From owner-freebsd-hackers@freebsd.org Wed Oct 5 12:25:42 2016
Subject: Re: Reported version numbers of base openssl and sshd
From: Roger Eddins
Date: Wed, 05 Oct 2016 08:25:36 -0400
To: Dag-Erling Smørgrav
CC: freebsd-hackers@freebsd.org
Message-ID: <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com>
In-Reply-To: <86oa2z9un2.fsf@desk.des.no>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no>
List-Id: Technical Discussions relating to FreeBSD
Dag-Erling,

I agree with your premise 100%, and it's true the tool wielders are taking the easy road out by simply doing a version check, but that road may make sense from a bandwidth and CPU standpoint for their systems, and it comes down to perception more so than education. I think from an accuracy standpoint it would make more academic sense to report an updated version number, or at least a build number, so the scanners can make an intelligent decision. Across the board we are finding other processes in commerce tools rejecting transactions due to version number deficiencies, and the problem is growing rapidly.

My hope would be that the team would reconsider the version number question, as it is the biggest deficiency we experience daily using the FreeBSD OS. Standing on a principle is great in concept, but practical application sometimes overrides principle from a common sense perspective.

Thank you for your consideration on this important question.

Roger

Roger Eddins
Purplecat Networks Inc.
www.purplecat.net

On Oct 5, 2016, 2:28 AM, "Dag-Erling Smørgrav" wrote:

> "Roger Eddins" writes:
>> Question: Could version number obfuscation be added to openssl and sshd or
>> have the proper relative patch version number reported from the binaries in
>> the base system?
>>
>> Reasoning: PCI compliance is becoming an extreme problem due to scanning
>> false positives from certain vendors and a big time waster with older
>> FreeBSD releases reporting the original base version number even after patch
>> updates.
>
> I've been asked this before. My answer was that either the tools or the
> people wielding them are deficient, and I haven't changed my mind.
>
> How do they handle RHEL?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no