I would probably consider the publishing of the openssl version on the web 
server announcement message as a security issue.

Randy

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Marek Marcola
Sent: Thu 8/10/2006 2:45 PM
To: openssl-users@openssl.org
Subject: Re: CHecking the version of OpenSSL
 
Hello,
> Does anyone know how to externally check what version of OpenSSL is
> running a server?  I mean without connecting to the server via the
> shell but perhaps by a browser and checking the headers?
If we are talking about HTTP servers then sometimes this
information MAY be available in the Server: tag.
For example:

$ telnet www.itrc.hp.com 80
Trying...
Connected to itrc.hp.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 500 Internal Server Error
Date: Thu, 10 Aug 2006 21:41:02 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e   <-- HERE
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.

But ... this may not be available, or may not be true if the remote server
administrator set the value of this tag manually to some
arbitrary string.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
