Scott Campbell wrote:

The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities. For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running. Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.

It sounds as if you're approaching this in a bass-ackwards way.

First - fix the false positives in your vulnerability reporting.

Second - the bid for security through obscurity in not reporting
the version number seems misguided to me.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
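As an added illustration (not part of the thread, and not OpenSSL project code), the script below shows the false-positive mechanism the reply is pointing at: a banner-only scanner compares the advertised OpenSSL version against the upstream release that fixed an issue, while a vendor that backports fixes ships a package whose banner never changes. The Server header, the "fixed in 0.9.7d" threshold and the backport table entry are all constructed assumptions for the example, not real advisories or errata.

```python
import re

# Constructed sample Server header in the shape a RHEL-era Apache sends
# (an assumption for illustration, not a real capture).
SAMPLE_SERVER_HEADER = "Apache/2.0.52 (Red Hat) mod_ssl/2.0.52 OpenSSL/0.9.7a DAV/2"

# Hypothetical backport table: distro package NVR -> upstream releases whose
# fixes the vendor backported into that package. The entry is an assumption
# for the example, not a real erratum.
BACKPORTS = {
    "openssl-0.9.7a-43.17": {"0.9.7d"},
}

_OPENSSL_TOKEN = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '0.9.7a' into (0, 9, 7, 'a'). Tuples compare in release order
    because the letter suffix sorts after the empty string ('0.9.7' < '0.9.7a')."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def openssl_version_from_banner(server_header):
    """Extract the OpenSSL version advertised in a Server header, or None."""
    m = _OPENSSL_TOKEN.search(server_header)
    if not m:
        return None
    return parse_version(m.group(0)[len("OpenSSL/"):])


def naive_banner_check(server_header, fixed_in):
    """What a banner-only scanner does: flag anything older than the upstream
    release that carried the fix. Hiding the banner just removes the signal."""
    advertised = openssl_version_from_banner(server_header)
    if advertised is None:
        return "no-openssl-token"
    if advertised < parse_version(fixed_in):
        return "flagged-by-banner"
    return "banner-at-or-after-fix"


def backport_aware_check(server_header, fixed_in, package_nvr=None):
    """Same question, but when the banner trails the upstream fix, consult the
    installed package: a backported fix turns the banner-only hit into a known
    false positive instead of a finding."""
    verdict = naive_banner_check(server_header, fixed_in)
    if verdict != "flagged-by-banner":
        return verdict
    if package_nvr is not None and fixed_in in BACKPORTS.get(package_nvr, set()):
        return "fixed-by-backport"
    return verdict


if __name__ == "__main__":
    for nvr in (None, "openssl-0.9.7a-43.17"):
        print(nvr, backport_aware_check(SAMPLE_SERVER_HEADER, "0.9.7d", nvr))
```

The point of the second function is where the correction lives: the scanner's rule stays as it is, but it is fed the package inventory (or the distro's errata mapping) as a second input, so the report no longer depends on a banner that a backporting vendor never bumps. Stripping the banner, by contrast, only moves the scanner from "flagged" to "no token", which tells you nothing about whether the fix is present.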