[unisog] determining versions of SSL

Christopher Cramer chris.cramer at duke.edu
Mon Sep 16 14:21:31 GMT 2002

On Mon, 2002-09-16 at 01:35, Brian Reilly wrote:
> On 16 Sep 2002, Russell Fulton wrote:
> > Hi,
> > I have been meaning to ask this for a while, but the worm has now made
> > it urgent:  Is there a straightforward means of determining what
> > version of SSL a server is running from the network?  Something that
> > could be rolled into a perl script and fed nmap output would be ideal.
> > 
> I've been scanning and grabbing HTTP 'Server' headers, i.e. "Apache/1.3.26
> (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g".  It might not be perfect, but it's
> been helpful.  I wrote a couple of simple Perl scripts that use LWP and
> Net::SSLeay to do this. If you'd like a copy just drop me a line and I'll
> pass 'em along.
> --Brian

This'll probably generate a lot of false positives on Red Hat boxen.
Red Hat patched 0.9.6b so that it isn't vulnerable.  However, the
OpenSSL patch level doesn't show in the HTTP headers.
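
An added example, not part of the original thread and not the Perl scripts mentioned in it: a banner triage that reads the OpenSSL token from a `Server` header and, because of the backport problem described above, reports an older banner as needing a host-side check rather than as vulnerable. The function names, the sample hosts and headers, and the `FIXED_IN_PLACEHOLDER` threshold are assumptions; the thread does not say which release is the first fixed one.

```python
import re

# Matches the OpenSSL token in a banner such as
# "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g".
OPENSSL_RE = re.compile(r"\bOpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl(text):
    """Return (major, minor, fix, letter), or None if no OpenSSL token."""
    m = OPENSSL_RE.search(text)
    if m is None:
        return None
    # The letter suffix sorts as a string: "" < "b" < "g".
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def triage(server_header, fixed_in):
    """Classify one Server header against a first-fixed release string."""
    fixed = parse_openssl("OpenSSL/" + fixed_in)
    if fixed is None:
        raise ValueError("bad threshold: %r" % fixed_in)
    seen = parse_openssl(server_header)
    if seen is None:
        return "unknown"        # header omits or hides the OpenSSL version
    if seen >= fixed:
        return "banner-ok"      # what the banner claims, nothing more
    # An older banner is not proof: a vendor may have patched the old
    # release in place, and that patch level is not in the header.
    return "verify-on-host"

def triage_all(pairs, fixed_in):
    """Map each host to its verdict; pairs is [(host, server_header)]."""
    return {host: triage(header, fixed_in) for host, header in pairs}

# Placeholder threshold (assumption): set this from the advisory you track.
FIXED_IN_PLACEHOLDER = "0.9.6g"

# Constructed sample input: documentation addresses and made-up headers.
SAMPLE = [
    ("192.0.2.10", "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g"),
    ("192.0.2.11", "Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b"),
    ("192.0.2.12", "Apache"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage_all(SAMPLE, FIXED_IN_PLACEHOLDER).items()):
        print(host, verdict)
```

Hosts reported as `verify-on-host` go on a list for checking the installed package's patch level on the machine itself, which the network view cannot show.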

