Internal IP Exposed

Abdul Qoyyuum aqoyyuum at
Mon Mar 25 00:33:55 UTC 2019

Hi all,

New to the mailing list and a complete newbie to openssl and the likes.
There's a ticket by a client that I'm new at and he claims that there's a
security problem with the openssl command to his servers.

Internal IP exposed after running a openssl (version 1.1.0j) connect

openssl s_client -connect 103.XX.XXX.XX:10443 -quiet

Where 103.XX.XXX.XX is a Public IP. And after it shows the certificates,
typed the following:

GET /images HTTP/1.0

And hit enter twice, the following gets displayed:

HTTP/1.0 301 Moved Permanently
Date: Mon, 25 Mar 2019 00:10:13 GMT
Server: xxxxxxxx-xxxxx
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=28800

<TITLE>301 Moved Permanently</TITLE>
<H1>Moved Permanently</H1>
The document has moved <A HREF="">here</A>.<P>

The is an internal IP and it is exposed by this little method.
Although not shown when using curl -kv -O command.

Is there a way to cover up the "Location" or at least the internal IP from
being exposed? Thanks.
Sorry if this isn't clear or if this is the wrong place to ask this.

Abdul Qoyyuum Bin Haji Abdul Kadir
HP No: +673 720 8043
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list