LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-03-2013, 03:23 PM   #1
legolasthehansy
LQ Newbie
 
Registered: Dec 2006
Posts: 16

Rep: Reputation: 1
Remove SSL version Information


I was running a vulnerability application against our Linux server and it gave me this report.

Code:
TLSv1 Protocol is Enabled.
Supported Cipher : TLS1_DHE_RSA_WITH_AES_256_SHA SSL_NOT_EXP
SSLv3 Protocol is Enabled.
Supported Cipher : TLS1_DHE_RSA_WITH_AES_256_SHA SSL_NOT_EXP
How do I prevent Apache on Centos from displaying the above version information.

Thanks!

Last edited by legolasthehansy; 04-03-2013 at 03:51 PM.
 
Old 04-03-2013, 04:10 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
you can't prevent it! That's nuts! It's critical information for the client negotiating with you to have. Why on earth would you want to stop this information being available in the first place? Wy do you think it's a risk? AES256 with SHA? That's tough stuff. And SSL_NOT_EXP means "non-export grade SSL ciphers", i.e. "good SSL ciphers"

What is the supporting text with this report? Did you, or your management superiors, read it?

Last edited by acid_kewpie; 04-03-2013 at 04:12 PM.
 
Old 04-03-2013, 05:17 PM   #3
legolasthehansy
LQ Newbie
 
Registered: Dec 2006
Posts: 16

Original Poster
Rep: Reputation: 1
Thank you acid_kewpie for your response.
We are using McAfee's Vulnerability manager and were trying to bring down the number of reports such as the above we are seeing. I didn't know the client needed this information to use for authentication.

Last edited by legolasthehansy; 04-03-2013 at 05:19 PM.
 
Old 04-04-2013, 03:03 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
but is it actually being framed in a negative light in any way by this security service? As much as it's restrictive having a single cipher only, it's a very secure one. There is no perspective of risk in any way at all as I'm reading this. It's like saying you don't want to open your firewall to the internet for security reasons, but still want to run a website.

Last edited by acid_kewpie; 04-04-2013 at 03:04 AM.
 
Old 04-04-2013, 08:09 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172
McAfee, huh?

Here's a kilogram of salt. You'll need it.
 
Old 04-04-2013, 10:04 AM   #6
legolasthehansy
LQ Newbie
 
Registered: Dec 2006
Posts: 16

Original Poster
Rep: Reputation: 1
Thanks Guys.
It is information only and not being flagged as a vulnerability. This shouldn't be shown up in the first place so we'll talk to McAfee and get their input on what they think. I'm closing this thread as solved.
 
  


Reply

Tags
apache, ssl


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSL Version Question Doknik Linux - Software 3 02-22-2012 11:57 AM
[SOLVED] no version information available mahmoodn Ubuntu 19 04-29-2011 05:14 AM
How to know SSL Version deepak_message Linux - Server 1 01-22-2009 01:16 AM
ncurses version information msgforsunil Linux - Software 1 07-17-2006 04:27 PM
Version Information moetjojo Linux - Newbie 2 09-19-2002 04:44 AM


All times are GMT -5. The time now is 11:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration