Dear All,
The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similiar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?
The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities. For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running. Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.
In Apache, you can modify the information sent to almost anything. We disable such broadcasting, and I was hoping you can do the same with OpenSSL.
Thank you in advance,
Scott
- Hiding headers for OpenSSL Scott Campbell
- Re: Hiding headers for OpenSSL Michael Sierchio
- RE: Hiding headers for OpenSSL David Schwartz
- RE: Hiding headers for OpenSSL David Schwartz
- RE: Hiding headers for OpenSSL Marek Marcola
- Re: Hiding headers for OpenSSL Thomas J. Hruska
- Re: Hiding headers for OpenSSL Thomas J. Hruska
- RE: Hiding headers for OpenSSL David Schwartz
- RE: Hiding headers for OpenSSL Steve . Pauly
- Re: Hiding headers for OpenSSL Thomas J. Hruska
- Re: Hiding headers for Open... William A. Rowe, Jr.
