Date: Sun, 16 Jul 2000 20:29:14 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Gabriel Ambuehl <gabriel_ambuehl@buz.ch>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Cloaking Apache mod_ssl
Message-ID: <Pine.BSF.4.21.0007162022150.82777-100000@ren.sasknow.com>
In-Reply-To: <1713780456.20000716120002@buz.ch>

Gabriel Ambuehl wrote to freebsd-isp@FreeBSD.ORG:

> Hello,
> I'd like to have my Apache sending out bogus information about the
> running daemon. I understand that I can alter
> define SERVER_BASEVERSION "Apache/1.3.12"
> in httpd.h to get it sending other strings about the daemon itself,

How about just turning server signatures off altogether?

httpd.conf:
ServerSignature Off

> but how can I get rid of those mod_ssl and OpenSSL statements? Any
> inputs would be appreciated.

Why would you want to? Exploitability reasons? Most of the time that's a
moot point, anyway. If a user has an exploit for web server A, she's
probably not even going to look at a server signature. She's just going to
try it anyway and see if it works. (And hey, maybe web server B has the
same problem)

If you're doing it for export reasons (i.e., to slip the legalities under
someone's nose), I suspect you won't get much support. Besides, it's the
encryption algorithms and keysizes that are protected, not the server
signatures ;-)

- Ryan

--
  Ryan Thompson <ryan@sasknow.com>
  Systems Administrator, Accounts
  Phone: +1 (306) 664-1161

  SaskNow Technologies     http://www.sasknow.com
  #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
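
Added example (not part of the original message and not Apache's own code): a Python check that splits a Server response-header value into its product tokens and reports what it discloses, so an administrator can confirm after a configuration change whether the mod_ssl and OpenSSL tokens asked about above are still being sent. The mod_ssl and OpenSSL version strings in the sample are placeholders, and the function names are this example's own.

```python
import re

# Constructed sample banner. Apache/1.3.12 is the version quoted in the
# thread; the module versions are placeholders, not real release numbers.
SAMPLE_FULL = "Apache/1.3.12 (Unix) mod_ssl/X.Y.Z OpenSSL/X.Y.Z"

# A Server header is a sequence of "product[/version]" tokens, optionally
# interleaved with parenthesised comments such as "(Unix)".
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")


def parse_server_header(value):
    """Return ([(product, version_or_None), ...], [comment, ...])."""
    products, comments = [], []
    for match in _TOKEN.finditer(value):
        if match.group(1) is not None:
            comments.append(match.group(1))
        else:
            products.append((match.group(2), match.group(3)))
    return products, comments


def audit_banner(value):
    """List what the banner reveals beyond a bare server product name."""
    products, comments = parse_server_header(value)
    findings = []
    for index, (name, version) in enumerate(products):
        token = f"{name}/{version}" if version else name
        if index > 0:
            # Every token after the first names a loaded module or library.
            findings.append(("module", token))
        elif version:
            findings.append(("version", token))
    findings.extend(("platform", comment) for comment in comments)
    return findings


if __name__ == "__main__":
    for banner in (SAMPLE_FULL, "Apache/1.3.12", "Apache"):
        print(f"{banner!r}: {audit_banner(banner) or 'nothing beyond product name'}")
```

In Apache the Server response header is governed by the ServerTokens directive, while ServerSignature controls the footer line on server-generated pages, so both outputs are worth checking.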