From: Ngie Cooper
To: roger@purplecat.net
Cc: freebsd-hackers@freebsd.org, des@FreeBSD.org, jkim@FreeBSD.org
Subject: Re: Reported version numbers of base openssl and sshd
Date: Wed, 5 Oct 2016 07:21:46 +0900
Message-Id: <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
In-Reply-To: <01eb01d21e52$4a7f1640$df7d42c0$@net>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

(CCing the current maintainers for OpenSSL and ssh)

> On Oct 5, 2016, at 00:16, Roger Eddins wrote:
>
> Dear Maintainers,
>
> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>
> Question: Could version number obfuscation be added to openssl and sshd or
> have the proper relative patch version number reported from the binaries in
> the base system?
>
> Reasoning: PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates. This is requiring us to compile/run openssl port and
> openssh-portable, creating a highly unnecessary maintenance burden on our
> admins when the package binaries would be sufficient if these core base
> components would report the latest version number. Of course, blocking the
> scanning engines on certain ports is an easy trick, but that doesn't solve
> the root cause of the problem. We have a snowflake type environment for
> custom hosting solutions, so that hopefully gives a good picture of why using
> ports for these core components is so time consuming.
>
> If the official stance is to use openssl port and openssh-portable just so
> the FreeBSD OS can report back the latest version number to PCI scanning
> engines, so be it, but it makes little sense at least in the context we exist in
> and interfacing with PCI compliance vendors.

I think this request sounds reasonable. I don't know how difficult it might
be or what exactly you have in mind version number wise... But I'm guessing
you have a straightforward idea that could be described.

Thanks!
-Ngie
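What a banner-matching scanner actually keys on, as an added example that is not part of this thread and not FreeBSD's or OpenSSH's code: a POSIX sh parser for the SSH identification string defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`), run over constructed banners. The scanner compares only the `softwareversion` field against its table of vulnerable versions; anything a vendor puts in the free-form `comments` field (FreeBSD appends a `FreeBSD-YYYYMMDD` tag there) is invisible to that match, which is why an in-place patched base sshd still trips the check. The banner strings, the `OpenSSH_7.2`/`OpenSSH_7.3` values and the `scanner_verdict` function are constructed sample input and a stand-in for a scanner's lookup, not any vendor's logic.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Parses an SSH identification string (RFC 4253 s.4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# and shows which field a banner-matching vulnerability scanner compares.

# Print protoversion, softwareversion and comments on three lines.
# Strips a trailing CR so a banner captured off the wire parses too.
ssh_banner_fields() {
    banner=$(printf '%s' "$1" | tr -d '\r')
    case "$banner" in
        SSH-*) ;;
        *) echo "not an SSH identification string: $banner" >&2; return 1 ;;
    esac
    ident=${banner%% *}           # everything up to the first space
    comments=${banner#"$ident"}   # remainder, possibly empty
    comments=${comments# }        # drop the single separating space
    rest=${ident#SSH-}
    proto=${rest%%-*}             # "2.0"
    software=${rest#*-}           # "OpenSSH_7.2"
    printf '%s\n%s\n%s\n' "$proto" "$software" "$comments"
}

# The field a version-table scanner matches on.
ssh_software_version() {
    ssh_banner_fields "$1" | sed -n 2p
}

# The vendor comment the scanner ignores (e.g. FreeBSD's patch-date tag).
ssh_banner_comments() {
    ssh_banner_fields "$1" | sed -n 3p
}

# Stand-in for the scanner's rule: $1 is the banner, $2 the softwareversion
# the scanner's table lists as vulnerable. Prints "flagged" or "clean".
# Same softwareversion gives the same verdict whatever the comments say.
scanner_verdict() {
    if [ "$(ssh_software_version "$1")" = "$2" ]; then
        echo flagged
    else
        echo clean
    fi
}

# Constructed sample banners (not captured from any real host):
#   base-system sshd after a binary patch: softwareversion unchanged,
#   only the vendor comment differs from the release banner.
BASE_BANNER='SSH-2.0-OpenSSH_7.2 FreeBSD-20160310'
#   openssh-portable from ports: upstream release version, no comment.
PORT_BANNER='SSH-2.0-OpenSSH_7.3'

main() {
    for b in "$BASE_BANNER" "$PORT_BANNER"; do
        printf 'banner:   %s\n' "$b"
        printf 'matched:  %s\n' "$(ssh_software_version "$b")"
        printf 'ignored:  %s\n' "$(ssh_banner_comments "$b")"
        printf 'verdict:  %s\n\n' "$(scanner_verdict "$b" OpenSSH_7.2)"
    done
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

On a FreeBSD host the real inputs for this comparison are the live banner, `nc -w 3 host 22 | head -n 1`, and the userland patch level, `freebsd-version -u` (plus `openssl version` for the library); the banner's `softwareversion` stays at the release value across binary updates, which is the mismatch the request above describes.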