[unisog] determining versions of SSL

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 15:19:29 GMT 2002

The problem with that is many servers have patched versions of older
OpenSSL for compatibility reasons.  In other words, though patched, they
still show a version that might be unpatched.  Using the latest Red Hat RPMs
on a Red Hat 7.2 server yields:

Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2

While OpenSSL 0.9.6b isn't secure by default, if you've got
openssl-0.9.6-13.i386.rpm from Red Hat, you are patched.

Jordan Wiens
UF Network Incident Response Team

On Sun, 15 Sep 2002, Mike Iglesias wrote:

> Here's what I got from sending "OPTIONS * HTTP/1.0" to port 80 of a web
> server:
> Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
> Obviously that system needs some work.  :-(
> I used "nc" to send the above string to the web server.
> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069
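
Added example (not part of the original messages): a small triage helper that parses the two Server banners quoted in this thread and refuses to call a host unpatched on the banner alone, since vendor backports keep the upstream version string. The function names, the result labels and the `PATCHED_BUILDS` table are assumptions made for illustration; the table's single entry is the package named in the reply above.

```python
import re

# Product tokens look like "name/version"; parenthesised comments are kept apart.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)/([^\s()]+)")

# Vendor builds known to carry the backported fix (assumed table; the one
# entry is the package named in the message, extend it from vendor advisories).
PATCHED_BUILDS = {"openssl-0.9.6-13"}

# The two banners quoted in the thread.
REDHAT_BANNER = ("Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 "
                 "OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2")
MANDRAKE_BANNER = ("Server: Apache-AdvancedExtranetServer/1.3.20 "
                   "(Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6")


def parse_server_banner(banner):
    """Return ({product: version}, [comments]) from a Server header value."""
    if banner.lower().startswith("server:"):
        banner = banner.split(":", 1)[1]
    products, comments = {}, []
    for m in TOKEN.finditer(banner):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products[m.group(2)] = m.group(3)
    return products, comments


def triage(banner, installed_package=None):
    """Classify a host; the banner only reports the upstream version string."""
    products, _ = parse_server_banner(banner)
    if "OpenSSL" not in products:
        return "no-openssl-token"
    if installed_package is None:
        return "verify-on-host"  # banner alone cannot show a backported fix
    # Accept the bare name-version-release or the .arch.rpm file name.
    nvr = re.sub(r"\.[^.]+\.rpm$", "", installed_package)
    return "patched-backport" if nvr in PATCHED_BUILDS else "not-known-patched"


if __name__ == "__main__":
    for b in (REDHAT_BANNER, MANDRAKE_BANNER):
        print(parse_server_banner(b)[0].get("OpenSSL"), triage(b))
    print(triage(REDHAT_BANNER, "openssl-0.9.6-13.i386.rpm"))
```

Feed `installed_package` from the host's own package database; a scanner that only sees the banner should report "verify-on-host" rather than a finding.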
