Re: Hiding headers for OpenSSL

2006-08-22 Thread Scott Campbell
You are correct; I did miss Lutz's email. Lutz ... thank you. That is exactly the answer I was looking for, to all my questions. Thank you openssl list, and to all those who provided helpful feedback.

Sincerely,
Scott

On 8/22/06, Bernhard Froehlich <[EMAIL PROTECTED]> wrote:
Scott Campbell wrote:
> [...]
> My question is (rephrased), if possible, how can I hide the
> headers in OpenSSL from being broadcast to software running
> rudimentary security scans (e.g., Nessus)?
> Is there a line I can add to a conf file?
> Is preventing the broadcast of software, version, and OS through
> Apache all I need to do to prevent people from seeing that information?
>
> Last (though new) question: I thought that OpenSSL does not pass
> header information back and forth to the client when establishing a
> secure connection, but in fact, only certificate authenticating is
> performed? In other words, the client (however legitimate) doesn't
> need to know the header information of my OpenSSL; if the certificate
> is authenticated, the connection is made.
>
> Thanks in advance,
> Scott

Looks like you missed Lutz' mail, since he (IMHO) answers your questions:
> This discussion is useless:
> * OpenSSL does not disclose its version to attackers coming from the
>   network as the SSL/TLS protocol does not give any version information
>   of the software used (it does give protocol compatibility information
>   needed for interoperability wrt SSLv2, SSLv3 etc)
> * It is the application using OpenSSL (in this case Apache) disclosing
>   the information.
>   -> Please complain to the Apache people.
> * Both projects OpenSSL and Apache are Open Source projects. If you find
>   anything about it annoying please feel free to make any modification
>   you want.

I might add the following: There is a configuration option of Apache
which allows you to customize the reported version string in the HTTP
headers, but I just don't remember its name.
If that is not flexible enough (and I remember it correctly) the
responsible part of the Apache source code is not hard to find either. ;)

Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

--
Scott Campbell
[EMAIL PROTECTED]
"Listen to the mustn'ts, child..."
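An added check, not code from this thread or from the OpenSSL or Apache projects, for the point Lutz and Bernhard make above: a scanner learns version strings from Apache's HTTP Server header, not from the TLS handshake, and the Apache directive Bernhard could not recall is ServerTokens (ServerTokens Prod reduces the header to "Apache"; ServerSignature Off does the same for generated error pages). The two responses below are constructed, not captured from any host; the function reports what a given Server header would let a version-matching scanner infer.

```python
import re

# Constructed sample responses (not captured from any real host). The first
# resembles what Apache with mod_ssl sends under ServerTokens Full; the second
# is the same server after setting ServerTokens Prod in httpd.conf.
FULL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Aug 2006 12:00:00 GMT\r\n"
    "Server: Apache/2.0.52 (Red Hat) mod_ssl/2.0.52 OpenSSL/0.9.7a\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
PROD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# RFC 2616 product tokens: name "/" version, optionally followed by "(comment)"
PRODUCT_RE = re.compile(r"([A-Za-z0-9_.+-]+)/([0-9][A-Za-z0-9._-]*)")
COMMENT_RE = re.compile(r"\(([^)]*)\)")


def server_header(raw):
    """Return the value of the Server header in a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def disclosure(raw):
    """Report which software versions and OS hints the Server header reveals.

    'versions' maps each product token to its version (e.g. OpenSSL -> 0.9.7a),
    'os' holds the parenthesised comment, and 'leaks' is True when a scanner
    could fingerprint the host from the header at all.
    """
    value = server_header(raw)
    if value is None:
        return {"header": None, "versions": {}, "os": None, "leaks": False}
    versions = dict(PRODUCT_RE.findall(value))
    comment = COMMENT_RE.search(value)
    return {
        "header": value,
        "versions": versions,
        "os": comment.group(1) if comment else None,
        "leaks": bool(versions) or comment is not None,
    }
```

Run disclosure() over a response from your own server before and after changing ServerTokens to confirm the header no longer carries product versions or an OS comment.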


Re: Hiding headers for OpenSSL

2006-08-22 Thread Scott Campbell
Guys,

While I appreciate the vibrant discussion, I was not asking for the pros and cons of hiding the header information, whether or not one feels it promotes security, and whether one believes meddling with this makes one a geek or not. In many people's desire to announce their opinion on the matter, the question was ignored. Your thoughts are much appreciated, but I need a technical answer.

My question is (rephrased), if possible, how can I hide the headers in OpenSSL from being broadcast to software running rudimentary security scans (e.g., Nessus)?

Is there a line I can add to a conf file?

Is preventing the broadcast of software, version, and OS through Apache all I need to do to prevent people from seeing that information?

Last (though new) question: I thought that OpenSSL does not pass header information back and forth to the client when establishing a secure connection, but in fact, only certificate authenticating is performed? In other words, the client (however legitimate) doesn't need to know the header information of my OpenSSL; if the certificate is authenticated, the connection is made.

Thanks in advance,
Scott


Hiding headers for OpenSSL

2006-08-21 Thread Scott Campbell
Dear All,

The quick version: How can I disable or prevent OpenSSL headers from being viewable to outside traffic (similar to when you disable Apache from allowing its header and version information from being viewable to the outside world)?

The long version: We run security check software, which makes connections with various services, calls up the header, and then tells us that based upon the version it read in the header, this service has certain vulnerabilities. For security purposes, we would like to disable the broadcasting of headers so outside users cannot simply call up the header and see what version we're running. Additionally, the vulnerabilities are wrong since the header is one thing but the revision numbers indicate that the vulnerabilities have been resolved (those using RedHat RHEL should be familiar with this issue). What I want to do is prevent outside connections from seeing any version information, in order to give potential abusers as little information about our system as possible.

In Apache, you can modify the information sent to almost anything. We disable such broadcasting, and I was hoping you can do the same with OpenSSL.

Thank you in advance,
Scott