Hi List,costumer did a nessus pci-scan to fit worldpay requirements. Result was a security risk at ssl section:
Family: Remote Shell Access Critical 443/tcp 11875 Description:The remote host responded to an unrequested SSL Certificate. The remote SSL server should have sent back an Error message. This may indicate that the server is vulnerable to a remote flaw in the way that it handles unrequested certificates. You should manually inspect the
SSL Server's configuration In my httpd.conf i have: <VirtualHost ip.ad.re.ss:443> SuexecUserGroup user user Serveradmin webmaster@xxxxxxxxxxxx DocumentRoot /www/htdocs/user/ ServerName www.hostname.comphp_admin_value open_basedir /www/htdocs/user/:/tmp:/usr/bin:/www/htdocs/user:/bin:/usr/local/bin:/usr/share/php
ScriptAlias /cgi-bin/ "/www/htdocs/user/cgi-bin/" SSLEngine on SSLCertificateFile /path/to/SSL2_www.hostname.com.crt SSLCertificateKeyFile /path/to/SSL2_www.hostname.com.key SSLCACertificateFile /path/to/SSL2_www.hostname.com.bundle.crt SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>Is there a possibility to send this error when requested the ssl-connection with wrong hostname. Did not found really fitting options.
Thank your for hints etc. Andre --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|