Date:      Wed, 5 Oct 2016 07:21:46 +0900
From:      Ngie Cooper <yaneurabeya@gmail.com>
To:        roger@purplecat.net
Cc:        freebsd-hackers@freebsd.org, des@FreeBSD.org, jkim@FreeBSD.org
Subject:   Re: Reported version numbers of base openssl and sshd
Message-ID:  <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
In-Reply-To: <01eb01d21e52$4a7f1640$df7d42c0$@net>
References:  <01eb01d21e52$4a7f1640$df7d42c0$@net>

(CCing the current maintainers for OpenSSL and ssh)

> On Oct 5, 2016, at 00:16, Roger Eddins <roger@purplecat.net> wrote:
>
> Dear Maintainers,
>
> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>
> Question:  Could version number obfuscation be added to openssl and sshd, or
> have the proper relative patch version number reported from the binaries in
> the base system?
>
> Reasoning:  PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates.  This is requiring us to compile/run the openssl port and
> openssh-portable, creating a highly unnecessary maintenance burden on our
> admins when the package binaries would be sufficient if these core base
> components would report the latest version number.  Of course, blocking the
> scanning engines on certain ports is an easy trick, but that doesn't solve
> the root cause of the problem.  We have a snowflake-type environment for
> custom hosting solutions, so that hopefully gives a good picture of why using
> ports for these core components is so time consuming.
>
> If the official stance is to use the openssl port and openssh-portable just so
> the FreeBSD OS can report back the latest version number to PCI scanning
> engines, so be it, but it makes little sense, at least in the context we exist in
> and interfacing with PCI compliance vendors.

    I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version number-wise, but I'm guessing you have a straightforward idea that could be described.
Thanks!
-Ngie
