[unisog] determining versions of SSL

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 16 20:16:53 GMT 2002


On Tue, 2002-09-17 at 02:13, Christian Wilson wrote:

> 
> What do you think about us asking those nice RedHat and other folks that if
> they're going to backport patches into earlier versions that they at least
> report the patched version as OpenSSL/0.9.6b-RHXXX or something.

Amen!  Grabbing http options tells me I have lots of 0.9.6b, many of
which I know have been patched.

> 
> The OpenSSL version issues as well as OpenSSH issues with both Redhat and 
> Debian have really been driving me mad. I guess on the flipside it shows
> people that haven't patched their hosts but I'd find managing all the people
> on our networks a hell of a lot easier if they did let us find out versions
> easier..

I much prefer to have the information available.  If you really want to
you can configure most software not to display version info (or to lie
about it).  My other pet peeve is UNIX rpc services -- there is no way
of telling if they have been patched or not without breaking
something...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


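The banner ambiguity discussed in this message, as an added example that is not part of the original post: a triage of `Server` header strings that separates "old upstream version string" from "known unpatched". The sample banners, the `FIXED_IN` value and the function names are constructed for illustration; the `-RHXXX` suffix is the hypothetical convention proposed in the quoted text.

```python
import re
from collections import Counter

# OpenSSL token in an Apache-style Server header, e.g. "OpenSSL/0.9.6b",
# optionally followed by a build tag such as "-RHXXX" (hypothetical form).
TOKEN = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")

# Assumed for this example: first upstream release carrying the fix of
# interest. Take the real value from the advisory you are tracking.
FIXED_IN = (0, 9, 6, "e")

def parse_openssl(server_header):
    """Return ((major, minor, patch, letter), build_tag) or None."""
    m = TOKEN.search(server_header)
    if not m:
        return None
    major, minor, patch, letter, tag = m.groups()
    return (int(major), int(minor), int(patch), letter), tag

def triage(server_header, fixed_in=FIXED_IN):
    """Classify one banner; never report 'vulnerable' from a banner alone."""
    parsed = parse_openssl(server_header)
    if parsed is None:
        return "no-banner"            # version hidden, or not OpenSSL
    version, tag = parsed
    if tag:
        return "vendor-build"         # check the vendor advisory for this tag
    if version >= fixed_in:           # tuple compare; "" < "b" < "e"
        return "reports-fixed"
    # Old upstream string, no tag: unpatched OR backported fix.
    # The banner cannot tell these apart, so verify on the host.
    return "ambiguous-verify-on-host"

# Constructed sample banners (not taken from any real scan).
SAMPLE = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b-RHXXX",
    "Apache",
]

def inventory(banners):
    """Count banners per triage class."""
    return Counter(triage(b) for b in banners)

if __name__ == "__main__":
    for banner in SAMPLE:
        print(f"{triage(banner):26} {banner}")
```

Hosts in the `ambiguous-verify-on-host` class are the ones to follow up through the package manager or the host's administrator, since the version string is the same whether or not the fix was backported.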
