Hopefully Dan Roscigno's account is correct, and RSA will be satisfied as long as one has a license for a commercial product such as Red Hat's (which comes with that $25 Thawte discount too - so the price is quite reasonable).

Meanwhile, folks may wish to note the Apache "ServerTokens" directive, which when set to "min" or "os" (in httpd.conf) will cause Apache to not send information on the installed modules with every HTTP request, instead just announcing itself as "Apache 1.3.3" or "Apache 1.3.3 (Unix)," respectively. With all respect to the good name of module authors, and their generous contributions, giving away details on your installation beyond the minimum is bad security practice anyway.

Are there other steps that one - having a valid RSA license but wanting to avoid inviting trouble about it - should take to be sure one's signature is not giving off notice of the exact configuration being run? Should, for instance, certain protocols not be enabled in an application to avoid the remote deduction of the precise configuration being run?

\/\/ I-I I T Blauvelt
[EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List          [EMAIL PROTECTED]
Automated List Manager                 [EMAIL PROTECTED]
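
Added example, not part of the original message: a small check an administrator can run over the `Server` header values captured from their own hosts, to confirm that the ServerTokens setting described above has taken effect and no module tokens are still being announced. The function names, the level labels and the sample header values (including the module version numbers) are constructed for illustration.

```python
import re

# A Server header is a run of product tokens ("name/version") and
# parenthesised comments, e.g. "Apache/1.3.3 (Unix) mod_x/1.0".
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s()/]+)(?:/([^\s()]+))?")


def parse_server_header(value):
    """Return (products, comments) found in a Server header value."""
    products, comments = [], []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1).strip())   # "(Unix)" -> "Unix"
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments


def audit_server_header(value):
    """Classify what a Server header discloses.

    "min"  = server product only, "os" = product plus OS comment,
    "full" = further product tokens (installed modules) are listed.
    """
    products, comments = parse_server_header(value)
    if not products:
        return {"level": "none", "server": None, "os": comments, "extras": []}
    name, version = products[0]
    extras = [f"{n}/{v}" if v else n for n, v in products[1:]]
    level = "full" if extras else ("os" if comments else "min")
    return {
        "level": level,
        "server": f"{name}/{version}" if version else name,
        "os": comments,
        "extras": extras,   # every entry here is a disclosed module
    }


# Constructed sample headers; the module versions are made up.
SAMPLES = [
    "Apache/1.3.3",
    "Apache/1.3.3 (Unix)",
    "Apache/1.3.3 (Unix) mod_ssl/0.0.0 SSLeay/0.0.0",
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = audit_server_header(header)
        print(f"{result['level']:<5} {header!r} extras={result['extras']}")
```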
