Help Upgrade XAMPP 5.6.8 OPENSSL



Postby pylonx » 20. May 2015 22:13

Hello Friends.

I work for a small outdoor retailer where I'm lucky enough to build internal web apps that benefit different departments.

We recently updated my Web Servers that are set up on the intranet, not for public use. I updated to XAMPP 5.6.8.

We have a company that scans our systems to make sure we are compliant, PCI and otherwise. This company keeps telling us my internal web server has vulnerabilities, specifically with openssl and needing a "server certificate signed with a public key length of at least 2048 bits".

XAMPP 5.6.8 is using openssl 1.0.1l
viewtopic.php?f=16&t=70653

But openssl 1.0.1l has vulnerabilities.
https://web.nvd.nist.gov/view/vuln/sear ... ssl:1.0.1l

I would like to try to update openssl on my server to either 1.0.1m or 1.0.2a but I have no idea where to start. I've googled with little luck.

Could someone help point me in the right direction? I'd appreciate it!
pylonx
Posts: 23
Joined: 19. October 2010 19:02
XAMPP version: 5.6.30
Operating System: Windows 7, 10, Srv2012

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby glitzi85 » 20. May 2015 23:04

You would have to recompile Apache from source to do that.

There is a build available at Apachelounge using 1.0.1m: http://www.apachelounge.com/viewtopic.php?p=29713
- Stop Apache
- Rename the apache folder in xampp to apache.old
- Download zip: http://www.apachelounge.com/download/VC11/binaries/httpd-2.4.12-win32-VC11.zip
- Copy the Apache24 directory from the zip to xampp and rename it to apache
- delete apache\config and copy apache.old\config to apache\
- copy libssh2.dll from apache.old\bin\ to apache\bin\
- Restart Apache
- Optionally copy the batch-files from old to new (they are not needed for the operation of Apache)


Of course you still have to generate new Certificates to pass your compliance check.
glitzi85
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim
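The swap glitzi85 lists above, written out as a PowerShell script. This is an added example, not part of the forum post or of XAMPP or Apache Lounge. Assumptions, labelled in the comments: XAMPP is installed in C:\xampp, the Apache Lounge zip has already been downloaded, Apache was installed as the service XAMPP's apache_installservice.bat creates (Apache2.4) or is simply not running, and PowerShell 5 or later is available for Expand-Archive. The post writes apache\config; in a stock XAMPP install the directory is apache\conf, which is what the script copies.

```powershell
# Added example (not from the forum post): replace XAMPP's Apache directory with an
# Apache Lounge build, following glitzi85's steps, then verify the result.
# Assumptions, labelled:
#   - XAMPP lives in $Xampp (default C:\xampp)
#   - the Apache Lounge zip has already been downloaded to $Zip
#   - the XAMPP config directory is apache\conf (the post calls it "config")
#   - if Apache runs as a service it is the one XAMPP installs, named Apache2.4
#   - Expand-Archive needs PowerShell 5+; on older hosts unzip by hand first
# Run from an elevated PowerShell prompt.
param(
    [string]$Xampp = 'C:\xampp',
    [string]$Zip   = "$env:USERPROFILE\Downloads\httpd-2.4.12-win32-VC11.zip"
)
$ErrorActionPreference = 'Stop'

$apache = Join-Path $Xampp 'apache'
$old    = Join-Path $Xampp 'apache.old'

# 1. Stop Apache, whether it runs as a service or was started from the control panel
$svc = Get-Service -Name 'Apache2.4' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Stop-Service -InputObject $svc
    $svc.WaitForStatus('Stopped')
}
Get-Process -Name httpd -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Keep the old tree as apache.old; refuse to clobber an earlier backup
if (Test-Path $old) { throw "$old already exists; move it aside before running this" }
Rename-Item -Path $apache -NewName 'apache.old'

# 3. Extract the zip and move its Apache24 directory into place as xampp\apache
$tmp = Join-Path $env:TEMP ('apachelounge-' + [guid]::NewGuid())
Expand-Archive -Path $Zip -DestinationPath $tmp
Move-Item -Path (Join-Path $tmp 'Apache24') -Destination $apache
Remove-Item -Path $tmp -Recurse -Force

# 4. Drop the build's default config and restore XAMPP's (httpd.conf, httpd-ssl.conf,
#    ssl.crt and ssl.key come along with it)
Remove-Item -Path (Join-Path $apache 'conf') -Recurse -Force
Copy-Item -Path (Join-Path $old 'conf') -Destination (Join-Path $apache 'conf') -Recurse

# 5. libssh2.dll is used by XAMPP's PHP build and is not part of the Apache Lounge zip
Copy-Item -Path (Join-Path $old 'bin\libssh2.dll') -Destination (Join-Path $apache 'bin')

# 6. Optional: carry over XAMPP's helper batch files (not needed to run Apache)
Get-ChildItem -Path (Join-Path $old '*.bat') | Copy-Item -Destination $apache

# 7. Verify before restarting: the config still parses, and the OpenSSL that came with
#    the new build is the version you expected (the binaries in bin\ ship together)
& (Join-Path $apache 'bin\httpd.exe') -d $apache -t
& (Join-Path $apache 'bin\openssl.exe') version

# 8. Restart the service; if Apache is started from the XAMPP control panel, use that
if ($svc) { Start-Service -InputObject $svc }
```

If `httpd.exe -t` reports a missing module, the XAMPP httpd.conf is loading something the replacement build does not ship; comment that LoadModule line out or copy the module from apache.old\modules only if it is built for the same Apache version and compiler.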

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby gsmith » 20. May 2015 23:28

Forget 1.0.2 for now, I'm not going to get into the "why".

But for OpenSSL 1.0.1m you can use Openssl-1.0.1m-update-2.4.12-x86-vc11.zip from
https://www.apachehaus.com/cgi-bin/down ... x#OSSLUP24

Follow the instructions carefully in the readme.1st.txt file, especially about backing up the files you will be replacing first!

You do not have to worry about the apr_crypto_openssl.dll file since it was not included in your Xampp.

This particular CVE you have pointed out is simply a DoS, rated Moderate, it'll crash Apache. There seems to be no remote code execution exploitable vector. There are probably bigger fish to fry in your ssl config (< 2048 bit key, disabling SSLv3, not using old CBC ciphers, etc.). 1.0.1m removed all Export ciphers, SSLv2 was disabled long ago in Apache 2.4 so that's a plus.

I can't believe they are nagging you on an internal only, non-internet facing development computer. Sounds like security theater.
gsmith
Posts: 278
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win 10/2012R VS 14,15,16
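gsmith's point that the certificate and the SSL directives are the bigger compliance problem can be checked from PowerShell. The script below is an added example, not code from the thread or from XAMPP: it reads the key size out of the server certificate (the scanner's "at least 2048 bits" finding), shows the protocol and cipher directives currently in httpd-ssl.conf, and optionally regenerates a self-signed 2048-bit RSA certificate with the openssl.exe XAMPP ships. Assumptions, labelled in the comments: XAMPP in C:\xampp, the stock XAMPP paths apache\conf\ssl.crt\server.crt, apache\conf\ssl.key\server.key, apache\conf\openssl.cnf and apache\conf\extra\httpd-ssl.conf, an RSA certificate, and Windows PowerShell on .NET Framework for the X509Certificate2 key-size property.

```powershell
# Added example (not from the forum thread): check the certificate key length and the
# SSL directives of an XAMPP Apache, and optionally regenerate a 2048-bit certificate.
# Assumptions, labelled:
#   - XAMPP in $Xampp (default C:\xampp)
#   - certificate, key, openssl.cnf and httpd-ssl.conf at the stock XAMPP paths below
#   - the certificate is RSA (PublicKey.Key.KeySize is the RSA modulus size)
#   - openssl.exe is the one in apache\bin
param(
    [string]$Xampp      = 'C:\xampp',
    [string]$ServerName = $env:COMPUTERNAME,
    [switch]$Regenerate
)
$ErrorActionPreference = 'Stop'
$apache  = Join-Path $Xampp 'apache'
$crt     = Join-Path $apache 'conf\ssl.crt\server.crt'
$key     = Join-Path $apache 'conf\ssl.key\server.key'
$cnf     = Join-Path $apache 'conf\openssl.cnf'
$sslConf = Join-Path $apache 'conf\extra\httpd-ssl.conf'

function Get-CertSummary([string]$Path) {
    # X509Certificate2 loads PEM or DER from a file path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    [pscustomobject]@{
        Subject  = $cert.Subject
        KeyBits  = $cert.PublicKey.Key.KeySize
        SigAlg   = $cert.SignatureAlgorithm.FriendlyName
        NotAfter = $cert.NotAfter
    }
}

# 1. The scanner finding: key length must be at least 2048 bits
$info = Get-CertSummary $crt
$info | Format-List
if ($info.KeyBits -lt 2048) {
    Write-Warning "$crt has a $($info.KeyBits)-bit key; a PCI scan will flag it"
}

# 2. The other items gsmith lists live in these directives; print what is in effect
Select-String -Path $sslConf -Pattern '^\s*(SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder)\b' |
    ForEach-Object { $_.Line.Trim() }

# 3. Optional: replace the certificate with a self-signed 2048-bit RSA / SHA-256 one.
#    Backups are taken first; Apache must be restarted afterwards to pick it up.
if ($Regenerate) {
    Copy-Item -Path $crt -Destination "$crt.bak"
    Copy-Item -Path $key -Destination "$key.bak"
    & (Join-Path $apache 'bin\openssl.exe') req -x509 -newkey rsa:2048 -sha256 -nodes `
        -days 365 -subj "/CN=$ServerName" -keyout $key -out $crt -config $cnf
    Get-CertSummary $crt | Format-List
}
```

Run it once without -Regenerate to see the current state. If the SSLProtocol line it prints still allows SSLv3, change it to `SSLProtocol all -SSLv2 -SSLv3` in httpd-ssl.conf; a self-signed certificate satisfies the key-length check but a scanner will still report it as untrusted, so for anything beyond an intranet test box have the CSR signed by your internal CA instead of using -x509.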

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby pylonx » 21. May 2015 22:51

Thank You, Both!

I have multiple servers so I will try both ways to update.
pylonx
Posts: 23
Joined: 19. October 2010 19:02
XAMPP version: 5.6.30
Operating System: Windows 7, 10, Srv2012
