You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Andre Hübner <an...@gmx.de> on 2008/09/30 14:14:51 UTC
[users@httpd] disable to responded to an unrequested SSL Certificate
Hi List,
costumer did a nessus pci-scan to fit worldpay requirements. Result was a
security risk at ssl section:
Family: Remote Shell Access Critical 443/tcp 11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote SSL
server should have
sent back an Error message. This may indicate that the server is vulnerable
to a remote
flaw in the way that it handles unrequested certificates. You should
manually inspect the
SSL Server's configuration
In my httpd.conf i have:
<VirtualHost ip.ad.re.ss:443>
SuexecUserGroup user user
Serveradmin webmaster@hostname.com
DocumentRoot /www/htdocs/user/
ServerName www.hostname.com
php_admin_value open_basedir
/www/htdocs/user/:/tmp:/usr/bin:/www/htdocs/user:/bin:/usr/local/bin:/usr/share/php
ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/"
SSLEngine on
SSLCertificateFile /path/to/SSL2_www.hostname.com.crt
SSLCertificateKeyFile /path/to/SSL2_www.hostname.com.key
SSLCACertificateFile /path/to/SSL2_www.hostname.com.bundle.crt
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Is there a possibility to send this error when requested the ssl-connection
with wrong hostname. Did not found really fitting options.
Thank your for hints etc.
Andre
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] disable to responded to an unrequested SSL Certificate
Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Sep 30, 2008 at 2:14 PM, Andre Hübner <an...@gmx.de> wrote:
> In my httpd.conf i have:
> SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
Why do you have these options? Do you have SSL authentication configured?
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org