From: Andre Hübner <andre.huebner@gmx.de>
To: users@httpd.apache.org
Date: Tue, 30 Sep 2008 14:14:51 +0200
Subject: [users@httpd] disable responding to an unrequested SSL Certificate

Hi List,

a customer did a Nessus PCI scan to fit WorldPay requirements. The result was a security risk in the SSL section:

    Family: Remote Shell Access
    Critical 443/tcp 11875
    Description: The remote host responded to an unrequested SSL Certificate.
    The remote SSL server should have sent back an Error message.
    This may indicate that the server is vulnerable to a remote flaw in the way
    that it handles unrequested certificates.
    You should manually inspect the SSL Server's configuration

In my httpd.conf I have:

    SuexecUserGroup user user
    ServerAdmin webmaster@hostname.com
    DocumentRoot /www/htdocs/user/
    ServerName www.hostname.com
    php_admin_value open_basedir /www/htdocs/user/:/tmp:/usr/bin:/www/htdocs/user:/bin:/usr/local/bin:/usr/share/php
    ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/"
    SSLEngine on
    SSLCertificateFile /path/to/SSL2_www.hostname.com.crt
    SSLCertificateKeyFile /path/to/SSL2_www.hostname.com.key
    # Note: SSLCACertificateFile is the CA set used to verify *client* certificates;
    # the intermediate chain for the server certificate belongs in SSLCertificateChainFile on 2.2.
    SSLCACertificateFile /path/to/SSL2_www.hostname.com.bundle.crt
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    # Workarounds for old MSIE SSL bugs
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

Is there a possibility to send this error when the SSL connection is requested with the wrong hostname? I did not find really fitting options.

Thank you for hints etc.
Andre

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
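Before changing anything in httpd.conf it helps to reproduce what the scanner saw, rather than trusting a one-line finding. The script below is an added example for this thread; it is neither the Nessus plugin nor anything from the Apache project, and it reads the quoted description literally: complete the server's first handshake flight, confirm that no CertificateRequest arrived, then send a client Certificate message anyway and see how the server reacts. A TLS stack that behaves (RFC 5246) answers an out-of-place handshake message with a fatal unexpected_message alert (description code 10) or drops the connection; a server that quietly carries on is the case the scanner complains about. The host name, port and cipher list are assumptions, not values from the post; the ClientHello negotiates TLS 1.0 to 1.2 only, and handshake messages split across several records are not reassembled.

```python
"""Probe whether a TLS server rejects a client Certificate it never asked for.

Added example; not the Nessus check itself and not Apache code. Works for
servers that negotiate TLS 1.0-1.2 with the minimal ClientHello built here.
"""
import socket
import struct

CT_ALERT = 21
CT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14
TLS12 = (3, 3)


def build_record(content_type, payload, version=TLS12):
    """TLS record layer: type(1) version(2) length(2) payload."""
    return bytes([content_type, *version]) + struct.pack("!H", len(payload)) + payload


def build_handshake(hs_type, body, version=TLS12):
    """One handshake message (type(1) length(3) body) in its own record."""
    return build_record(CT_HANDSHAKE, bytes([hs_type]) + len(body).to_bytes(3, "big") + body, version)


def build_client_hello(server_name, version=TLS12):
    """Minimal ClientHello: RSA key-exchange suites, SNI as the only extension.
    The random field is all zeros; the probe never completes a real key exchange."""
    ciphers = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA (assumed list)
    name = server_name.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # server_name_list, host_name type
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (bytes(version) + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                          # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    return build_handshake(HS_CLIENT_HELLO, body, version)


def build_unrequested_certificate(version=TLS12):
    """Client Certificate message with an empty certificate_list (3-byte length 0)."""
    return build_handshake(HS_CERTIFICATE, b"\x00\x00\x00", version)


def parse_records(data):
    """Split bytes into complete (content_type, payload) records; a trailing partial record is dropped."""
    records, i = [], 0
    while i + 5 <= len(data):
        content_type, length = data[i], struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        records.append((content_type, data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def handshake_types(records):
    """Handshake message types found in plaintext handshake records (no cross-record reassembly)."""
    types = []
    for content_type, payload in records:
        if content_type != CT_HANDSHAKE:
            continue
        j = 0
        while j + 4 <= len(payload):
            types.append(payload[j])
            j += 4 + int.from_bytes(payload[j + 1:j + 4], "big")
    return types


def classify_reply(data):
    """Server reaction to the unrequested Certificate:
    ('alert', level, description) for a TLS alert (10 = unexpected_message is the correct answer),
    ('closed', None, None) for EOF, ('accepted', None, None) if the handshake simply continued."""
    if not data:
        return ("closed", None, None)
    for content_type, payload in parse_records(data):
        if content_type == CT_ALERT and len(payload) >= 2:
            return ("alert", payload[0], payload[1])
    return ("accepted", None, None)


def probe(host, port=443, timeout=5.0):
    """Run the check live against host:port (both are whatever you pass in)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        buf = b""
        while HS_SERVER_HELLO_DONE not in handshake_types(parse_records(buf)):
            chunk = sock.recv(16384)
            if not chunk:
                return ("closed", None, None)       # server rejected the hello outright
            buf += chunk
            if any(ct == CT_ALERT for ct, _ in parse_records(buf)):
                return classify_reply(buf)          # e.g. handshake_failure on our cipher list
        if HS_CERTIFICATE_REQUEST in handshake_types(parse_records(buf)):
            return ("requested", None, None)        # server wants a cert; the check does not apply
        sock.sendall(build_unrequested_certificate())
        try:
            reply = sock.recv(16384)
        except socket.timeout:
            return ("silent", None, None)           # no alert, connection left open: what the scanner flags
        except ConnectionError:
            reply = b""
        return classify_reply(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 probe.py www.hostname.com 443` (substitute your own host). A stack that handles the message correctly returns `('alert', 2, 10)` or `('closed', None, None)`; `('silent', ...)` or `('accepted', ...)` means the server tolerated the unrequested message and the finding is reproducible, at which point the place to look is the OpenSSL build behind mod_ssl rather than any httpd.conf directive.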