This is a discussion on RE: Hiding headers for OpenSSL - Openssl ; > The long version: We run security check software, which makes connections > with various services, calls up the header, and then tells us that based > upon the version it read in the header, this service has certain vulnerabilities. ...
> The long version: We run security check software, which makes connections
> with various services, calls up the header, and then tells us that based
> upon the version it read in the header, this service has certain
You mean it might have certain vulnerabilities. You certainly can't be sure
just based on the version, local patches could have been applied.
> For security purposes, we would like to disable the broadcasting of
> outside users cannot simply call up the header and see what version we're
Right, we don't want the people who have to rely on us to be secure to know
that we aren't secure. And if we are secure, we don't want to reassure
people that we did fix the latest bugs, because we just like to keep them
> Additionally, the vulnerabilities are wrong since the header is one thing
> the revision numbers indicate that the vulnerabilities have been resolved
> (those using RedHat RHEL should be familiar with this issue). What I want
> to do is prevent outside connections from seeing any version information,
> order to give potential abusers as little information about our system as
Right, don't want to give those potential abusers any incorrect
Wow, you guys do things very differently from the rest of us.
OpenSSL Project http://www.openssl.org
Development Mailing List firstname.lastname@example.org
Automated List Manager email@example.com