All, Thanks. I told them they must be confused. I was using 2.2.22 and this issue is with 1.3.41.
I do have a test machine at home, but not one set up at work yet. Need a box to do that with. I'll have a look at the ssllabs site (Thanks Daniel). I thought I was right about my assessment of the bug, but I knew the people here would know. Macports is fabulous. It is the best, easiest method I've found to stay updated and keep up with the PCI gauntlet. Tony Miller [email protected] On Jun 11, 2012, at 5:19 PM, Daniel J. Luke wrote: > On Jun 11, 2012, at 6:01 PM, Tony Miller wrote: >> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl >> 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22, which >> is the current installed version. > > You probably need more information from your security vendor (maybe a CVE id?) > > I didn't see anything with a quick look at > http://httpd.apache.org/security/vulnerabilities_22.html > >> I've run the port upgrade outdated recently and retested, but it didn't >> change the mod_ssl version. > > mod_ssl comes with apache2, apache 2.2.22 is the latest current verison of > apache 2.2.x (MacPorts will eventually be moving to apache 2.4.x) > >> I've downloaded the source from >> http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz, but am not that >> comfortable installing outside MacPorts yet. > > That's for Apache 1.3.41, so it's not useful to you anyway... > >> This machine is in production so I can't experiment on it. I'm not that >> brave/stupid at this point. > > You should have a non-production machine that you can test/experiment with :) > >> I don't see any tickets on this so thought I'd start here first. > > > Depending on what your security vendor says is the problem, you may be able > to just change some apache/mod_ssl configuration parameters to pass the audit. > > This tester may help you identify any issues if your security vendor doesn't > have information for you: https://www.ssllabs.com/ssltest/index.html > > They have a 'best practices' guide available as well: > https://www.ssllabs.com/projects/best-practices/index.html > > None of this is macports-specific, though :) > -- > Daniel J. Luke > > +========================================================+ > > | *---------------- [email protected] ----------------* | > > | *-------------- http://www.geeklair.net -------------* | > > +========================================================+ > > | Opinions expressed are mine and do not necessarily | > > | reflect the opinions of my employer. | > > +========================================================+ > > > _______________________________________________ macports-users mailing list [email protected] http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
