httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From srihari na <namasrih...@gmail.com>
Subject Re: [users@httpd] OpenSSL version used by Httpd
Date Wed, 21 Jan 2015 10:46:36 GMT
Hey

Thank you very much for quick reply, I did modify ServerTokens from OS to
Full and did restart apache. However I tried to hit my server I do not see
server header added. Is there any other precondition that I need to take
care of I am using Apache HTTPD 2.2.25.

[root@10 conf]# curl --head https://localhost:443/login -k
HTTP/1.1 200 OK
Date: Wed, 21 Jan 2015 10:43:42 GMT
Set-Cookie:
JSESSIONID=521BFADA9009F72C4ED9BF6D5CA63899.7001stagingcld-tomcat9; Path=/;
Secure; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 5967

[root@10 conf]#

On Wed, Jan 21, 2015 at 3:55 PM, Pete Houston <ph1@openstrike.co.uk> wrote:

> On Wed, Jan 21, 2015 at 03:44:43PM +0530, srihari na wrote:
> > However from external/client side how can I verify which is the exact
> > version of openssl libraries being used during communication. Please
> help.
>
> In your httpd.conf specify
>
>         ServerTokens Full
>
> Then from the client side you can inspect the headers for the OpenSSL
> version. eg: http://httpd.apache.org/ currently reports:
>
>         Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l
>
> See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
> You might consider this as information leakage so may not wish to leave
> it permanently enabled.
>
> Pete
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
>



-- 
Regards,
Srihari NA

Mime
View raw message