That's a configuration issue with the servers, not an issue with the openssl command itself. There's no information on what back-end HTTP server software is being used. If it were Apache, there would be a ServerName directive that could change the server's idea of what name it should refer to itself as. I don't have information on other server software configuration.

-Kyle H

On Sun, Mar 24, 2019 at 7:34 PM Abdul Qoyyuum <aqoyyuum@xxxxxxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> New to the mailing list and a complete newbie to openssl and the likes. There's a ticket by a client that I'm new at, and he claims that there's a security problem with the openssl command to his servers.
>
> Internal IP exposed after running an openssl (version 1.1.0j) connect command:
>
> openssl s_client -connect 103.XX.XXX.XX:10443 -quiet
>
> Where 103.XX.XXX.XX is a public IP. After it shows the certificates, I typed the following:
>
> GET /images HTTP/1.0
>
> And hit enter twice; the following gets displayed:
>
> HTTP/1.0 301 Moved Permanently
> Date: Mon, 25 Mar 2019 00:10:13 GMT
> Server: xxxxxxxx-xxxxx
> Location: https://10.240.123.1:10443/images/
> Connection: close
> Content-Type: text/html; charset=utf-8
> X-Frame-Options: SAMEORIGIN
> Content-Security-Policy: frame-ancestors 'self'
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Strict-Transport-Security: max-age=28800
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>301 Moved Permanently</TITLE>
> </HEAD><BODY>
> <H1>Moved Permanently</H1>
> The document has moved <A HREF="https://10.240.123.1:10443/images/">here</A>.<P>
> </BODY></HTML>
> read:errno=0
>
> The 10.240.123.1 is an internal IP, and it is exposed by this little method, although it is not shown when using the curl -kv -O command.
>
> Is there a way to cover up the "Location" header, or at least the internal IP, from being exposed? Thanks.
>
> Sorry if this isn't clear or if this is the wrong place to ask this.
>
> --
> Abdul Qoyyuum Bin Haji Abdul Kadir
> HP No: +673 720 8043
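As an added example (not code from this thread or from the OpenSSL project), the following check parses a raw HTTP response like the one quoted above and flags any Location or Content-Location header whose host is a private, loopback or link-local IP literal, which is the kind of misconfiguration the reply attributes to the server's idea of its own name. The sample response and the function names are my own constructions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample modelled on the response quoted in the thread (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.0 301 Moved Permanently\r\n"
    "Date: Mon, 25 Mar 2019 00:10:13 GMT\r\n"
    "Server: example-server\r\n"
    "Location: https://10.240.123.1:10443/images/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Moved Permanently</body></html>"
)

# Headers that carry a URL built from the name the server believes is its own.
URL_HEADERS = ("location", "content-location")

def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x response into {lowercased header name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def is_internal_host(host: str) -> bool:
    """True when host is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an IP literal; not flagged here
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_internal_leaks(raw: str) -> list:
    """Return (header, host) pairs for URL-bearing headers pointing at internal addresses."""
    leaks = []
    for name, value in parse_headers(raw).items():
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname  # drops scheme, port, path and IPv6 brackets
        if host and is_internal_host(host):
            leaks.append((name, host))
    return leaks
```

Run against the sample, find_internal_leaks returns [('location', '10.240.123.1')]; feeding it the responses captured from a server before and after fixing its canonical name gives a quick regression check.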