Re: OpenSSL version used by Httpd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hey 

Thank you very much for quick reply, I did modify ServerTokens from OS to Full and did restart apache. However I tried to hit my server I do not see server header added. Is there any other precondition that I need to take care of I am using Apache HTTPD 2.2.25.

[root@10 conf]# curl --head https://localhost:443/login -k
HTTP/1.1 200 OK
Date: Wed, 21 Jan 2015 10:43:42 GMT
Set-Cookie: JSESSIONID=521BFADA9009F72C4ED9BF6D5CA63899.7001stagingcld-tomcat9; Path=/; Secure; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 5967

[root@10 conf]# 

On Wed, Jan 21, 2015 at 3:55 PM, Pete Houston <ph1@xxxxxxxxxxxxxxxx> wrote:
On Wed, Jan 21, 2015 at 03:44:43PM +0530, srihari na wrote:
> However from external/client side how can I verify which is the exact
> version of openssl libraries being used during communication. Please help.

In your httpd.conf specify

        ServerTokens Full

Then from the client side you can inspect the headers for the OpenSSL
version. eg: http://httpd.apache.org/ currently reports:

        Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l

See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
You might consider this as information leakage so may not wish to leave
it permanently enabled.

Pete
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107



--
Regards,
Srihari NA
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux