Scott Campbell wrote:

> The long version: We run security check software, which makes
> connections with various services, calls up the header, and then tells
> us that based upon the version it read in the header, this service has
> certain vulnerabilities. For security purposes, we would like to
> disable the broadcasting of headers so outside users cannot simply call
> up the header and see what version we're running. Additionally, the
> vulnerabilities are wrong since the header is one thing but the revision
> numbers indicate that the vulnerabilities have been resolved (those
> using RedHat RHEL should be familiar with this issue). What I want to
> do is prevent outside connections from seeing any version information,
> in order to give potential abusers as little information about our
> system as possible.


It sounds as if you're approaching this in a bass-ackwards way.

First - fix the false positives in your vulnerability reporting.

Second - the bid for security through obscurity in not reporting
the version number seems misguided to me.
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org