Reported version numbers of base openssl and sshd

Jung-uk Kim jkim at FreeBSD.org
Tue Oct 4 22:30:55 UTC 2016


On 10/04/2016 18:21, Ngie Cooper wrote:
> (CCing the current maintainers for OpenSSL and ssh)
> 
>> On Oct 5, 2016, at 00:16, Roger Eddins <roger at purplecat.net> wrote:
>>
>> Dear Maintainers,
>>
>> Thank you for your excellent efforts in maintaining the FreeBSD code base.  
>>
>> Question:  Could version number obfuscation be added to openssl and sshd or
>> have the proper relative patch version number reported from the binaries in
>> the base system?
>>
>> Reasoning:  PCI compliance is becoming an extreme problem due to scanning
>> false positives from certain vendors and a big time waster with older
>> FreeBSD releases reporting the original base version number even after patch
>> updates.  This is requiring us to compile/run openssl port and
>> openssh-portable creating a highly unnecessary maintenance burden on our
>> admins when the package binaries would be sufficient if these core base
>> components would report the latest version number.  Of course, blocking the
>> scanning engines on certain ports is an easy trick but that doesn't solve
>> the root cause of the problem.  We have a snowflake type environment for
>> custom hosting solutions so that hopefully gives a good picture of why using
>> ports for these core components is so time consuming.
>>
>> If the official stance is to use openssl port and openssh-portable just so
>> the FreeBSD OS can report back the latest version number to PCI scanning
>> engines, so be it, but it makes little sense at least in the context we exist in
>> and interfacing with PCI compliance vendors.
> 
>     I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version-number-wise. But I'm guessing you have a straightforward idea that could be described.

As an OpenSSL maintainer for the base, I always try to merge the latest
OpenSSL releases.  For releng branches, so@ is in total control.

Jung-uk Kim
