Dear All,

The quick version: How can I disable or prevent OpenSSL headers from
being viewable to outside traffic (similar to when you disable Apache from
allowing its header and version information from being viewable to the
outside world)?

The long version: We run security check software, which makes
connections with various services, calls up the header, and then tells us
that based upon the version it read in the header, this service has certain
vulnerabilities. For security purposes, we would like to disable the
broadcasting of headers so outside users cannot simply call up the header
and see what version we're running. Additionally, the vulnerabilities are
wrong since the header is one thing but the revision numbers indicate that
the vulnerabilities have been resolved (those using RedHat RHEL should be
familiar with this issue). What I want to do is prevent outside connections
from seeing any version information, in order to give potential abusers as
little information about our system as possible.

In Apache, you can modify the information sent to almost anything. We
disable such broadcasting, and I was hoping you can do the same with
OpenSSL.

Thank you in advance,
Scott

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
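
Added example, not part of the original message: a small audit of what a banner-reading scanner, like the security check software described above, would extract from a service's HTTP Server header. It assumes the OpenSSL version reaches the outside as a product token in the Apache Server header (the message does not say where the version is seen); the response heads and version numbers are constructed.

```python
import re

# Server header grammar: product[/version] tokens separated by spaces, with
# optional "(comment)" parts. Only tokens that carry a version are reported.
_COMMENT = re.compile(r"\([^()]*\)")
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


def disclosed_versions(server_header):
    """Return {product: version} for each versioned token in a Server header."""
    found = {}
    for tok in _COMMENT.sub(" ", server_header).split():
        m = _PRODUCT.fullmatch(tok)
        if m and m.group(2):
            found[m.group(1)] = m.group(2)
    return found


def audit(responses):
    """responses maps a label to a raw HTTP response head; returns
    {label: versions disclosed by that response's Server header}."""
    report = {}
    for label, head in responses.items():
        server = ""
        for line in head.split("\r\n")[1:]:  # skip the status line
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "server":
                server = value.strip()
                break
        report[label] = disclosed_versions(server)
    return report


# Constructed response heads: one with full product tokens, one reduced to
# the bare product name (what Apache sends with "ServerTokens Prod").
SAMPLES = {
    "full": "HTTP/1.1 200 OK\r\n"
            "Server: Apache/2.0.0 (Unix) mod_ssl/2.0.0 OpenSSL/0.9.0\r\n\r\n",
    "reduced": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}

if __name__ == "__main__":
    for label, versions in audit(SAMPLES).items():
        print(label, versions or "no version tokens disclosed")
```

A version reported here is only the banner string; on distributions that backport fixes it does not show whether a given vulnerability is patched, which is the mismatch the message describes.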