08-27-2010, 04:17 AM
Is there any way I can find out what version of OpenSSL is being used on a server I don't admin? The reason I ask this question is that I'm trying to verify that a certain website is PCI compliant. I know from being PCI compliant on all of my own servers that you must have the latest installed ver of OpenSSL, otherwise you fail the PCI test. So, I'm trying to see what their ver is of OpenSSL, and if it's an older ver then I know they are not PCI scanning like they should be doing.
08-27-2010, 05:08 PM
If the server has a full server signature turned on, the OpenSSL version will be shown in that. The signature is printed at the bottom of all the generic Apache error pages (like 404 and 500).
Otherwise, do you happen to have shell access to the server? That'd make it really easy to check.
If you use the phpinfo function, it prints out the OpenSSL version under the Apache Environment header. Look for 'SSL version library'.
08-27-2010, 07:20 PM
No, I don't have shell access...
08-27-2010, 09:01 PM
If the server has PHP on it, then the phpinfo function will be your best bet. Have you used PHP before?
08-27-2010, 11:56 PM
Yep, I tried using phpinfo.php but they don't have that script installed.
08-28-2010, 04:33 AM
No, it isn't a file. It is a PHP function. Just create a file with a .php extension like test.php and in it put:
<?php phpinfo(); ?>
And upload it to your server and then go to the page in your browser. It should spit out a bunch of information.
08-29-2010, 08:01 PM
As I said in my original post, I don't have admin rights on this server, so am I at a dead end?
08-30-2010, 04:41 PM
Oh, I'm sorry. I didn't realize by that you meant you can't upload any files to it or anything. Then in that case, you are probably out of luck.
08-31-2010, 07:31 AM
Well, if it's an Apache server, try going to a non-existent page on the site/server and the default 404 page (assuming they do not use a custom defined one) will show the OpenSSL version, like:
The requested URL /anything/ was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a mod_fcgid/2.3.5 Phusion_Passenger/2.2.15 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/22.214.171.12435 Server at domain.com Port 80
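The signature line quoted in the last post can be read programmatically. The following is an added Python example, not code from the thread: it splits a `Server` header value or a ServerSignature footer into product/version tokens and reports how much the banner discloses. The function names and level labels are hypothetical; the sample string is the one from the post above.

```python
import re

# Footer that ServerSignature appends on error pages: " Server at host Port N".
_FOOTER = re.compile(r"\s+Server at \S+ Port \d+\s*$")
# Parenthesised comments such as "(Unix)" or "(Red Hat)".
_COMMENT = re.compile(r"\([^)]*\)")
# One product token: name, optionally followed by "/version".
_TOKEN = re.compile(r"([^\s/]+)(?:/(\S+))?")

# Signature line taken from the post above.
SAMPLE = ("Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a mod_fcgid/2.3.5 "
          "Phusion_Passenger/2.2.15 mod_auth_passthrough/2.1 mod_bwlimited/1.4 "
          "FrontPage/22.214.171.12435 Server at domain.com Port 80")


def parse_banner(banner):
    """Return {product: version or None}, in the order the banner lists them."""
    text = _FOOTER.sub("", banner.strip())
    text = _COMMENT.sub(" ", text)
    products = {}
    for chunk in text.split():
        match = _TOKEN.fullmatch(chunk)
        if match:
            products[match.group(1)] = match.group(2)
    return products


def disclosure_report(banner):
    """Classify what a banner reveals, for reviewing a server you run."""
    products = parse_banner(banner)
    names = list(products)
    if not names:
        level = "none"      # no banner at all
    elif len(names) > 1:
        level = "full"      # modules and libraries listed (ServerTokens Full)
    elif products[names[0]]:
        level = "version"   # server version shown, no modules
    else:
        level = "product"   # product name only (ServerTokens Prod)
    return {"level": level,
            "versioned": sorted(n for n in names if products[n]),
            "openssl": products.get("OpenSSL")}


if __name__ == "__main__":
    print(disclosure_report(SAMPLE))
```

Distribution packages often backport security fixes without changing the version string, so an old OpenSSL version in a banner does not by itself show the server is unpatched. On your own Apache servers, `ServerTokens Prod` and `ServerSignature Off` reduce the header to the product name and remove the footer from error pages.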