Re: Checking the version of OpenSSL

2006-08-10 Thread Marek Marcola
Hello,
> Does anyone know how to externally check what version of OpenSSL is
> running a server?  I mean without connecting to the server via the
> shell but perhaps by a browser and checking the headers?
If we are talking about HTTP servers then sometimes this
information MAY be available in the Server: tag.
For example:

$ telnet www.itrc.hp.com 80
Trying...
Connected to itrc.hp.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 500 Internal Server Error
Date: Thu, 10 Aug 2006 21:41:02 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e   -- HERE
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.

But ... this may not be available, or may not be true, if the remote server
administrator set the value of this tag manually to some
arbitrary string.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
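
An added example, not part of the original thread: a Python check an administrator can run on a response head captured from their own server to see which component versions the Server: field announces. The sample heads are constructed (the first reuses the Server line quoted above) and the function names are illustrative.

```python
import re

# RFC 9110 "token" characters; a product is token["/" token], comments sit in (...).
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT = re.compile(rf"\([^()]*\)|({_TOKEN})(?:/({_TOKEN}))?")

def server_header(raw_head):
    """Return the value of the first Server: field in a raw response head, or None."""
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # skip the status line
        if line == "":
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def disclosed_products(value):
    """Split a Server value into (name, version-or-None) pairs, dropping comments."""
    return [(m.group(1), m.group(2)) for m in _PRODUCT.finditer(value) if m.group(1)]

def audit(raw_head):
    """Summarise what the head announces. The value is a claim by the server,
    not proof: it can be trimmed or set to an arbitrary string, and a missing
    OpenSSL token does not show that OpenSSL is not in use."""
    value = server_header(raw_head)
    products = disclosed_products(value) if value else []
    openssl = next((v for n, v in products if n.lower() == "openssl"), None)
    return {"server": value,
            "openssl": openssl,
            "versions_disclosed": [f"{n}/{v}" for n, v in products if v]}

# Constructed sample heads: the first reuses the Server line quoted in the thread.
VERBOSE = ("HTTP/1.1 500 Internal Server Error\r\n"
           "Date: Thu, 10 Aug 2006 21:41:02 GMT\r\n"
           "Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e\r\n"
           "Connection: close\r\n\r\n")
MINIMAL = "HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n\r\n"
ABSENT = "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for head in (VERBOSE, MINIMAL, ABSENT):
        print(audit(head))
```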


RE: Checking the version of OpenSSL

2006-08-10 Thread Randy Turner

I would probably consider the publishing of the openssl version on the web 
server announcement message as a security issue.

Randy



Re: Checking the version of OpenSSL

2006-08-10 Thread William A. Rowe, Jr.
Randy Turner wrote:
> I would probably consider the publishing of the openssl version on the web 
> server announcement message as a security issue.

And some of us would laugh in your general direction ;-)

Exploiters don't need to know, they can just persist till they find
a known exploit.


RE: Checking the version of OpenSSL

2006-08-10 Thread Randy Turner


Yes, nefarious types would eventually figure it out, but we probably shouldn't 
lay out the red carpet for them either...:)

R.

