httpd-users mailing list archives

From Andre Hübner <>
Subject [users@httpd] disable to responded to an unrequested SSL Certificate
Date Tue, 30 Sep 2008 12:14:51 GMT
Hi List,

A customer did a Nessus PCI scan to fit WorldPay requirements. Result was a
security risk at SSL section:

Family: Remote Shell Access Critical 443/tcp 11875
The remote host responded to an unrequested SSL Certificate. The remote SSL
server should have sent back an Error message. This may indicate that the
server is vulnerable to a remote flaw in the way that it handles unrequested
certificates. You should manually inspect the SSL Server's configuration

In my httpd.conf I have:

    SuexecUserGroup user  user
    DocumentRoot /www/htdocs/user/
    php_admin_value open_basedir 
    ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/"
    SSLEngine on
    SSLCertificateFile /path/to/
    SSLCertificateKeyFile /path/to/
    SSLCACertificateFile /path/to/
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Is there a possibility to send this error when the SSL connection is
requested with a wrong hostname? Did not find really fitting options.
Thank you for hints etc.

The official User-To-User support forum of the Apache HTTP Server Project.