OT: SCO 5 6.0.0 - cURL Binaries / upgrade
Brian K. White
bw.aljex at gmail.com
Fri Mar 11 17:28:28 PST 2022
If the connection between the new and old machines is secure, that probably
suffices.
Reasoning:
Let's say the sco box is actually a vm on the linux box, and the vm has
no net access, and files are handed to the sco box by files on a common
filesystem. I think you could honestly say that the connection was
secure. What happens on the box is not really any different than any
other local application that processes the data. In this case the
connection between the new and old boxes is some form of ipc. shared
files, fifos, shm, maybe even tcp localhost.
Assuming that flies, now say the sco box is on a separate machine
connected by a lan with no other devices on that lan. Who cares, and
what would be the justification for caring, if the connection was plain
ftp or plain raw tcp socket?
Finally, a compliant vpn should be no different from that hardware wire.
You'd just probably need to add a hardware vpn since you would run into
the same library problem trying to set up any kind of vpn client on the
sco box.
I'd probably just migrate unless there was some real intractable problem
with the existing software. Even if there was, I'd still probably clone
the system to a vm, even if *that* also was a fair project, because
that gets you all the bridge time you want. You can use the linux host
for whatever special new problems come up like this, and you can work on
the larger/longer task of bringing up new linux native versions of
everything on the host at your leisure, and flip the switch to go live
on the new stuff sometime way later whenever you're ready. In the
meantime, you're also better protected against hardware failures and
changing hardware.
--
bkw
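A sketch of the bridge arrangement described above, added here as an illustration and not code from this thread or from any poster: the isolated SCO guest drops request files into a spool directory shared with the Linux host, and a small relay on the host forwards them to the gateway with a certificate-verifying TLS 1.2-or-newer client. The spool path, file naming and gateway URL are assumed placeholders.

```python
"""Relay on the Linux host for an isolated SCO guest (hypothetical layout).

The SCO side only ever writes a file into a shared directory; all TLS is
done here, where a current OpenSSL is available.
"""
import os
import ssl
import urllib.request
from pathlib import Path

GATEWAY_URL = "https://gateway.example.invalid/api"  # placeholder, not a real endpoint
SPOOL = Path("/srv/sco-spool")                       # assumed directory shared with the guest


def openssl_is_supported(version_info=ssl.OPENSSL_VERSION_INFO):
    """True when the host's OpenSSL is 1.1.1 or newer (older branches are EOL)."""
    return tuple(version_info[:3]) >= (1, 1, 1)


def make_tls_context():
    """Strict client context: verify the peer and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_ok(ctx):
    """Self-check that a context still enforces the policy make_tls_context set."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def claim_request(path):
    """Rename a spooled file so a second relay run cannot send it twice."""
    claimed = path.with_suffix(".sending")
    os.rename(path, claimed)  # rename within one filesystem is atomic
    return claimed


def forward(claimed, ctx, url=GATEWAY_URL):
    """POST the spooled body to the gateway over the strict TLS context."""
    req = urllib.request.Request(url, data=claimed.read_bytes(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


def relay_once(spool=SPOOL):
    """Forward every pending request in the spool; returns {filename: (status, body)}."""
    ctx = make_tls_context()
    results = {}
    for path in sorted(spool.glob("*.json")):
        claimed = claim_request(path)
        results[path.name] = forward(claimed, ctx)
        claimed.unlink()
    return results
```

Run `relay_once()` from cron or a loop on the host; the guest never needs a TLS stack of its own.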
On 3/11/22 11:08, Fairlight via Filepro-list wrote:
> Honestly, based on what you just said, and what Bill suggested, I'm not
> convinced that just interjecting a system in the middle is sufficient.
>
> Sure, the gateway company will be satisfied.
>
> You still would have a link in the chain which is not PCI compliant.
> That's a problem, legally speaking. If anyone ever found out, you'd be
> boned. EVERY hop in the chain needs to be compliant.
>
> m->
>
>
> On Fri, Mar 11, 2022 at 10:30:39AM -0500, Jose Lerebours via Filepro-list thus spoke:
>> The problem as far as non-compliant is at the filePro box - running SCO 5.
>>
>> I have a cloud based gateway, if you will, which is par and fully patched,
>> hence the reason SCO box
>> is being rejected.
>>
>> As a SaaS, I provide an API that my customers use as a gateway to reach
>> their CC Processing Providers, through this,
>> I make it easier for them to simplify their code and give them the ability
>> to POST requests in a simple form and my API Server
>> deals with the WSDL, CURL, JSON, XML conversion up/down and reply back in a
>> chosen format (json, csv, plain text ...).
>>
>> The Processing company in this case has upgraded their TLS to a recent
>> version, I in turn followed thru made changes in my end
>> to make sure my SaaS reaches them in the required version/encryption -
>> Testing within my local server works well - testing my
>> development box (which is also up to date) works just fine but from the SCO
>> box is where we are having issues.
>>
>> They have so much stuff going on in the SCO box that they are reluctant to
>> even change a file name on it! I can totally understand that,
>> their store runs on this box and it goes well beyond their filePro
>> application.
>>
>> I have been suggested to look into using rsync as means to POST to my SaaS
>> Server having the source file encrypted locally (@ the SCO box)
>> and then decrypting the file prior to POST up to Processing Company.
>>
>> This suggestion may be a viable solution and data can be safely moved
>> UP/DOWN the process - I was also thinking of a way to hash the CC #
>> and reverse that later so that the CC # is not in plain text at any time.
>> This may present another problem, given the different OSes, versions,
>> and everything else, I may not be able to siphon the hashed CC #.
>>
>>
>>
>>
>> On 3/11/22 10:03 AM, ken white via Filepro-list wrote:
>>> I wonder what version of openssl is installed. According to openssl.org
>>> all versions prior to 1.1.1 are out of date and no longer supported.
>>> Therefore if your software is dependent on openssl, I believe that versions
>>> prior to 1.1.1 would be no longer be considered as PCI compliant. Version
>>> 0.9.8 installed as a supplement for SCO 6.0.0 was EOL 2016. Even version
>>> 1.1.1 has a few high severity CVE's listed which require patching.
>>> Depending on the flavor of their PCI SAQ, the responsible party signing
>>> their annual PCI SAQ should be very concerned.
>>> -----Original Message-----
>>> From: Filepro-list
>>> <filepro-list-bounces+kenwhite=verizon.net at lists.celestial.com> On Behalf Of
>>> Fairlight via Filepro-list
>>> Sent: Thursday, March 10, 2022 2:00 PM
>>> To: filepro-list at lists.celestial.com
>>> Subject: Re: OT: SCO 5 6.0.0 - cURL Binaries / upgrade
>>>
>>> They don't have to jump for joy. Is it a business requirement, or is it
>>> someone's pet wishlist item? If the former, it is what it is. If the
>>> latter, it's optional and can be given a pass.
>>>
>>> Places can either afford to play ball in their industries, or not. It's not
>>> negotiable, any more than us needing internet service, and not wanting to
>>> pay for it, for instance. It's not optional if you want the specified
>>> result. If it's what's required of the business, it's required. That's how
>>> 'required' works. Happiness doesn't enter into it.
>>>
>>> God forbid someone need an ISO or SOX audit. Those cost a mint, and I've
>>> never known anyone who was 'happy' to absorb the price.
>>> "Choiceless" is the best fitting adjective for situations like these.
>>>
>>> Nobody should be on SCO these days, if they want to take advantage of any
>>> open source software. libopenssl/libssl2 versions features vs restrictions
>>> -alone- are a compelling case for getting off of SCO, nevermind the bigger
>>> picture. It's not a sustainable platform in today's security landscape,
>>> -especially- the way Xinuous likes to do things. You will almost always be
>>> at least half a year to two years behind the curve, and God help you if a
>>> zero day exploit is discovered, because -they're- certainly not going to
>>> jump right on that.
>>>
>>> m->
>>>
>>>
>>> On Thu, Mar 10, 2022 at 12:07:20PM -0500, Jose Lerebours via Filepro-list
>>> thus spoke:
>>>> Thanks Mark!
>>>>
>>>> Migrating to LINUX may be the next best thing - based on your reply,
>>>> it is the ONLY best thing. ;-)
>>>>
>>>> Not exactly what I was hoping to hear - I am sure they are not going
>>>> to jump for joy either!
>>>>
>>>> Regards,
>>>>
>>>>
>>>> On 3/10/22 11:26 AM, Fairlight via Filepro-list wrote:
>>>>> The problem isn't curl itself. The problem is that you need a
>>>>> sufficiently high OpenSSL version on the system against which curl
>>>>> can be compiled.
>>>>>
>>>>> The only people who can truly help with this are Xinuous. At one
>>>>> point a few years back, they were recommending an upgrade to their
>>>>> latest combo Unix platform, and had forward-looking plans to release
>>>>> just such an OpenSSL version (which by the time they would have
>>>>> gotten done would have been over six months behind reality). They
>>>>> were only going to offer it for their latest version of OpenServer.
>>>>>
>>>>> It was a bad bet to wait on them.
>>>>>
>>>>> If you're serious about eCommerce, get them off SCO. It's a dying
>>>>> platform for anything to do with security and interoperability.
>>>>>
>>>>> OpenSSL is also notoriously bitchy to compile, especially on SCO.
>>>>>
>>>>> Given a system with a usable devkit, I'd be willing to make the
>>>>> attempt, but it would -cost-, and not just a little. $25k minimum
>>>>> for the attempt, succeed or fail; more on success. That's how
>>>>> bitchy it tends to be, historically, and how much it would need to
>>>>> be made worth my time to even make the attempt in good faith, on a
>>>>> dead platform. Anyone doing it for less is a fool, especially when
>>>>> you realise that it's going to support a credit card gateway system
>>>>> which will be the cornerstone of someone's business for years to
>>>>> come. You get your money out of that up-front, because you'll never
>>>>> see another cent out of it afterwards, if you do it correctly. At
>>>>> least not until the next mandatory TLS bump. So how much do they
>>>>> -actually- want to do their credit card processing on SCO? :)
>>>>>
>>>>> They're better off being migrated to Linux. Barring that, no, it
>>>>> wouldn't (and shouldn't) be inexpensive.
>>>>>
>>>>> m->
>>>>>
>>>>>
>>>>> On Thu, Mar 10, 2022 at 10:01:01AM -0500, Jose Lerebours via
>>> Filepro-list thus spoke:
>>>>>> Waaaaay off topic but I have to ask:
>>>>>>
>>>>>> I have a customer that is running on SCO 5 v6.0.0 and credit card
>>>>>> processing company will no longer accept TLS lesser than 1.2; it
>>>>>> appears that with that, we need to upgrade cURL from its current
>>>>>> version of 7.2.### to a more recent version.
>>>>>>
>>>>>> Do any of you (a) have a copy of cURL that would care to share
>>>>>> (purchasing is an option BTW), (b) know of a link where said
>>>>>> binaries could be found.
>>>>>>
>>>>>> Thank you all in advance for your assistance!
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jose Lerebours
>>>>>> 954-559-7186
>>>>>> https://www.asisuites.com
>>>>>> Accounting - Retail - Wholesale - Distribution Manufacturing -
>>>>>> Warehousing - Transportation - eCommerce - Web Development
>>>>>>
>>>>>> _______________________________________________
>>>>>> Filepro-list mailing list
>>>>>> Filepro-list at lists.celestial.com
>>>>>> Subscribe/Unsubscribe/Subscription Changes
>>>>>> http://mailman.celestial.com/mailman/listinfo/filepro-list
>>>>>>
>>> --
>>> Audi omnia, crede nihil.