From: "Roger Eddins"
Subject: Reported version numbers of base openssl and sshd
Date: Tue, 4 Oct 2016 11:16:32 -0400
Message-ID: <01eb01d21e52$4a7f1640$df7d42c0$@net>
List-Id: Technical Discussions relating to FreeBSD
X-BeenThere: freebsd-hackers@freebsd.org

Dear Maintainers,

Thank you for your excellent efforts in maintaining the FreeBSD code base.

Question: Could version number obfuscation be added to openssl and sshd, or could the proper relative patch version number be reported from the binaries in the base system?

Reasoning: PCI compliance is becoming an extreme problem due to scanning false positives from certain vendors, and a big time waster with older FreeBSD releases reporting the original base version number even after patch updates. This is requiring us to compile/run the openssl port and openssh-portable, creating a highly unnecessary maintenance burden on our admins, when the package binaries would be sufficient if these core base components would report the latest version number. Of course, blocking the scanning engines on certain ports is an easy trick, but that doesn't solve the root cause of the problem. We have a snowflake-type environment for custom hosting solutions, so that hopefully gives a good picture of why using ports for these core components is so time consuming. If the official stance is to use the openssl port and openssh-portable just so the FreeBSD OS can report back the latest version number to PCI scanning engines, so be it, but it makes little sense, at least in the context we exist in and interfacing with PCI compliance vendors.

Thank you,
Roger Eddins
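The mismatch Roger describes is between what a network scanner sees (the sshd and OpenSSL banners) and what the host actually has installed (the base-system patch level). The script below is an added example, not part of the mailing-list message or of any FreeBSD tooling: it pulls the three values apart so an admin can hand an auditor the evidence that a banner-based finding is a false positive. The banner and version strings are constructed samples in the formats a FreeBSD 10.x base system reports ("FreeBSD-YYYYMMDD" appended to the sshd banner, "-freebsd" appended to the OpenSSL version, "-pN" on `freebsd-version -u`); on a real FreeBSD host the script gathers live values instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post): compare the network-visible
# banners with the userland patch level FreeBSD actually reports.
# The SAMPLE_* values are constructed to resemble a FreeBSD 10.3 host in 2016.

SAMPLE_SSH_BANNER='SSH-2.0-OpenSSH_7.2 FreeBSD-20160310'
SAMPLE_OPENSSL_VERSION='OpenSSL 1.0.2h-freebsd  3 May 2016'
SAMPLE_FREEBSD_VERSION='10.3-RELEASE-p9'      # what `freebsd-version -u` prints

# Upstream OpenSSH version as advertised after "SSH-2.0-" (what scanners key on).
ssh_upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-\(OpenSSH_[^ ]*\).*/\1/p'
}

# FreeBSD's own date tag on the base sshd banner; it is NOT the patch level.
ssh_freebsd_tag() {
    printf '%s\n' "$1" | sed -n 's/.*\(FreeBSD-[0-9]\{8\}\).*/\1/p'
}

# Security/errata patch level ("-pN") from freebsd-version output; 0 if unpatched.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# True when the OpenSSL binary is the base-system one rather than the port.
is_base_openssl() {
    case "$1" in
        OpenSSL\ *-freebsd*) return 0 ;;
        *)                   return 1 ;;
    esac
}

report() {
    banner=$1; osslver=$2; fbver=$3
    echo "sshd banner advertises : $(ssh_upstream_version "$banner") $(ssh_freebsd_tag "$banner")"
    echo "openssl binary reports : $osslver"
    echo "userland patch level   : $fbver (patch level $(patch_level "$fbver"))"
    if is_base_openssl "$osslver"; then
        echo "note: base OpenSSL; its version string tracks the import, not SA patches"
    else
        echo "note: OpenSSL from ports/packages; version string tracks upstream releases"
    fi
    echo "note: the banner date tag and the -pN level are independent; cite the -pN"
    echo "      level and the applied SA identifiers when disputing a banner finding"
}

# Live mode on a FreeBSD host (nc is in base there); sample mode elsewhere.
if command -v freebsd-version >/dev/null 2>&1; then
    live_banner=$(printf '' | nc -w 2 127.0.0.1 22 2>/dev/null | head -n 1 | tr -d '\r')
    report "${live_banner:-$SAMPLE_SSH_BANNER}" "$(openssl version)" "$(freebsd-version -u)"
else
    report "$SAMPLE_SSH_BANNER" "$SAMPLE_OPENSSL_VERSION" "$SAMPLE_FREEBSD_VERSION"
fi
```

Run it as root on the scanned host and attach the output to the compliance ticket; the point it makes is that neither banner string changes when a security advisory is applied via freebsd-update, so the `-pN` level (plus the list of SAs it covers) is the authoritative evidence, not the banner.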