Scott Campbell wrote:
[...]
My question is (rephrased), if possible, how can I hide the headers in OpenSSL from being broadcast to software running rudimentary security scans (e.g., Nessus)? Is there a line I can add to a conf file? Is preventing the broadcast of software, version, and OS through Apache all I need to do to prevent people from seeing that information?

Last (though new) question: I thought that OpenSSL does not pass header information back and forth to the client when establishing a secure connection, but in fact only certificate authentication is performed? In other words, the client (however legitimate) doesn't need to know the header information of my OpenSSL; if the certificate is authenticated, the connection is made.

Thanks in advance,
Scott
Looks like you missed Lutz' mail, since he (IMHO) answers your questions:
I might add the following: There is a configuration option of Apache which allows you to customize the reported version string in the HTTP headers, but I just don't remember its name. If that is not flexible enough (and I remember it correctly), the responsible part of the Apache source code is not hard to find either. ;)

This discussion is useless:
* OpenSSL does not disclose its version to attackers coming from the network, as the SSL/TLS protocol does not give any version information of the software used (it does give protocol compatibility information needed for interoperability wrt SSLv2, SSLv3 etc).
* It is the application using OpenSSL (in this case Apache) disclosing the information. -> Please complain to the Apache people.
* Both projects, OpenSSL and Apache, are Open Source projects. If you find anything about it annoying, please feel free to make any modification you want.
Ted ;)
--
PGP Public Key Information
Download complete key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
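As an added illustration (not part of this thread), the Apache directives Ted could not recall are ServerTokens and ServerSignature (named here from the Apache httpd documentation, not from the posts); the verbose default is shown beside the reduced setting:

```apache
# Added example, not from the thread. Verbose default: the Server header
# reports product, version, OS and loaded modules, e.g.
#   Server: Apache/1.3.x (Unix) mod_ssl/x.y OpenSSL/0.9.x
# and error pages carry a matching footer line. A scanner such as Nessus
# reads this from the HTTP response, not from the TLS handshake.
#ServerTokens Full
#ServerSignature On

# Reduced disclosure: only "Server: Apache" is sent and error pages carry
# no version footer. Both directives are server-wide (main config, not
# per-virtual-host). This removes the banner only; it does not change
# which Apache, mod_ssl or OpenSSL code is actually running, so patching
# remains the real fix.
ServerTokens Prod
ServerSignature Off
```

Other ServerTokens levels (Major, Minor, Min, OS) give intermediate detail; Prod is the minimum Apache allows without modifying the source, which is the "not hard to find" route Ted mentions.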