httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andre Hübner <andre.hueb...@gmx.de>
Subject [users@httpd] disable to responded to an unrequested SSL Certificate
Date Tue, 30 Sep 2008 12:14:51 GMT
Hi List,

costumer did a nessus pci-scan to fit worldpay requirements. Result was a 
security risk at ssl section:

Family: Remote Shell Access Critical 443/tcp 11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote SSL 
server should have
sent back an Error message. This may indicate that the server is vulnerable 
to a remote
flaw in the way that it handles unrequested certificates. You should 
manually inspect the
SSL Server's configuration



In my httpd.conf i have:

<VirtualHost ip.ad.re.ss:443>
    SuexecUserGroup user  user
    Serveradmin webmaster@hostname.com
    DocumentRoot /www/htdocs/user/
    ServerName www.hostname.com
    php_admin_value open_basedir 
/www/htdocs/user/:/tmp:/usr/bin:/www/htdocs/user:/bin:/usr/local/bin:/usr/share/php
    ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/"
    SSLEngine on
    SSLCertificateFile /path/to/SSL2_www.hostname.com.crt
    SSLCertificateKeyFile /path/to/SSL2_www.hostname.com.key
    SSLCACertificateFile /path/to/SSL2_www.hostname.com.bundle.crt
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
</VirtualHost>

Is there a possibility to send this error when requested the ssl-connection 
with wrong hostname. Did not found really fitting options.
Thank your for hints etc.
Andre


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message