OT: SCO 5 6.0.0 - cURL Binaries / upgrade
Jose Lerebours
fpgroups at gmail.com
Fri Mar 11 07:30:39 PST 2022
The problem as far as non-compliant is at the filePro box - running SCO 5.
I have a cloud-based gateway, if you will, which is par and fully patched,
hence the reason SCO box is being rejected.

As a SaaS, I provide an API that my customers use as a gateway to reach
their CC Processing Providers, through this, I make it easier for them to
simplify their code and give them the ability to POST requests in a simple
form and my API Server deals with the WSDL, CURL, JSON, XML conversion
up/down and reply back in a chosen format (json, csv, plain text ...).

The Processing company in this case has upgraded their TLS to a recent
version, I in turn followed through and made changes on my end to make sure
my SaaS reaches them in the required version/encryption - Testing within my
local server works well - testing my development box (which is also up to
date) works just fine but from the SCO box is where we are having issues.

They have so much stuff going on in the SCO box that they are reluctant
to even change a file name on it! I can totally understand that, their
store runs on this box and it goes well beyond their filePro application.

I have been suggested to look into using rsync as means to POST to my
SaaS Server having the source file encrypted locally (@ the SCO box)
and then decrypting the file prior to POST up to Processing Company.

This suggestion may be a viable solution and data can be safely moved
UP/DOWN the process - I was also thinking of a way to hash the CC #
and reverse that later so that the CC # is not in plain text at any
time. This may present another problem, given the different OSes,
versions, and everything else, I may not be able to siphon the hashed CC #.

On 3/11/22 10:03 AM, ken white via Filepro-list wrote:
> I wonder what version of openssl is installed. According to openssl.org
> all versions prior to 1.1.1 are out of date and no longer supported.
> Therefore if your software is dependent on openssl, I believe that versions
> prior to 1.1.1 would no longer be considered as PCI compliant. Version
> 0.9.8 installed as a supplement for SCO 6.0.0 was EOL 2016. Even version
> 1.1.1 has a few high severity CVE's listed which require patching.
> Depending on the flavor of their PCI SAQ, the responsible party signing
> their annual PCI SAQ should be very concerned.
>
> -----Original Message-----
> From: Filepro-list
> <filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On Behalf Of
> Fairlight via Filepro-list
> Sent: Thursday, March 10, 2022 2:00 PM
> To: filepro-list at lists.celestial.com
> Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade
>
> They don't have to jump for joy. Is it a business requirement, or is it
> someone's pet wishlist item? If the former, it is what it is. If the
> latter, it's optional and can be given a pass.
>
> Places can either afford to play ball in their industries, or not. It's not
> negotiable, any more than us needing internet service, and not wanting to
> pay for it, for instance. It's not optional if you want the specified
> result. If it's what's required of the business, it's required. That's how
> 'required' works. Happiness doesn't enter into it.
>
> God forbid someone need an ISO or SOX audit. Those cost a mint, and I've
> never known anyone who was 'happy' to absorb the price.
> "Choiceless" is the best fitting adjective for situations like these.
>
> Nobody should be on SCO these days, if they want to take advantage of any
> open source software. libopenssl/libssl2 versions features vs restrictions
> -alone- are a compelling case for getting off of SCO, nevermind the bigger
> picture. It's not a sustainable platform in today's security landscape,
> -especially- the way Xinuos likes to do things. You will almost always be
> at least half a year to two years behind the curve, and God help you if a
> zero day exploit is discovered, because -they're- certainly not going to
> jump right on that.
>
> m->
>
>
> On Thu, Mar 10, 2022 at 12:07:20PM -0500, Jose Lerebours via Filepro-list
> thus spoke:
>> Thanks Mark!
>>
>> Migrating to LINUX may be the next best thing - based on your reply,
>> it is the ONLY best thing. ;-)
>>
>> Not exactly what I was hoping to hear - I am sure they are not going
>> to jump for joy either!
>>
>> Regards,
>>
>>
>> On 3/10/22 11:26 AM, Fairlight via Filepro-list wrote:
>>> The problem isn't curl itself. The problem is that you need a
>>> sufficiently high OpenSSL version on the system against which curl
>>> can be compiled.
>>>
>>> The only people who can truly help with this are Xinuos. At one
>>> point a few years back, they were recommending an upgrade to their
>>> latest combo Unix platform, and had forward-looking plans to release
>>> just such an OpenSSL version (which by the time they would have
>>> gotten done would have been over six months behind reality). They
>>> were only going to offer it for their latest version of OpenServer.
>>>
>>> It was a bad bet to wait on them.
>>>
>>> If you're serious about eCommerce, get them off SCO. It's a dying
>>> platform for anything to do with security and interoperability.
>>>
>>> OpenSSL is also notoriously bitchy to compile, especially on SCO.
>>>
>>> Given a system with a usable devkit, I'd be willing to make the
>>> attempt, but it would -cost-, and not just a little. $25k minimum
>>> for the attempt, succeed or fail; more on success. That's how
>>> bitchy it tends to be, historically, and how much it would need to
>>> be made worth my time to even make the attempt in good faith, on a
>>> dead platform. Anyone doing it for less is a fool, especially when
>>> you realise that it's going to support a credit card gateway system
>>> which will be the cornerstone of someone's business for years to
>>> come. You get your money out of that up-front, because you'll never
>>> see another cent out of it afterwards, if you do it correctly. At
>>> least not until the next mandatory TLS bump. So how much do they
>>> -actually- want to do their credit card processing on SCO? :)
>>>
>>> They're better off being migrated to Linux. Barring that, no, it
>>> wouldn't (and shouldn't) be inexpensive.
>>>
>>> m->
>>>
>>>
>>> On Thu, Mar 10, 2022 at 10:01:01AM -0500, Jose Lerebours via Filepro-list thus spoke:
>>>> Waaaaay off topic but I have to ask:
>>>>
>>>> I have a customer that is running on SCO 5 v6.0.0 and credit card
>>>> processing company will no longer accept TLS lesser than 1.2; it
>>>> appears that with that, we need to upgrade cURL from its current
>>>> version of 7.2.### to a more recent version.
>>>>
>>>> Do any of you (a) have a copy of cURL that would care to share
>>>> (purchasing is an option BTW), (b) know of a link where said
>>>> binaries could be found.
>>>>
>>>> Thank you all in advance for your assistance!
>>>>
>>>>
>>>> --
>>>> Jose Lerebours
>>>> 954-559-7186
>>>> https://www.asisuites.com
>>>> Accounting - Retail - Wholesale - Distribution Manufacturing -
>>>> Warehousing - Transportation - eCommerce - Web Development
>>>>
>>>> _______________________________________________
>>>> Filepro-list mailing list
>>>> Filepro-list at lists.celestial.com
>>>> Subscribe/Unsubscribe/Subscription Changes
>>>> http://mailman.celestial.com/mailman/listinfo/filepro-list
>>>>
> --
> Audi omnia, crede nihil.
--
Jose Lerebours
954-559-7186
https://www.asisuites.com
Accounting - Retail - Wholesale - Distribution
Manufacturing - Warehousing - Transportation - eCommerce - Web Development
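
Added example, not part of the original thread: the quoted replies point out that what matters is the OpenSSL version curl is built against, so this sketch classifies a `curl --version` banner on that basis. The function names and sample banners are constructed for illustration; the 1.0.1 threshold is where OpenSSL first gained TLS 1.2, and the 1.1.1 threshold is the support cut-off stated in the quoted reply.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Classifies a `curl --version` banner by the OpenSSL it was built against:
#   no-tls12   OpenSSL older than 1.0.1, which cannot negotiate TLS 1.2
#   tls12-eol  1.0.1 up to (not including) 1.1.1: TLS 1.2 works, but the
#              thread describes everything prior to 1.1.1 as unsupported
#   tls12      1.1.1 or newer
#   unknown    no OpenSSL/x.y.z token (e.g. curl built on another TLS library)

# Print the version that follows "OpenSSL/" in the banner, if any.
openssl_from_banner() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^OpenSSL/||p' | head -n 1
}

# Map "0.9.8r", "1.0.2k-fips", "3.0.2" to major*10000 + minor*100 + patch.
version_key() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' |
        awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

classify_banner() {
    ver=$(openssl_from_banner "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    key=$(version_key "$ver")
    if [ "$key" -lt 10001 ]; then echo no-tls12
    elif [ "$key" -lt 10101 ]; then echo tls12-eol
    else echo tls12
    fi
}

# Constructed sample banners (first line of `curl --version`), not captured output.
SAMPLE_LEGACY='curl 7.19.7 (i586-legacy-unix) libcurl/7.19.7 OpenSSL/0.9.8r zlib/1.2.3'
SAMPLE_EOL='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.2k-fips zlib/1.2.7'
SAMPLE_CURRENT='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_OTHER='curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3'

for banner in "$SAMPLE_LEGACY" "$SAMPLE_EOL" "$SAMPLE_CURRENT" "$SAMPLE_OTHER"; do
    printf '%-10s %s\n' "$(classify_banner "$banner")" "$banner"
done

# On a real host: classify_banner "$(curl --version)"
```

A `tls12` or `tls12-eol` result only says the library is capable of TLS 1.2; whether the processor accepts the connection still depends on the cipher suites both sides share.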