[unisog] determining versions of SSL

Christopher Cramer chris.cramer at duke.edu
Mon Sep 16 14:21:31 GMT 2002


On Mon, 2002-09-16 at 01:35, Brian Reilly wrote:
> 
> On 16 Sep 2002, Russell Fulton wrote:
> 
> > Hi,
> > 	I have been meaning to ask this for a while, but the worm has now made
> > it urgent:  Is there a straightforward means of determining what
> > version of SSL a server is running from the network?  Something that
> > could be rolled into a perl script and fed nmap output would be ideal.
> > 
> 
> I've been scanning and grabbing HTTP 'Server' headers, i.e. "Apache/1.3.26
> (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g".  It might not be perfect, but it's
> been helpful.  I wrote a couple of simple Perl scripts that use LWP and
> Net::SSLeay to do this. If you'd like a copy just drop me a line and I'll
> pass 'em along.
> 
> --Brian


This'll probably generate a lot of false positives on Red Hat boxen.
Red Hat patched 0.9.6b so that it isn't vulnerable.  However, the
OpenSSL patch level doesn't show in the HTTP headers.

-chris
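
The banner check discussed in this thread, with the Red Hat caveat built in, as an added example that is not part of the original messages or the scripts Brian mentions. The `triage` function, its status labels, the `backport_hints` list and the sample headers other than the one quoted above are constructed for illustration; the minimum fixed version is supplied by the caller and the value used here is a placeholder, not taken from an advisory.

```python
import re

# OpenSSL versions of this era look like 0.9.6b: three numbers plus an optional letter.
_VERSION = r"(\d+)\.(\d+)\.(\d+)([a-z]?)"
_TOKEN = re.compile(r"\bOpenSSL/" + _VERSION)
# Parenthesised comments in a Server header sometimes name the platform.
_COMMENT = re.compile(r"\(([^)]*)\)")

def parse_openssl(text):
    """Return (major, minor, fix, letter) from a banner or a bare version, else None."""
    m = _TOKEN.search(text) or re.fullmatch(_VERSION, text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def triage(server_header, min_fixed, backport_hints=("red-hat", "redhat")):
    """Classify one HTTP Server header against a caller-supplied fixed version."""
    floor = parse_openssl(min_fixed)
    if floor is None:
        raise ValueError("unparsable minimum version: %r" % min_fixed)
    seen = parse_openssl(server_header)
    if seen is None:
        return "unknown"            # banner omits or hides the OpenSSL token
    if seen >= floor:               # '' sorts before 'a', so 0.9.6 < 0.9.6a
        return "ok-by-banner"       # only what the banner claims
    comments = " ".join(_COMMENT.findall(server_header)).lower()
    if any(hint in comments for hint in backport_hints):
        # Vendor packages can carry the fix without changing the version
        # string, so the header cannot settle it: check the package on the host.
        return "verify-on-host"
    return "old-by-banner"          # still worth confirming on the host

# Constructed sample input; the first banner is the one quoted in the thread.
SAMPLE_HEADERS = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",
    "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6c",
    "Apache",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        # "0.9.6g" is a placeholder threshold, not a statement of the fixed release.
        print("%-15s %s" % (triage(header, "0.9.6g"), header))
```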



