Hi List,
costumer did a nessus pci-scan to fit worldpay requirements. Result was a
security risk at ssl section:
Family: Remote Shell Access Critical 443/tcp 11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote SSL
server should have
sent back an Error message. This may indicate that the server is vulnerable
to a remote
flaw in the way that it handles unrequested certificates. You should
manually inspect the
SSL Server's configuration
In my httpd.conf i have:
<VirtualHost ip.ad.re.ss:443>
SuexecUserGroup user user
Serveradmin [EMAIL PROTECTED]
DocumentRoot /www/htdocs/user/
ServerName www.hostname.com
php_admin_value open_basedir
/www/htdocs/user/:/tmp:/usr/bin:/www/htdocs/user:/bin:/usr/local/bin:/usr/share/php
ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/"
SSLEngine on
SSLCertificateFile /path/to/SSL2_www.hostname.com.crt
SSLCertificateKeyFile /path/to/SSL2_www.hostname.com.key
SSLCACertificateFile /path/to/SSL2_www.hostname.com.bundle.crt
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Is there a possibility to send this error when requested the ssl-connection
with wrong hostname. Did not found really fitting options.
Thank your for hints etc.
Andre
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
