
PCI Compliance-Help needed for Snow Leopard Server

Hello Everyone

I have been trying to sort this issue for the last three days and have exhausted all other avenues. I've searched through endless support forums and Googled myself senseless.

Quick bit of background. Our credit card merchant provider requires that our Web server undergo quarterly PCI compliance tests. In just one quarter since passing the last test, they conducted another one last week and our server failed on four major issues. Apache has to be updated to 2.2.16 or higher, PHP to 5.3.3, MySQL to 5.1.47 or higher and OpenSSL to version 1.0.0 or higher. FYI, my Snow Leopard server is fully up to date on 10.6.4 with all security updates applied.

I have managed to update everything to the required versions by compiling from source and I built Apache with SSL and used the OpenSSL 1.0.0a source libraries during the build for mod_ssl. However, the Apache identifying banner continues to read:

Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8l PHP/5.3.3

If I do an 'openssl version' on the server, I get 'OpenSSL 1.0.0a 1 Jun 2010'.

Also in the Apache log, I get this:

mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/1.0.0a

Does anyone have any idea how to get the Apache banner to reflect OpenSSL 1.0.0a?

Any light you might be able to shed on this subject would be greatly appreciated.

Thanks

William Buckingham

MacBook Pro 2.66 GHz, Intel Core i7, 4 GB RAM, Mac OS X (10.6.4)

Posted on Nov 8, 2010 6:07 AM
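
An added example, not part of the original post: a small Python check that pulls the product/version tokens out of the three strings quoted above (the Server banner, the mod_ssl log line, and the `openssl version` output) and reports where they disagree. The function names are hypothetical, and the inputs are the strings from the post.

```python
import re

# Strings quoted in the post above.
BANNER = "Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8l PHP/5.3.3"
LOG_LINE = ("mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, "
            "Library: OpenSSL/1.0.0a")
CLI_OUTPUT = "OpenSSL 1.0.0a 1 Jun 2010"

# A product token is name/version; comments such as "(Unix)" have no slash.
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/([^\s,()]+)")


def product_tokens(text):
    """Return {product: version} for every name/version token in text."""
    return {name: version for name, version in TOKEN.findall(text)}


def cli_version(text):
    """Return the version field from `openssl version` output, or None."""
    match = re.match(r"OpenSSL\s+(\S+)", text)
    return match.group(1) if match else None


def compare_sources(banner, log_line, cli_output):
    """Return (OpenSSL version seen per source, banner-vs-log conflicts)."""
    banner_tokens = product_tokens(banner)
    log_tokens = product_tokens(log_line)
    seen = {
        "banner": banner_tokens.get("OpenSSL"),
        "log (compiled against)": log_tokens.get("OpenSSL"),
        "openssl version": cli_version(cli_output),
    }
    # Products named in both the banner and the log line with different versions.
    conflicts = {
        product: (banner_tokens[product], log_tokens[product])
        for product in banner_tokens.keys() & log_tokens.keys()
        if banner_tokens[product] != log_tokens[product]
    }
    return seen, conflicts


if __name__ == "__main__":
    seen, conflicts = compare_sources(BANNER, LOG_LINE, CLI_OUTPUT)
    for source, version in seen.items():
        print(f"{source:24} OpenSSL {version}")
    for product, (in_banner, in_log) in conflicts.items():
        print(f"MISMATCH {product}: banner={in_banner} log={in_log}")
```
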


Aug 31, 2012 4:50 PM in response to William Buckingham

I'm in the exact same situation. I upgraded openssl to 1.0.1c, but Apache continues to report that it is using OpenSSL 0.9.8r.


I suspect this is because I have not built a new mod_ssl.so. I recently upgraded Apache to 2.2.22.


Poking around the web, I can't seem to find a mod_ssl for Apache 2.2 (modssl.org only has source for 1.3). Even on Apache's site, there's no mod_ssl that I can find.


I thought that mod_ssl was built into Apache 2.2, and that recompiling Apache would upgrade my ssl support. But that appears not to be the case. I still have a mod_ssl.so module in /usr/libexec/apache2/ and it's old enough to be using OpenSSL 0.9.8.


So where does one obtain and rebuild the mod_ssl module for Apache 2.2.22?
