the intended access restrictions.
I see that the build of Apache has the following attributes:
Server Version: Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k
Server Built: Sep 29 2009 19:29:00
Am I missing something here, or is the version of mod_ssl that ships with this build of Apache grossly out of date? Does anyone know how to update the mod_ssl version in the build manually?
Thanks!
Rob
motosport.com
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 28 Oct '09 15:45
OpenSSL 0.9.8k is the latest stable version of OpenSSL you can get. There is also OpenSSL 1.0.0, but that is still a beta version and not for production servers.
motosport
Joined: 28 Oct 2009 Posts: 3 Location: Tualatin, OR
Posted: Wed 28 Oct '09 15:59 Post subject: mod_ssl not OpenSSL
It's actually the version of mod_ssl that I am asking about, not the OpenSSL version.
Thanks!
Rob
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 28 Oct '09 16:03
Sure, mod_ssl uses OpenSSL inside, and the 2.2.14 source is the latest source for mod_ssl within Apache 2.2.14.
The mod_ssl 2.8.24 from modssl.org belongs to Apache 1.3.
You can be sure that the 'SSLVerifyClient optional' bug is fixed in Apache 2.2.14 and the shipped mod_ssl.
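To make the point of the reply above concrete, here is an added illustration (not code from this thread, from Apache Lounge or from any scanner) of why a plain version comparison misfires: the standalone modssl.org mod_ssl (2.8.x, for Apache 1.3) and the mod_ssl built into Apache 2.x, which simply reports the httpd version, are different version lines. The assumption that the vendor compared the mod_ssl token directly against 2.8.24 is mine, and the banners other than the one quoted in the thread are constructed.

```python
import re

# Constructed sample Server banners. The first one is the banner quoted in
# the thread; the other two are made up to show the Apache 1.3 lineage.
BANNERS = [
    "Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k",
    "Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7d",
    "Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e",
]

# "mod_ssl before 2.8.24" is the threshold from the scanner finding.
THRESHOLD = (2, 8, 24)


def parse_banner(banner: str) -> dict:
    """Split 'Product/version' tokens out of a Server banner into
    {product: (major, minor, patch...)} so versions compare as tuples."""
    return {
        m.group(1): tuple(int(p) for p in m.group(2).split("."))
        for m in re.finditer(r"(\w+)/(\d+(?:\.\d+)*)", banner)
    }


def naive_check(banner: str) -> bool:
    """Assumed scanner logic: compare the mod_ssl version number directly
    against 2.8.24. On Apache 2.2.14 this fires, because 2.2.14 < 2.8.24
    as a bare number, even though the two are unrelated version lines."""
    ssl = parse_banner(banner).get("mod_ssl")
    return ssl is not None and ssl < THRESHOLD


def lineage_aware_check(banner: str) -> str:
    """Apply the 2.8.24 threshold only to the standalone modssl.org line,
    which belongs to Apache 1.3. In Apache 2.x mod_ssl ships inside httpd
    and its version mirrors the httpd version, so that threshold does not
    apply; the httpd version itself is what should be assessed there."""
    versions = parse_banner(banner)
    httpd, ssl = versions.get("Apache"), versions.get("mod_ssl")
    if httpd is None or ssl is None:
        return "no mod_ssl in banner"
    if httpd[:2] == (1, 3):
        return "flag" if ssl < THRESHOLD else "clear"
    return "integrated mod_ssl: judge by the httpd version, not 2.8.24"


if __name__ == "__main__":
    for b in BANNERS:
        print(f"{b}\n  naive={naive_check(b)}  lineage={lineage_aware_check(b)}")
```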
motosport
Joined: 28 Oct 2009 Posts: 3 Location: Tualatin, OR
Posted: Wed 28 Oct '09 16:34 Post subject: I will report this as a false positive
Thanks for your clarification. I reported this as a false positive to our scanning vendor. I'll wait to hear what they have to say.
Thanks Again!
Rob