Reported version numbers of base openssl and sshd
Ngie Cooper
yaneurabeya at gmail.com
Tue Oct 4 22:21:49 UTC 2016
(CCing the current maintainers for OpenSSL and ssh)
> On Oct 5, 2016, at 00:16, Roger Eddins <roger at purplecat.net> wrote:
>
> Dear Maintainers,
>
> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>
> Question: Could version number obfuscation be added to openssl and sshd or
> have the proper relative patch version number reported from the binaries in
> the base system?
>
> Reasoning: PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates. This is requiring us to compile/run openssl port and
> openssh-portable creating a highly unnecessary maintenance burden on our
> admins when the package binaries would be sufficient if these core base
> components would report the latest version number. Of course, blocking the
> scanning engines on certain ports is an easy trick but that doesn't solve
> the root cause of the problem. We have a snowflake type environment for
> custom hosting solutions so that hopefully gives a good picture of why using
> ports for these core components is so time consuming.
>
> If the official stance is to use openssl port and openssh-portable just so
> the FreeBSD OS can report back the latest version number to PCI scanning
> engines, so be it, but it makes little sense at least in the context we exist in
> and interfacing with PCI compliance vendors.
I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version-number-wise, but I'm guessing you have a straightforward idea that could be described.
Thanks!
-Ngie
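The false-positive mechanism Roger describes is a scanner reading the sshd identification string and comparing only the upstream OpenSSH version, ignoring the vendor patch tag that a backported fix leaves in the comment field. The following is an added example, not code from this thread or from FreeBSD: it parses the RFC 4253 identification string into its parts and contrasts a naive version-only check with one that honours a vendor patch date. The banner lines, the `FreeBSD-YYYYMMDD` comment convention as used here, and the advisory dates are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Assumed vendor convention for this example: a comment of the form
# "FreeBSD-YYYYMMDD" carrying the date of the last vendor patch.
_VENDOR_DATE_RE = re.compile(r"FreeBSD-(\d{8})")


@dataclass
class SshBanner:
    proto: str
    software: str
    comments: Optional[str]


def parse_ssh_banner(line: str) -> SshBanner:
    """Split an SSH identification string into protocol, software and comment."""
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable-patch) for an OpenSSH software field, else None."""
    m = re.match(r"^OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", software)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def vendor_patch_date(banner: SshBanner) -> Optional[int]:
    """Extract the vendor patch date (as an int YYYYMMDD) from the comment field."""
    if not banner.comments:
        return None
    m = _VENDOR_DATE_RE.search(banner.comments)
    return int(m.group(1)) if m else None


def naive_flag(banner: SshBanner, min_version: Tuple[int, int, int]) -> bool:
    """What a version-only scanner does: flag anything older than the fixed upstream release."""
    v = openssh_version(banner.software)
    return v is not None and v < min_version


def patch_aware_flag(
    banner: SshBanner, min_version: Tuple[int, int, int], fixed_on: int
) -> bool:
    """Flag only if the upstream version is old AND no vendor patch on/after fixed_on is advertised."""
    if not naive_flag(banner, min_version):
        return False
    date = vendor_patch_date(banner)
    return date is None or date < fixed_on


if __name__ == "__main__":
    # Constructed sample banner: an older upstream version with a vendor patch tag.
    sample = parse_ssh_banner("SSH-2.0-OpenSSH_7.2 FreeBSD-20160310\r\n")
    print("naive:", naive_flag(sample, (7, 3, 0)))
    print("patch-aware:", patch_aware_flag(sample, (7, 3, 0), fixed_on=20160301))
```

The two checks disagree exactly in the situation the thread complains about: the upstream version string alone says "old", while the vendor tag says the fix was applied. Whether a scanner accepts the vendor tag as evidence is a policy question for the scanning vendor, which is why the thread frames the banner itself as the thing to change.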