[unisog] determining versions of SSL
chris.cramer at duke.edu
Mon Sep 16 14:21:31 GMT 2002
On Mon, 2002-09-16 at 01:35, Brian Reilly wrote:
> On 16 Sep 2002, Russell Fulton wrote:
> > Hi,
> > I have been meaning to ask this for a while, but the worm has now made
> > it urgent: Is there a straightforward means of determining what
> > version of SSL a server is running from the network? Something that
> > could be rolled into a perl script and fed nmap output would be ideal.
> I've been scanning and grabbing HTTP 'Server' headers, i.e. "Apache/1.3.26
> (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g". It might not be perfect, but it's
> been helpful. I wrote a couple of simple Perl scripts that use LWP and
> Net::SSLeay to do this. If you'd like a copy just drop me a line and I'll
> pass 'em along.
This'll probably generate a lot of false positives on Red Hat boxen.
Red Hat patched 0.9.6b so that it isn't vulnerable. However, the
OpenSSL patch level doesn't show in the HTTP headers.
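
Added example, not part of the original thread or anyone's scripts from it: a banner triage that parses the `Server` header quoted above and, because vendor backports do not change the advertised version, reports an old-looking OpenSSL token as "verify-on-host" rather than "vulnerable". The function names, the second and third sample banners, and the `fixed_in` threshold are assumptions; set `fixed_in` to the fixed release named in the advisory you are tracking.

```python
import re

# product/version tokens as they appear in an HTTP Server header
TOKEN = re.compile(r"([A-Za-z0-9_.\-]+)/([^\s()]+)")
# OpenSSL 0.9.x style versions: three numbers plus an optional letter (0.9.6g)
OPENSSL_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_server_header(banner):
    """Return {product_lowercase: version} from a Server header value."""
    no_comments = re.sub(r"\([^)]*\)", " ", banner)  # drop "(Unix)" style comments
    return {name.lower(): ver for name, ver in TOKEN.findall(no_comments)}

def openssl_key(version):
    """Turn '0.9.6g' into a sortable tuple (0, 9, 6, 'g'); None if unparsable."""
    m = OPENSSL_VER.match(version)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def classify(banner, fixed_in):
    """Triage one banner against a caller-supplied fixed release (assumption).

    'banner-ok'      advertised version is at or above fixed_in
    'verify-on-host' advertised version is older; a vendor may have backported
                     the fix without changing the banner, so check the package
    'unknown'        no usable OpenSSL token in the header
    """
    advertised = parse_server_header(banner).get("openssl")
    if advertised is None:
        return ("unknown", None)
    key, floor = openssl_key(advertised), openssl_key(fixed_in)
    if key is None or floor is None:
        return ("unknown", advertised)
    return ("banner-ok" if key >= floor else "verify-on-host", advertised)

SAMPLES = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",  # banner quoted in the thread
    "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b",   # constructed sample
    "Apache",                                              # constructed: tokens hidden
]

if __name__ == "__main__":
    for banner in SAMPLES:
        # "0.9.6g" is a sample threshold only, taken from the quoted banner
        print(classify(banner, fixed_in="0.9.6g"), banner)
```

Hosts reported as "verify-on-host" or "unknown" need a check of the installed package and its vendor changelog, since the header alone cannot distinguish a patched 0.9.6b from an unpatched one.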