DevHeads.net

Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

Our production apache http 2.4.37 server running with openssl 1.1.1a have been getting hit with qualys scans like clockwork and every time our CPU goes to 100% and after more scans to 200% CPU. After reading the bug reports I upgraded to 2.4.38 which made no difference. I then upgraded to the latest stable version httpd 2.4.41 and ran with the latest stable openssl v1.1.1c and get the same issue.

I also tried configuring TLS from tlsv 1.2 and tlsv1.3 to only tlsv1.2 and still have 100% cpu after 1 qualy community scan
I also tried to deny service with SSLRequire on the IPs 64.39.103, 64.39.99, 64.39.111 and also RequireAll and trying combinations but nothing stops the 100% CPU so far.

The qualys scan is repeatable and I'm using standard configurations and builds on RedHat Linux, although an older Red Hat Enterprise Linux Server release 5.11 (Tikanga).
apr-1.6.5
expat-2.2.6
apr-util-1.6.1
pcre-8.42
openssl_1.1.1a, httpd 2.4.37, 2.4.38
openssl_1.1.1c, httpd 2.4.41

./configure --prefix=/vendor/apache/2.4.41 --with-pcre=/vendor/apache/pcre-8.42 --with-ssl=/vendor/apache/openssl_1.1.1c --with-z=/vendor/apache/zlib-1.2.11 --enable-ssl --enable-shared --enable-deflate --enable-mime --enable-dbd --enable-socache-shmcb --with-apr= /vendor/apache/apr-1.6.5 --with-apr-util=/vendor/apache/apr-util-1.6.1

Tried but failed, trying combinations:
<Directory / >
Options FollowSymLinks
AllowOverride None
<RequireAll>
Require all denied
Require not ip 64.39.111
Require not ip 64.39.103
Require not ip 64.39.99
</RequireAll>
</Directory>

Thanks & Regards,
Bob

Bob Hathaway
Advanced Architect
Mphasis | Memphis
robert. ... at mphasis dot com<mailto:robert. ... at mphasis dot com>
www.mphasis.com<http://www.mphasis.com/>
Mobile: 201-390-7602
Office: 901-263-5805
[Updated Logo]

Information transmitted by this e-mail is proprietary to Mphasis, its associated companies and/ or its customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at <a href="mailto: ... at mphasis dot com"> ... at mphasis dot com</a> and delete this mail from your records.