Post by Jairo Alves
Dear Hoff,
I understand you imply I should just upgrade CSWS to VSI's CSWS version, is that correct?
You're on a dead-end OpenVMS version from a vendor that's ending their
new-patch support in less than three months and exceedingly unlikely to
release an updated Apache, and you're running with an Apache
configuration and a TLS configuration both known to have security
issues, and the only path to newer software and to newer patches is by
acquiring VSI OpenVMS and VSI Apache port and related. 😫
VSI SSL111 is the current kit and the first with TLSv1.3 support and
based on the version of OpenSSL that's currently getting patches and
updates and mitigations from upstream. SSL1 and SSL are not, and lack
TLSv1.3. And the version of Apache 2.0 offered by HPE is equally dicey.
The VSI port is based on Apache 2.4, and offers TLSv1.3. This all on
VSI OpenVMS V8.4-2L1, or variously later.
Post by Jairo Alves
Post by Stephen Hoffman
If you want to wade through this, verify the Apache configuration file, ...
apachectl configtest
httpd configtest
alloc_listener: failed to get a socket for 0.0.0.0
Listen setup failed
Listen 80
Well, I guess the "failed to get a socket" is preventing Apache from
starting to listen. But from that, I'm not sure where to look into.
That can mean there's something still hanging onto that port. Try
altering that file and temporarily listening on TCP port 8080 as a
quick test, for instance.
If port 8080 works and port 80 does not, figure out what's holding TCP
port 80. Either parts of a previous Apache run left dangling, or some
other LP.
Or reboot the box. Yes, I know that's sacrilege around (some) OpenVMS
folks. But it's also a fast test, and (usually) a fast way to clear off
anything dangling on TCP Port 80. Barring an app that grabs TCP port 80.
Some versions of Apache were sensitive to file formats and required the
stream LF file organization. No, I don't recall off-hand which
versions, and I'm not running anything as old as that Apache and V8.4.
See if switching the file to Stream LF resolves that, if the
configuration file is not already Stream LF.
And as mentioned above, this whole configuration is far past its
sell-by date, whether your management wants to hear that or not.
Yeah, I'm not sure what to do with SMH, if you really need that. That's
unlikely to be provided by VSI. VSI WebUI, maybe? And again, there are
some wonderful SMH attacks available for versions as far back as
OpenVMS is running.
--
Pure Personal Opinion | HoffmanLabs LLC