> The long version: We run security check software, which makes connections
> with various services, calls up the header, and then tells us that based
> upon the version it read in the header, this service has certain
> vulnerabilities.

You mean it might have certain vulnerabilities. You certainly can't be sure
just based on the version; local patches could have been applied.

> For security purposes, we would like to disable the broadcasting of
> headers so outside users cannot simply call up the header and see what
> version we're running.

Right, we don't want the people who have to rely on us to be secure to know
that we aren't secure. And if we are secure, we don't want to reassure
people that we did fix the latest bugs, because we just like to keep them
guessing.

> Additionally, the vulnerabilities are wrong since the header is one thing
> but the revision numbers indicate that the vulnerabilities have been
> resolved (those using RedHat RHEL should be familiar with this issue). What
> I want to do is prevent outside connections from seeing any version
> information, in order to give potential abusers as little information about
> our system as possible.

Right, don't want to give those potential abusers any incorrect
information.

Wow, you guys do things very differently from the rest of us.

DS
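The disagreement above comes down to how version-based scanners work: they parse a product/version string out of a banner and compare it against a table of "fixed in" versions, which is exactly why a vendor-backported fix (the RHEL case) shows up as a false positive. The following is an added illustration, not code from this thread or from the OpenSSL project; the advisory table, banners and the "vendor tag" heuristic are all constructed for the example.

```python
import re

# Constructed sample advisory table (hypothetical labels, not real CVE data):
# product name -> list of (first fixed upstream version, advisory label)
ADVISORIES = {
    "openssl": [((0, 9, 8), "EXAMPLE-ADVISORY-1")],
    "apache": [((2, 2, 6), "EXAMPLE-ADVISORY-2")],
}

# Distribution markers that commonly indicate backported security fixes,
# i.e. the upstream version number no longer tells you which bugs are fixed.
VENDOR_TAGS = ("red hat", "redhat", "debian", "ubuntu", "centos")

# Matches tokens such as "Apache/2.2.3" or "OpenSSL/0.9.7a".
BANNER_RE = re.compile(r"([A-Za-z_-]+)/(\d+(?:\.\d+)*)[A-Za-z]*")


def parse_banner(banner):
    """Extract (product, version-tuple) pairs from a Server-style header."""
    found = []
    for m in BANNER_RE.finditer(banner):
        name = m.group(1).lower()
        version = tuple(int(part) for part in m.group(2).split("."))
        found.append((name, version))
    return found


def assess(banner):
    """Version-only assessment of a banner.

    Returns a list of (product, advisory, verdict). When the banner carries a
    distribution tag the verdict is downgraded to 'unverified', because a
    backported fix cannot be distinguished from an unpatched build by version
    alone; confirming it requires checking the package changelog on the host.
    """
    lowered = banner.lower()
    backport_possible = any(tag in lowered for tag in VENDOR_TAGS)
    results = []
    for name, version in parse_banner(banner):
        for fixed_in, label in ADVISORIES.get(name, []):
            if version < fixed_in:  # tuple comparison handles 0.9.7 < 0.9.8
                verdict = ("unverified: vendor backport possible"
                           if backport_possible else "possibly vulnerable")
                results.append((name, label, verdict))
    return results
```

Running `assess("Apache/2.2.3 (Red Hat) OpenSSL/0.9.7a")` flags both products but only as unverified, which is the scanner output the original poster objected to; `assess("Apache/2.2.8")` returns nothing.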


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org