Hi 

My host is with httpd-2.4.58-1/mod_ssl-2.4.58-1.ppc/  openssl.base 3.0.10.1002  is coming up with

It looks like the httpd version and maybe Strict-Transport-Security are not displayed on the curl output.  Is IBM's complied version of httpd 58 hiding it's version and SSL information? What version is it?  Any suggestions on passing a Tenable Scan?

NOTE: We have the basic stuff for HSTS in the config files.

 curl --insecure  -I https://10.140.204.17
HTTP/1.1 404 Not Found
Content-type: text/html; charset=UTF-8
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Cache-Control: no-cache,no-store
Connection: close
Pragma: no-cache

This is one of my Redhat system.

curl --insecure  -I https://host
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2024 21:11:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Wed, 26 Aug 2020 15:54:51 GMT
ETag: "138-5adc9d7070d40"
Accept-Ranges: bytes
Content-Length: 312
Content-Type: text/html; charset=UTF-8

Thanks for any information you can provide.

Vinny

------------------------------
Vinny G
------------------------------

Vinny,

Perhaps these will help :

http display : curl --head http://localhost 2>/dev/null|grep Server

https display : curl --insecure --head https://localhost 2>/dev/null|grep Server

Strict display : curl --insecure --head https://localhost 2>/dev/null|grep Strict

Regards

------------------------------
Scott Gruber

Original Message:
Sent: Wed March 27, 2024 05:16 PM
From: Vinny G
Subject: httpd-2.4.58-1 and Tenable

Hi 

My host is with httpd-2.4.58-1/mod_ssl-2.4.58-1.ppc/  openssl.base 3.0.10.1002  is coming up with

It looks like the httpd version and maybe Strict-Transport-Security are not displayed on the curl output.  Is IBM's complied version of httpd 58 hiding it's version and SSL information? What version is it?  Any suggestions on passing a Tenable Scan?

NOTE: We have the basic stuff for HSTS in the config files.

 curl --insecure  -I https://10.140.204.17
HTTP/1.1 404 Not Found
Content-type: text/html; charset=UTF-8
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Cache-Control: no-cache,no-store
Connection: close
Pragma: no-cache

This is one of my Redhat system.

curl --insecure  -I https://host
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2024 21:11:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Wed, 26 Aug 2020 15:54:51 GMT
ETag: "138-5adc9d7070d40"
Accept-Ranges: bytes
Content-Length: 312
Content-Type: text/html; charset=UTF-8

Thanks for any information you can provide.

Vinny

------------------------------
Vinny G
------------------------------

Scott

The command are good for my note but the just display the settings on the Redhat system but not the AIX system.  I'm trying to figure out if the IBM guys compiled stuff into httpd that prevent displaying information on the httpd or maybe my developers did something in the cfg that prevents the information from displaying.  As a result Tenable Scanner is flagging the system for running older version of httpd and SSL.

Vinny

Vinny,

Perhaps these will help :

http display : curl --head http://localhost 2>/dev/null|grep Server

https display : curl --insecure --head https://localhost 2>/dev/null|grep Server

Strict display : curl --insecure --head https://localhost 2>/dev/null|grep Strict

Regards

------------------------------
Scott Gruber

Original Message:
Sent: Wed March 27, 2024 05:16 PM
From: Vinny G
Subject: httpd-2.4.58-1 and Tenable

Hi 

My host is with httpd-2.4.58-1/mod_ssl-2.4.58-1.ppc/  openssl.base 3.0.10.1002  is coming up with

It looks like the httpd version and maybe Strict-Transport-Security are not displayed on the curl output.  Is IBM's complied version of httpd 58 hiding it's version and SSL information? What version is it?  Any suggestions on passing a Tenable Scan?

NOTE: We have the basic stuff for HSTS in the config files.

 curl --insecure  -I https://10.140.204.17
HTTP/1.1 404 Not Found
Content-type: text/html; charset=UTF-8
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Cache-Control: no-cache,no-store
Connection: close
Pragma: no-cache

This is one of my Redhat system.

curl --insecure  -I https://host
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2024 21:11:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Wed, 26 Aug 2020 15:54:51 GMT
ETag: "138-5adc9d7070d40"
Accept-Ranges: bytes
Content-Length: 312
Content-Type: text/html; charset=UTF-8

Thanks for any information you can provide.

Vinny

------------------------------
Vinny G
------------------------------

Hi Vinny,

With a valid IP, we are able to run the command successfully.
# curl --insecure  -I https://localhost
HTTP/1.1 200 OK
Date: Thu, 04 Apr 2024 06:18:59 GMT
Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1v PHP/8.1.22 mod_auth_gssapi/1.6.3 mod_auth_kerb/5.4 mod_wsgi/5.0.0 Python/3.9 SVN/1.10.8 mod_perl/2.0.13 Perl/v5.38.2
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html

FYI, Httpd 2.4.58 is linked against openssl 1.1.x and it will make use of the openssl installed in the system ( It uses lib*.so.1.1 shared object that comes with the openssl 3 archive) 

Scott

The command are good for my note but the just display the settings on the Redhat system but not the AIX system.  I'm trying to figure out if the IBM guys compiled stuff into httpd that prevent displaying information on the httpd or maybe my developers did something in the cfg that prevents the information from displaying.  As a result Tenable Scanner is flagging the system for running older version of httpd and SSL.

Vinny

Vinny,

Perhaps these will help :

http display : curl --head http://localhost 2>/dev/null|grep Server

https display : curl --insecure --head https://localhost 2>/dev/null|grep Server

Strict display : curl --insecure --head https://localhost 2>/dev/null|grep Strict

Regards

------------------------------
Scott Gruber

Original Message:
Sent: Wed March 27, 2024 05:16 PM
From: Vinny G
Subject: httpd-2.4.58-1 and Tenable

Hi 

My host is with httpd-2.4.58-1/mod_ssl-2.4.58-1.ppc/  openssl.base 3.0.10.1002  is coming up with

It looks like the httpd version and maybe Strict-Transport-Security are not displayed on the curl output.  Is IBM's complied version of httpd 58 hiding it's version and SSL information? What version is it?  Any suggestions on passing a Tenable Scan?

NOTE: We have the basic stuff for HSTS in the config files.

 curl --insecure  -I https://10.140.204.17
HTTP/1.1 404 Not Found
Content-type: text/html; charset=UTF-8
Expires: Thu, 29 Oct 1998 17:04:19 GMT
Cache-Control: no-cache,no-store
Connection: close
Pragma: no-cache

This is one of my Redhat system.

curl --insecure  -I https://host
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2024 21:11:58 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Strict-Transport-Security: max-age=15552000; includeSubDomains
Last-Modified: Wed, 26 Aug 2020 15:54:51 GMT
ETag: "138-5adc9d7070d40"
Accept-Ranges: bytes
Content-Length: 312
Content-Type: text/html; charset=UTF-8

Thanks for any information you can provide.

Vinny

------------------------------
Vinny G
------------------------------