Guys,
While I appreciate the vibrant discussion, I was not asking for the pros and cons of hiding the header information, whether or not one feels it promotes security, and whether one believes meddling with this makes one a geek or not. In many people's desire to announce their opinion on the matter, the question was ignored. Your thoughts are much appreciated, but I need a technical answer.
My question is (rephrased): if possible, how can I hide the headers in OpenSSL from being broadcast to software running rudimentary security scans (e.g., Nessus)?
Is there a line I can add to a conf file?
Is preventing the broadcast of software, version, and OS through Apache all I need to do to prevent people from seeing that information?
Last (though new) question: I thought that OpenSSL does not pass header information back and forth to the client when establishing a secure connection, but that, in fact, only certificate authentication is performed? In other words, the client (however legitimate) doesn't need to know the header information of my OpenSSL; if the certificate is authenticated, the connection is made.
Thanks in advance,
Scott