OT: SCO 5 6.0.0 - cURL Binaries / upgrade

Fairlight fairlite at fairlite.com
Fri Mar 11 08:08:32 PST 2022


Honestly, based on what you just said, and what Bill suggested, I'm not
convinced that just interjecting a system in the middle is sufficient.

Sure, the gateway company will be satisfied.

You still would have a link in the chain which is not PCI compliant.
That's a problem, legally speaking.  If anyone ever found out, you'd be
boned.  EVERY hop in the chain needs to be compliant.

m->


On Fri, Mar 11, 2022 at 10:30:39AM -0500, Jose Lerebours via Filepro-list thus spoke:
> The problem as far as non-compliant is at the filePro box - running SCO 5.
> 
> I have a cloud based gateway, if you will, which is par and fully patched,
> hence the reason SCO box
> is being rejected.
> 
> As a SaaS, I provide an API that my customers use as a gateway to reach
> their CC Processing Providers, through this,
> I make it easier for them to simplify their code and give them the ability
> to POST requests in a simple form and my API Server
> deals with the WSDL, CURL, JSON, XML conversion up/down and reply back in a
> chosen format (json, csv, plain text ...).
> 
> The Processing company in this case has upgraded their TLS to a recent
> version, I in turn followed through and made changes on my end
> to make sure my SaaS reaches them in the required version/encryption -
> Testing within my local server works well - testing my
> development box (which is also up to date) works just fine but from the SCO
> box is where we are having issues.
> 
> They have so much stuff going on in the SCO box that they are reluctant to
> even change a file name on it!   I can totally understand that,
> their store runs on this box and it goes well beyond their filePro
> application.
> 
> It was suggested that I look into using rsync as a means to POST to my SaaS
> Server having the source file encrypted locally (@ the SCO box)
> and then decrypting the file prior to POST up to Processing Company.
> 
> This suggestion may be a viable solution and data can be safely moved
> UP/DOWN the process - I was also thinking of a way to hash the CC #
> and reverse that later so that the CC # is not in plain text at any time. 
> This may present another problem, given the different OSes, versions,
> and everything else, I may not be able to siphon the hashed CC #.
> 
> 
> 
> 
> On 3/11/22 10:03 AM, ken white via Filepro-list wrote:
> > I wonder what version of openssl is installed.   According to openssl.org
> > all versions prior to 1.1.1 are out of date and no longer supported.
> > Therefore if your software is dependent on openssl, I believe that versions
> > prior to 1.1.1 would no longer be considered as PCI compliant.  Version
> > 0.9.8 installed as a supplement for SCO 6.0.0 was EOL 2016.  Even version
> > 1.1.1 has a few high severity CVEs listed which require patching.
> > Depending on the flavor of their PCI SAQ, the responsible party signing
> > their annual PCI SAQ should be very concerned.
> > -----Original Message-----
> > From: Filepro-list
> > <filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On Behalf Of
> > Fairlight via Filepro-list
> > Sent: Thursday, March 10, 2022 2:00 PM
> > To: filepro-list at lists.celestial.com
> > Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade
> > 
> > They don't have to jump for joy.  Is it a business requirement, or is it
> > someone's pet wishlist item?  If the former, it is what it is.  If the
> > latter, it's optional and can be given a pass.
> > 
> > Places can either afford to play ball in their industries, or not.  It's not
> > negotiable, any more than us needing internet service, and not wanting to
> > pay for it, for instance.  It's not optional if you want the specified
> > result.  If it's what's required of the business, it's required.  That's how
> > 'required' works.  Happiness doesn't enter into it.
> > 
> > God forbid someone need an ISO or SOX audit.  Those cost a mint, and I've
> > never known anyone who was 'happy' to absorb the price.
> > "Choiceless" is the best fitting adjective for situations like these.
> > 
> > Nobody should be on SCO these days, if they want to take advantage of any
> > open source software. libopenssl/libssl2 versions features vs restrictions
> > -alone- are a compelling case for getting off of SCO, never mind the bigger
> > picture.  It's not a sustainable platform in today's security landscape,
> > -especially- the way Xinuos likes to do things.  You will almost always be
> > at least half a year to two years behind the curve, and God help you if a
> > zero day exploit is discovered, because -they're- certainly not going to
> > jump right on that.
> > 
> > m->
> > 
> > 
> > On Thu, Mar 10, 2022 at 12:07:20PM -0500, Jose Lerebours via Filepro-list
> > thus spoke:
> > > Thanks Mark!
> > > 
> > > Migrating to LINUX may be the next best thing - based on your reply,
> > > it is the ONLY best thing.  ;-)
> > > 
> > > Not exactly what I was hoping to hear - I am sure they are not going
> > > to jump for joy either!
> > > 
> > > Regards,
> > > 
> > > 
> > > On 3/10/22 11:26 AM, Fairlight via Filepro-list wrote:
> > > > The problem isn't curl itself.  The problem is that you need a
> > > > sufficiently high OpenSSL version on the system against which curl
> > > > can be compiled.
> > > > 
> > > > The only people who can truly help with this are Xinuos.  At one
> > > > point a few years back, they were recommending an upgrade to their
> > > > latest combo Unix platform, and had forward-looking plans to release
> > > > just such an OpenSSL version (which by the time they would have
> > > > gotten done would have been over six months behind reality).  They
> > > > were only going to offer it for their latest version of OpenServer.
> > > > 
> > > > It was a bad bet to wait on them.
> > > > 
> > > > If you're serious about eCommerce, get them off SCO.  It's a dying
> > > > platform for anything to do with security and interoperability.
> > > > 
> > > > OpenSSL is also notoriously bitchy to compile, especially on SCO.
> > > > 
> > > > Given a system with a usable devkit, I'd be willing to make the
> > > > attempt, but it would -cost-, and not just a little.  $25k minimum
> > > > for the attempt, succeed or fail; more on success.  That's how
> > > > bitchy it tends to be, historically, and how much it would need to
> > > > be made worth my time to even make the attempt in good faith, on a
> > > > dead platform.  Anyone doing it for less is a fool, especially when
> > > > you realise that it's going to support a credit card gateway system
> > > > which will be the cornerstone of someone's business for years to
> > > > come.  You get your money out of that up-front, because you'll never
> > > > see another cent out of it afterwards, if you do it correctly.  At
> > > > least not until the next mandatory TLS bump.  So how much do they
> > > > -actually- want to do their credit card processing on SCO? :)
> > > > 
> > > > They're better off being migrated to Linux.  Barring that, no, it
> > > > wouldn't (and shouldn't) be inexpensive.
> > > > 
> > > > m->
> > > > 
> > > > 
> > > > On Thu, Mar 10, 2022 at 10:01:01AM -0500, Jose Lerebours via Filepro-list thus spoke:
> > > > > Waaaaay off topic but I have to ask:
> > > > > 
> > > > > I have a customer that is running on SCO 5 v6.0.0 and credit card
> > > > > processing company will no longer accept TLS lesser than 1.2; it
> > > > > appears that with that, we need to upgrade cURL from its current
> > > > > version of 7.2.### to a more recent version.
> > > > > 
> > > > > Do any of you (a) have a copy of cURL that would care to share
> > > > > (purchasing is an option BTW), (b) know of a link where said
> > > > > binaries could be found.
> > > > > 
> > > > > Thank you all in advance for your assistance!
> > > > > 
> > > > > 
> > > > > --
> > > > > Jose Lerebours
> > > > > 954-559-7186
> > > > > https://www.asisuites.com
> > > > > Accounting - Retail - Wholesale - Distribution Manufacturing -
> > > > > Warehousing - Transportation - eCommerce - Web Development
> > > > > 
> > > > > _______________________________________________
> > > > > Filepro-list mailing list
> > > > > Filepro-list at lists.celestial.com
> > > > > Subscribe/Unsubscribe/Subscription Changes
> > > > > http://mailman.celestial.com/mailman/listinfo/filepro-list
> > > > > 
> > > --
> > > Jose Lerebours
> > > 954-559-7186
> > > https://www.asisuites.com
> > > Accounting - Retail - Wholesale - Distribution Manufacturing -
> > > Warehousing - Transportation - eCommerce - Web Development
> > > 
> > --
> > Audi omnia, crede nihil.
> 
> -- 
> Jose Lerebours
> 954-559-7186
> https://www.asisuites.com
> Accounting - Retail - Wholesale - Distribution
> Manufacturing - Warehousing - Transportation - eCommerce - Web Development
> 

-- 
Audi omnia, crede nihil.
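
Added example, not part of any message in this thread: a POSIX shell check of the point made in the oldest reply, that what matters is the OpenSSL build curl is linked against, not the curl version. The function names and the sample banners are constructed for illustration; the 1.0.1 threshold is the first OpenSSL release with TLS 1.2, and the 1.1.1 threshold is the support line cited in the March 2022 reply above.

```shell
#!/bin/sh
# Added example. Classifies the OpenSSL build named in a `curl -V` banner.
# Thresholds: 1.0.1 is the first OpenSSL release with TLS 1.2; 1.1.1 is the
# oldest supported release according to the March 2022 message in this thread.

# "1.0.2k" -> 10002 (major*10000 + minor*100 + patch; letter suffix ignored)
ossl_num() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Prints one of: no-openssl | no-tls12 | tls12-but-eol | tls12-ok
classify_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo no-openssl          # other TLS backend, or curl built without TLS
        return 0
    fi
    n=$(ossl_num "$ver")
    if [ "$n" -lt 10001 ]; then
        echo no-tls12            # library predates TLS 1.2; a newer curl cannot add it
    elif [ "$n" -lt 10101 ]; then
        echo tls12-but-eol       # can negotiate TLS 1.2, but the library is unsupported
    else
        echo tls12-ok
    fi
}

# Constructed sample banners (not captured from any real host).
while IFS= read -r banner; do
    printf '%-14s %s\n' "$(classify_banner "$banner")" "$banner"
done <<'EOF'
curl 7.20.0 (constructed-host) libcurl/7.20.0 OpenSSL/0.9.8k zlib/1.2.3
curl 7.47.0 (constructed-host) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8
curl 7.81.0 (constructed-host) libcurl/7.81.0 OpenSSL/1.1.1n zlib/1.2.11
EOF
```

On a live host the same check is `classify_banner "$(curl -V | head -n 1)"`.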

