Thursday, 24 July 2014

Compliance restored

Bad news.

I take credit cards via the internet, so I have to be compliant with the Payment Card Industry Data Security Standard. I'm not sure exactly what happens if I'm not - more than 80% of sites aren't, according to the last figures I saw. But I am. Or rather I was.

New vulnerabilities pop up all the time, and my Secure Server is tested once per month for all of a zillion vulnerabilities. I've been fine for the last couple of years, but my last scan turned up this. I'm not going to try to explain it, because I haven't tried to understand it myself. Except that it's a problem with OpenSSL, the thing that does the crypto stuff on a web server.

So to retain compliance, I have to update my web server.

I downloaded OpenSSL version 1.0.1h and compiled it. So far, so good. Then I had to weave that into Apache, the web server. So I downloaded the latest version, 2.4.10, and that's when it got hairy. It wasn't obvious to me how to tell the Apache build to use the new OpenSSL, and I spent eight hours before I finally worked out all the problems. I did all this on my test server, of course, so that I didn't need to mess with my production server until everything was tickety-boo.

Some of the problems were, of course, pure stupidity on my part. For example, when I configured Apache, I forgot to tell it to include the SSL files, and then I spent an hour trying to work out why it didn't respond to requests to the secure server. And it wasn't obvious what to put in the Apache config file; I tried about ten different things before I finally got it right.

Here's the one that worked:

./configure --prefix=/usr/local/apache2.4.10 --enable-ssl --with-ssl=/usr/local/ssl \
--enable-module=most --disable-rewrite --enable-alias --disable-status \
--disable-asis --disable-autoindex --disable-imap \
--disable-negotiation --disable-actions --disable-userdir \
--with-apr=/usr/local/apr --enable-ssl-staticlib-deps

So then I tested it with

curl --head http://localhost/

and it came back with

HTTP/1.1 302 Found
Date: Thu, 24 Jul 2014 21:23:00 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1h

which meant that it was using the new OpenSSL.
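The check above is a reasonable one: mod_ssl appends the OpenSSL version it is running with to the Server header, so "OpenSSL/1.0.1h" is the evidence that the rebuild took. Two caveats a practitioner would add. First, the request went to http://localhost/ and got a 302, so the TLS listener itself was never exercised; the same request against https://localhost/ (with -k if the certificate is not issued for localhost) confirms the secure side answers with the same header. Second, if the OpenSSL under /usr/local/ssl was built as static libraries (the OpenSSL default unless it is configured with "shared"), mod_ssl now has the library compiled in, and the next OpenSSL fix means repeating the Apache rebuild. Below is an added example, not from the original post, that turns the eyeball check into a script: it pulls the OpenSSL version out of a captured header block and compares it against a minimum, handling the pre-1.1.1 letter releases (1.0.1g < 1.0.1h < 1.0.2). The header block is constructed to match the curl output above, and the function names (openssl_version_from_headers, openssl_version_key, openssl_version_ge, check_server_openssl) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check the OpenSSL version that
# Apache/mod_ssl advertises in its Server header against a required minimum.

# Constructed sample, shaped like the post's "curl --head" output.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Date: Thu, 24 Jul 2014 21:23:00 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1h'

# Print the version after "OpenSSL/" in the Server header (e.g. "1.0.1h").
# Prints nothing if no Server header carries an OpenSSL component.
# CRs are stripped so raw curl output can be fed in unchanged.
openssl_version_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss]erver:.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Turn "MAJOR.MINOR.FIX[letter]" into a single integer so versions can be
# compared numerically: the letter is the patch level (a=1 ... z=26, none=0).
openssl_version_key() {
    v=$1
    num=${v%%[a-z]*}          # "1.0.1h" -> "1.0.1"
    letter=${v#"$num"}        # "1.0.1h" -> "h"
    if [ -n "$letter" ]; then
        patch=$(( $(printf '%d' "'$letter") - 96 ))
    else
        patch=0
    fi
    oldifs=$IFS
    IFS=.
    set -- $num               # split on dots: major minor fix
    IFS=$oldifs
    major=$1; minor=${2:-0}; fix=${3:-0}
    printf '%d\n' $(( major * 1000000 + minor * 10000 + fix * 100 + patch ))
}

# True (exit 0) if version $1 is at least version $2.
openssl_version_ge() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "$2")" ]
}

# $1 = block of response headers, $2 = minimum acceptable OpenSSL version.
# Exit 0 if the advertised version meets the minimum, 1 if it is older or absent.
check_server_openssl() {
    found=$(openssl_version_from_headers "$1")
    if [ -z "$found" ]; then
        echo "no OpenSSL version advertised in Server header" >&2
        return 1
    fi
    if openssl_version_ge "$found" "$2"; then
        echo "OpenSSL $found (minimum $2): OK"
        return 0
    fi
    echo "OpenSSL $found is older than required $2" >&2
    return 1
}

# Run against the constructed sample. Against a live server, feed in real
# headers instead, and hit the TLS side so the handshake is exercised too:
#   check_server_openssl "$(curl -sI https://localhost/)" 1.0.1h
check_server_openssl "$SAMPLE_HEADERS" 1.0.1h
```

The version key is deliberately coarse: it only needs to order releases of the same era (1.0.1g before 1.0.1h before 1.0.2), which is exactly the question a monthly scan asks. Note that a scanner may also flag a server whose header is hidden or rewritten, so this check complements the scan rather than replacing it.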

So then I told the people who do the monthly server test to do a retest, and they did, and I'm compliant again.

Until the next time ...


  1. In my last job I was responsible for achieving DSS compliance. I feel your pain. :)

  2. You have my retrospective sympathy. The worst part was when I discovered that after all the effort I made to get compliant, about 90% of card processors aren't.


    1. We were one of the "mostly compliant". My bosses viewed it as a project and couldn't understand why we never got there. Main reasons being: 1. moving of compliance goalposts; 2. IT kit and OS (etc.) changes. We were pretty good at regular scans though.

  4. That's like being "partly pregnant".

    "Mostly compliant" means "not compliant"!

    1. It was a very long gestation indeed :)