[Info-vax] Compaq Secure Web Server (Apache) problem
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Oct 15 10:52:50 EDT 2020
On 2020-10-15 10:59:06 +0000, Jairo Alves said:
> Dear Hoff,
>
> I understand you imply I should just upgrade CSWS to VSI's CSWS
> version, is that correct?
You're on a dead-end OpenVMS version from a vendor that's ending their
new-patch support in less than three months and exceedingly unlikely to
release an updated Apache, and you're running with an Apache
configuration and a TLS configuration both known to have security
issues, and the only path to newer software and to newer patches is by
acquiring VSI OpenVMS and VSI Apache port and related. 😫
VSI SSL111 is the current kit and the first with TLSv1.3 support and
based on the version of OpenSSL that's currently getting patches and
updates and mitigations from upstream. SSL1 and SSL are not, and lack
TLSv1.3. And the version of Apache 2.0 offered by HPE is equally dicey.
The VSI port is based on Apache 2.4, and offers TLSv1.3. This all on
VSI OpenVMS V8.4-2L1, or variously later.
>> If you want to wade through this, verify the Apache configuration file, ...
>>
>> apachectl configtest
>
> This is the output I get from configtest:
>
> httpd configtest
> [Thu Oct 15 07:52:56 2020] [crit] (57)socket is not connected :
> alloc_listener: failed to get a socket for 0.0.0.0
> Syntax error on line 14 of /apache$root/000000/conf/httpd.conf:
> Listen setup failed
>
> So I looked it up, line 14:
>
> Listen 80
>
> Well, I guess the "failed to get a socket" is preventing Apache from
> starting to listen. But from that, I'm not sure where to look into.
That can mean there's something still hanging onto that port. Try
altering that file and temporarily listening on TCP port 8080 as a
quick test, for instance.
If port 8080 works and port 80 does not, figure out what's holding TCP
port 80. Either parts of a previous Apache run left dangling, or some
other LP.
Or reboot the box. Yes, I know that's sacrilege around (some) OpenVMS
folks. But it's also a fast test, and (usually) a fast way to clear off
anything dangling on TCP Port 80. Barring an app that grabs TCP port 80.
Some versions of Apache were sensitive to file formats and required the
stream LF file organization. No, I don't recall off-hand which
versions, and I'm not running anything as old as that Apache and V8.4.
See if switching the file to Stream LF resolves that, if the
configuration file is not already Stream LF.
And as mentioned above, this whole configuration is far past its
sell-by date, whether your management wants to hear that or not.
Yeah, I'm not sure what to do with SMH, if you really need that. That's
unlikely to be provided by VSI. VSI WebUI, maybe? And again, there are
some wonderful SMH attacks available for versions as far back as
OpenVMS is running.
--
Pure Personal Opinion | HoffmanLabs LLC
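The quick test suggested above (point Listen at another port and see whether the bind goes through) can be scripted. The following is an added example, my own and not code from the thread or from CSWS: it parses the Listen directives out of an httpd.conf fragment and tries to bind each one the way Apache's alloc_listener would, reporting whether the port is free, still held by some other process, or refused for lack of privilege. It assumes a Python 3 interpreter; the configuration fragment is constructed, not the poster's file, and a bare "Listen 80" is probed on 0.0.0.0, the address named in the quoted error.

```python
import errno
import socket
# Constructed httpd.conf fragment (not the poster's file); %d is filled in by demo().
SAMPLE_CONF = "ServerRoot \"/apache$root/000000\"\nListen 80\nListen 127.0.0.1:%d\n"

def parse_listen(line):
    """(host, port) for an Apache 'Listen [addr:]port [proto]' line, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "listen":
        return None
    spec = parts[1]
    if spec.startswith("["):        # IPv6 literal: Listen [::1]:8081
        host, _, port = spec[1:].partition("]:")
    elif ":" in spec:               # IPv4 address or hostname: Listen 127.0.0.1:8080
        host, _, port = spec.rpartition(":")
    else:                           # bare port (Listen 80) means every address
        host, port = "0.0.0.0", spec
    return host, int(port)

def probe_port(host, port):
    """Bind once, as alloc_listener would: 'free', 'in use', 'no permission' or errno name."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((host, port))
    except OSError as e:            # also catches 'no IPv6 stack' at socket creation
        if e.errno == errno.EADDRINUSE:     # something still holds the port
            return "in use"
        if e.errno == errno.EACCES:         # privileged port, unprivileged process
            return "no permission"
        return errno.errorcode.get(e.errno, str(e))
    return "free"

def check_listen_directives(conf_text):
    """Map every Listen directive in conf_text ('host:port') to its probe result."""
    results = {}
    for line in conf_text.splitlines():
        parsed = parse_listen(line)
        if parsed:
            results["%s:%d" % parsed] = probe_port(*parsed)
    return results

def demo():
    """Hold one ephemeral port (a stand-in for a leftover Apache process), then probe."""
    held = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    held.bind(("127.0.0.1", 0))
    held.listen(1)
    try:
        return check_listen_directives(SAMPLE_CONF % held.getsockname()[1])
    finally:
        held.close()
```

Run it under the same account Apache starts from: a "no permission" on port 80 from an unprivileged shell says nothing about the daemon's own bind.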