From: Jung-uk Kim <jkim@FreeBSD.org>
To: Ngie Cooper, roger@purplecat.net
Cc: freebsd-hackers@freebsd.org, des@FreeBSD.org
Subject: Re: Reported version numbers of base openssl and sshd
Date: Tue, 4 Oct 2016 18:30:50 -0400
Message-ID: <9e7742fa-a995-b58f-8cd3-30d77d4fab6c@FreeBSD.org>
In-Reply-To: <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>

On 10/04/2016 18:21, Ngie Cooper wrote:
> (CCing the current maintainers for OpenSSL and ssh)
>
>> On Oct 5, 2016, at 00:16, Roger Eddins wrote:
>>
>> Dear Maintainers,
>>
>> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>>
>> Question: Could version number obfuscation be added to openssl and sshd, or
>> could the proper relative patch version number be reported from the binaries
>> in the base system?
>>
>> Reasoning: PCI compliance is becoming an extreme problem due to scanning
>> false positives from certain vendors and a big time waster with older
>> FreeBSD releases reporting the original base version number even after patch
>> updates. This is requiring us to compile/run the openssl port and
>> openssh-portable, creating a highly unnecessary maintenance burden on our
>> admins when the package binaries would be sufficient if these core base
>> components would report the latest version number. Of course, blocking the
>> scanning engines on certain ports is an easy trick, but that doesn't solve
>> the root cause of the problem. We have a snowflake-type environment for
>> custom hosting solutions, so that hopefully gives a good picture of why using
>> ports for these core components is so time consuming.
>>
>> If the official stance is to use the openssl port and openssh-portable just so
>> the FreeBSD OS can report back the latest version number to PCI scanning
>> engines, so be it, but it makes little sense, at least in the context we exist
>> in and interfacing with PCI compliance vendors.
>
> I think this request sounds reasonable. I don't know how difficult it might be
> or what exactly you have in mind version-number-wise, but I'm guessing you have
> a straightforward idea that could be described.

As an OpenSSL maintainer for the base, I always try to merge the latest OpenSSL
releases. For releng branches, so@ is in total control.

Jung-uk Kim