On Fri May 13 2011, Argyris wrote:
> Thanks Mike but still I have a couple of questions. 
> 
> How can I check the way OpenSSH is built? By checking its folder and its 
> files in there?
> 

I don't use MS-Windows enough to know what tools are available for checking.
If truly concerned about security, build it yourself, then you know how
it was built.  ;-)

> If openssl is used truly by other apps, then is it possible to be able to 
> check somehow its version? Because in windows box you cannot execute openssl 
> commands unless you have its .exe file, right?
> 

Other applications will be using the OpenSSL libraries, not the application
openssl.exe.

Those other applications may have linked statically to the OpenSSL libraries.
In which case there will not be separate file(s) to be checked.

It is even possible that the application linked statically against the OpenSSL 
libraries and the application vendor forgot to mention it in
the documentation (as required by the license terms).

Since you're seeing *.dll files, something linked to OpenSSL with dynamic
linking.
I would expect those relationships to be recorded in the registry
but I am not a 'Windows Person' enough to know for sure.
Which leads back to answer #1 above.

> Finally, a possible upgrade of openssl version in such cases as my scanner 
> suggests would not be possible I guess without upgrading the app which uses 
> it, right?
> 

There have been recent posts on this mailing list about version
compatibility - 
check the ML archives.

But in the case of what is probably a closed source application -
ask the vendor.

Hey, you paid for it, they should at least be able to tell a paying
customer if it needs to be changed.

Mike
> Thank you again in advance. 
> 
> Argyris
> 
> Begin forwarded message:
> 
> > From: "Michael S. Zick" <open...@morethan.org>
> > Date: 12 May 2011 14:22:58 GMT+01:00
> > To: openssl-users@openssl.org
> > Subject: Re: vulnerability management
> > Reply-To: openssl-users@openssl.org
> > 
> 
> > On Thu May 12 2011, Argyris Ps wrote:
> >> 
> >> Hi all,
> >> 
> >> 
> >> I have run a vulnerability scanning against some systems and some 
> >> vulnerabilities have come up related with OpenSSL. However, some of them 
> >> have not 443 port open or have nothing but a single file named as openSSL 
> >> inside some other's application folder. I asked about the operation of 
> >> that application and whether it uses openSSL somehow. It does not. Not to 
> >> mention that OpenSSL does not appear among the tasks or services running.
> >> 
> >> 
> >> Sometimes, I find OpenSSH being used but not OpenSSL. Does that use any 
> >> OpenSSL libraries?
> >> 
> > 
> > OpenSSH can be built against the OpenSSL (or other) libraries.
> > So it is possible that is why you're seeing OpenSSL use, check your build
> > of OpenSSH to see how it was created.
> > 
> > Although many applications build against the OpenSSL libraries, so the
> > OpenSSH that you see may not be the only reason you see the OpenSSL usage.
> > 
> > Mike
> >> 
> >> I am trying to understand how my vulnerability scanner detects OpenSSL in 
> >> cases like the ones I described above...
> >> 
> >> 
> >> Is there any way to check whether OpenSSL is being used by a system (eg. 
> >> Windows server)?
> >> 
> >> 
> >> 
> >> 
> >> I would appreciate anyone's help with this as I am not experienced with 
> >> OpenSSL.
> >> 
> >> 
> >> 
> >> 
> >> Thank you.                         
> > 
> > 
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
> > 
> 
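
Added example, not part of the original thread: one way to inventory OpenSSL copies on a host, including the statically linked case discussed above where there is no separate DLL to inspect. It relies on the version text that OpenSSL builds embed (for example "OpenSSL 0.9.8r 8 Feb 2011"); the function names and the sample bytes are constructed for illustration.

```python
import os
import re
import sys

# OpenSSL embeds its version text in the library and in any binary that
# links it statically, e.g. "OpenSSL 0.9.8r 8 Feb 2011".
BANNER = re.compile(
    rb"OpenSSL \d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Constructed sample: bytes standing in for an executable with OpenSSL linked in.
SAMPLE = b"MZ\x90\x00\x03padding\x00OpenSSL 0.9.8r 8 Feb 2011\x00more\xff\xfe"


def find_openssl_banners(data: bytes) -> list:
    """Return the distinct OpenSSL version banners found in a byte string."""
    return sorted({m.group(0).decode("ascii") for m in BANNER.finditer(data)})


def scan_tree(root: str, max_bytes: int = 256 * 1024 * 1024) -> dict:
    """Map each file under root that contains a banner to the banners found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large files to bound memory use
                with open(path, "rb") as fh:
                    banners = find_openssl_banners(fh.read())
            except OSError:
                continue  # locked or unreadable file
            if banners:
                results[path] = banners
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, banners in sorted(scan_tree(sys.argv[1]).items()):
            print(path, "->", ", ".join(banners))
    else:
        print(find_openssl_banners(SAMPLE))
```

A hit shows which application folder carries which OpenSSL version, which is the information to take to the vendor. A packed or compressed executable can hide the string, so no hit does not prove OpenSSL is absent.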

