On Fri, Nov 20, 1998, Whit Blauvelt wrote:
> Hopefully Dan Roscigno's account is correct, and RSA will be satisfied as
> long as one has a license for a commercial product such as Red Hat's
> (which comes with that $25 Thawte discount too - so the price is quite
> reasonable).
>
> Meanwhile, folks may wish to note the Apache "ServerTokens" directive,
> which when set to "min" or "os" (in httpd.conf) will cause Apache to not
> send information on the installed modules with every HTTP request, instead
> just announcing itself as "Apache 1.3.3" or "Apache 1.3.3 (Unix),"
> respectively. With all respect to the good name of module authors, and
> their generous contributions, giving away details on your installation
> beyond the minimum is bad security practice anyway.
>
> Are there other steps that one - having a valid RSA license but wanting
> to avoid inviting trouble about it - should take to be sure one's
> signature is not giving off notice of the exact configuration being run?
> Should, for instance, certain protocols not be enabled in an application
> to avoid the remote deduction of the precise configuration being run?
Perhaps you also want to disable mod_info...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
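As an added example (not part of the thread above, nor mod_ssl project code), a small Python check an administrator can run over a captured response from their own server to see which ServerTokens level the Server header is revealing. The sample responses are constructed here, not captured from any real host, and the module names and versions in the "full" sample are placeholders.

```python
import re
from typing import Optional

# Constructed sample responses illustrating the three ServerTokens levels
# discussed on the list (Min / OS / Full). Apache writes product/version
# with a slash on the wire, e.g. "Apache/1.3.3". Module versions are made up.
SAMPLE_RESPONSES = {
    "min": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.3\r\n"
           "Content-Type: text/html\r\n\r\n",
    "os": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.3 (Unix)\r\n"
          "Content-Type: text/html\r\n\r\n",
    "full": "HTTP/1.1 200 OK\r\n"
            "Server: Apache/1.3.3 (Unix) mod_ssl/2.1.0 OpenSSL/0.9.1c mod_perl/1.16\r\n"
            "Content-Type: text/html\r\n\r\n",
}


def server_header(raw_response: str) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_server_tokens(value: str) -> dict:
    """Map a Server header value to the ServerTokens level it corresponds to.

    Min  -> product/version only            ("Apache/1.3.3")
    OS   -> plus the operating system       ("Apache/1.3.3 (Unix)")
    Full -> plus per-module tokens          ("Apache/1.3.3 (Unix) mod_ssl/...")
    """
    m = re.match(r"^(Apache(?:/[\w.]+)?)(?:\s*\(([^)]*)\))?(.*)$", value)
    if not m:
        return {"level": "unknown", "os": None, "modules": []}
    _product, os_part, rest = m.groups()
    modules = rest.split()
    if modules:
        level = "Full"
    elif os_part:
        level = "OS"
    else:
        level = "Min"
    return {"level": level, "os": os_part, "modules": modules}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, "->", classify_server_tokens(server_header(raw)))
```

Anything classified as "Full" means every module (and its version) is being announced on each response, which is exactly the disclosure ServerTokens Min or OS avoids.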