Lutz ... thank you. That is exactly the answer I was looking for, to all my questions.
Thank you openssl list, and to all those who provided helpful feedback.
Sincerely,
Scott
On 8/22/06, Bernhard Froehlich <[EMAIL PROTECTED]> wrote:
Scott Campbell wrote:
> [...]
> My question is (rephrased), if possible, how can I hide the
> headers in OpenSSL from being broadcast to software running
> rudimentary security scans (e.g., Nessus)?
> Is there a line I can add to a conf file?
> Is preventing the broadcast of software, version, and OS through
> Apache all I need to do to prevent people from seeing that information?
>
> Last (though new) question: I thought that OpenSSL does not pass
> header information back and forth to the client when establishing a
> secure connection, but in fact, only certificate authenticating is
> performed? In other words, the client (however legitimate) doesn't
> need to know the header information of my OpenSSL; if the certificate
> is authenticated, the connection is made.
>
> Thanks in advance,
> Scott
Looks like you missed Lutz' mail, since he (IMHO) answers your questions:
> This discussion is useless:
> * OpenSSL does not disclose its version to attackers coming from the
> network as the SSL/TLS protocol does not give any version information
> of the software used (it does give protocol compatibility information
> needed for interoperability wrt SSLv2, SSLv3 etc)
> * It is the application using OpenSSL (in this case Apache) disclosing
> the information.
> -> Please complain to the Apache people.
> * Both projects OpenSSL and Apache are Open Source projects. If you find
> anything about it annoying please feel free to make any modification
> you want.
>
I might add the following: There is a configuration option of Apache
which allows you to customize the reported version string in the HTTP
headers, but I just don't remember its name.
If that is not flexible enough (and if I remember it correctly), the
responsible part of the Apache source code is not hard to find either. ;)
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
--
Scott Campbell
[EMAIL PROTECTED]
"Listen to the mustn'ts, child..."
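The Apache directive Bernhard could not recall is ServerTokens (with ServerSignature controlling the footer on error pages). The following is an added example, not code from this thread, from OpenSSL or from the Apache project: it models the Server header Apache emits at each ServerTokens level, and parses a Server header the way a banner-grabbing scanner does, so you can see which level stops the "OpenSSL/x.y.z" component from reaching the network. The version numbers, OS token and module list are constructed sample values, and the response headers at the bottom are constructed as well.

```python
"""Added example (not from the openssl-users thread or the Apache project):
model which facts each Apache 'ServerTokens' level puts in the Server
header, and read a Server header the way a banner-grabbing scanner would.
"""
import re

# Apache's ServerTokens levels, most to least restrictive (documented behaviour).
LEVELS = ("Prod", "Major", "Minor", "Min", "OS", "Full")


def apache_server_header(level, version="2.2.3", os_name="Unix",
                         modules=("mod_ssl/2.2.3", "OpenSSL/0.9.8b")):
    """Return the Server header Apache sends at the given ServerTokens level.

    mod_ssl registers 'mod_ssl/<ver> OpenSSL/<ver>' as a version component,
    and registered components are only emitted at level Full, so Full is the
    only level at which the OpenSSL version reaches the network.  The default
    version, OS and module strings here are constructed sample values.
    """
    parts = version.split(".")
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else "0"
    if level == "Prod":
        return "Apache"
    if level == "Major":
        return f"Apache/{major}"
    if level == "Minor":
        return f"Apache/{major}.{minor}"
    if level == "Min":
        return f"Apache/{version}"
    if level == "OS":
        return f"Apache/{version} ({os_name})"
    if level == "Full":
        return " ".join([f"Apache/{version} ({os_name})", *modules])
    raise ValueError(f"unknown ServerTokens level: {level}")


# 'name/version' tokens (version must start with a digit) and a parenthesised OS.
_PRODUCT = re.compile(r"([A-Za-z0-9_\-]+)/([0-9][0-9A-Za-z.\-]*)")
_OS = re.compile(r"\(([^)]+)\)")


def disclosed(server_header):
    """Extract what a scanner can learn from a single Server header value.

    Returns the leading product name, its version (None if absent), the OS
    token in parentheses (None if absent) and a dict of every other
    'name/version' component, e.g. {'OpenSSL': '0.9.8b'}.
    """
    products = _PRODUCT.findall(server_header)
    os_match = _OS.search(server_header)
    first = server_header.split(" ", 1)[0]
    name, _, version = first.partition("/")
    components = {n: v for n, v in products if n != name}
    return {
        "product": name,
        "version": version or None,
        "os": os_match.group(1) if os_match else None,
        "components": components,
    }


def leaks_version(headers):
    """Given response headers as a dict, name the ones that disclose a version.

    Checks the headers scanners usually read for fingerprints: Server,
    X-Powered-By and Via.  Returns the sorted list of offending header names.
    """
    return sorted(
        h for h, v in headers.items()
        if h.lower() in ("server", "x-powered-by", "via") and _PRODUCT.search(v)
    )


if __name__ == "__main__":
    for level in LEVELS:
        hdr = apache_server_header(level)
        print(f"ServerTokens {level:<5} -> Server: {hdr}")
        print("    discloses:", disclosed(hdr))
    # Constructed response from a default (ServerTokens Full) mod_ssl install.
    sample = {
        "Server": apache_server_header("Full"),
        "X-Powered-By": "PHP/4.4.4",
        "Content-Type": "text/html",
    }
    print("headers leaking a version:", leaks_version(sample))
```

To apply it, put `ServerTokens Prod` and `ServerSignature Off` in httpd.conf and restart; ServerTokens is a server-wide setting, so it cannot be varied per virtual host. Two caveats worth knowing: Prod still says "Apache", since the directive only trims the banner rather than replacing it, so an arbitrary string needs a third-party module or the source change Bernhard mentions; and other headers (X-Powered-By from PHP, for example) are not covered by ServerTokens at all. Verify from outside with `curl -sI https://host/`, or with `openssl s_client -connect host:443` followed by `HEAD / HTTP/1.0` and a blank line, and compare the Server header with what the scanner reported.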