I take credit cards via the internet, so I have to be compliant with the Payment Card Industry Data Security Standard. I'm not sure exactly what happens if I'm not - more than 80% of sites aren't, according to the last figures I saw. But I am. Or rather I was.
New vulnerabilities pop up all the time, and my Secure Server is tested once per month for all of a zillion vulnerabilities. I've been fine for the last couple of years, but my last scan turned up this. I'm not going to try to explain it, because I haven't tried to understand it myself. Except that it's a problem with OpenSSL, the thing that does the crypto stuff on a web server.
So to retain compliance, I have to update my web server.
I downloaded OpenSSL version 1.0.1h, and compiled it. So far, so good. Then I had to weave that into Apache, the web server. So I downloaded the latest version, 2.4.10, and that's when it got hairy. It wasn't obvious to me how to tell the Apache build to use the new OpenSSL, and I spent eight hours before I finally worked out all the problems. I did all this on my test server, of course, so that I didn't need to mess with my production server until everything was tickety-boo.
Some of the problems were, of course, pure stupidity on my part. For example, when I configured Apache, I forgot to tell it to include the SSL files, and then I spent an hour trying to work out why it didn't respond to accesses to the secure server. And it wasn't obvious what to put in the Apache config file; I tried about ten different things before I finally got it right.
Here's the one that worked:
./configure --prefix=/usr/local/apache2.4.10 --enable-ssl --with-ssl=/usr/local/ssl \
    --enable-module=most --disable-rewrite --enable-alias --disable-status \
    --disable-asis --disable-autoindex --disable-imap \
    --disable-negotiation --disable-actions --disable-userdir
So then I tested it with
curl --head http://localhost/
and it came back with
HTTP/1.1 302 Found
Date: Thu, 24 Jul 2014 21:23:00 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1h
which meant that it was using the new OpenSSL.
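The Server header check above is easy to automate, so that after every rebuild (or on the production box after the switch-over) a script can confirm the advertised OpenSSL version matches what was just compiled in. The script below is an added example, not part of the original post; the three sample responses in it are constructed, and it assumes the server is configured with ServerTokens Full (Apache's default), since with a more restrictive ServerTokens setting the OpenSSL build string is omitted from the header and the check reports "unknown" rather than a match.

```shell
#!/bin/sh
# Added example: verify which OpenSSL an Apache build advertises in its
# Server header. Sample header blocks below are constructed for offline use.

# Print the OpenSSL version token (e.g. 1.0.1h) found in a block of HTTP
# response headers, or nothing if no Server header carries one.
openssl_version_from_headers() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server:.*OpenSSL\/\([0-9][0-9a-z.]*\).*$/\1/p' \
        | head -n 1
}

# Exit status: 0 = advertised version equals the expected one,
#              1 = a different version is advertised (old build still running),
#              2 = header does not reveal the version (ServerTokens not Full).
check_openssl_version() {
    expected="$1"
    headers="$2"
    found=$(openssl_version_from_headers "$headers")
    if [ -z "$found" ]; then
        echo "unknown: Server header does not include an OpenSSL version" >&2
        return 2
    elif [ "$found" = "$expected" ]; then
        echo "ok: server advertises OpenSSL/$found"
        return 0
    else
        echo "mismatch: expected OpenSSL/$expected, server advertises OpenSSL/$found" >&2
        return 1
    fi
}

# Constructed sample responses (not captured from a real host).
NEW_BUILD='HTTP/1.1 302 Found
Date: Thu, 24 Jul 2014 21:23:00 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1h'

OLD_BUILD='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) OpenSSL/1.0.1e'

HIDDEN_BUILD='HTTP/1.1 200 OK
Server: Apache'

# Live use against a real server would be:
#   check_openssl_version 1.0.1h "$(curl -sI https://localhost/)"
```

Because the Server header is self-reported, treat a match as a sanity check on the deployment rather than as proof: the definitive answer comes from the build itself (the OpenSSL the Apache binary was linked against), and from the external scan that the compliance retest performs.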
So then I told the people who do the monthly server test to do a retest, and they did, and I'm compliant again.
Until the next time ...