[BlueOnyx:24280] Re: 5209R logins - More code archeology

Ken Hohhof khohhof at kwom.com
Fri Sep 11 08:58:09 -05 2020


Good luck fixing something that's been "wrong" for 20 years.  Here in the
U.S. we can't even get people to use the metric system.

It reminds me of the ship captain demanding that a lighthouse change course.
https://en.wikipedia.org/wiki/Lighthouse_and_naval_vessel_urban_legend


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Ernie
Sent: Friday, September 11, 2020 8:27 AM
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:24279] Re: 5209R logins - More code archeology

Hi Michael,
it's not hard to see what happened it's in the code comments.

Here is part of  /etc/admserv/conf/httpd.conf on a 5107R box.

# ssl is on for the admin server by default
<VirtualHost _default_:444>
SSLEngine off
RewriteEngine On
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteCond %{DOCUMENT_ROOT}            !-d
RewriteRule .*                          http://%1:444/error/forbidden.html [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/admin/?$                  http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/siteadmin/?$              http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/personal/?$               http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/login/?$                  http://%1:444/login.php [L,R]
</VirtualHost>


The comment says that "ssl is on for the admin server by default", hence
it's on port 444, but someone has snuck in "SSLEngine off", contradicting the
comment, and did not change the port back to 81, so there it remains on the
wrong port for years.


- Ernie.


> Hi Ernie,
> 
> > eg. normal http is port 80, so http admin was port 81
> >     normal https is port 443 so https admin was port 444.
> > 
> > I am not sure when that was changed the other way around, it was 
> > several years ago that's for certain. I preferred the original cobalt
> > ports.
> 
> Nice catch. But as for
> https://www.mail-archive.com/cobaltfacts@list.cobaltfacts.com/msg03281.html
> ... that's from 2005 and doesn't mention anything with the 
> Sausalito GUI, but was a specifically catered response for a RaQ 1/2/3 
> related question. And by *now* I'm sure that the info there wasn't 
> correct to begin with. For the RaQ3 that answer is definitely wrong.
> 
> I just downloaded the Qube2 and Qube3 OS restore CD and took a look. I 
> also found a mirror of my old data.smd.net where I had all the Cobalt 
> related stuff hosted. I lost that data 10 years ago in a hard disk 
> crash, but I'm thankful to Arthur and Franklin for making that mirror, 
> so that I can get it back now.
> 
> Let us dive a bit into the early days: Recall that the Qube's were 
> billed as workgroup servers? They couldn't do multiple Vsites. So they 
> only had one (primary) Vsite. It also seems like the Qube 2 (at least 
> as far as the ISO from 1997 goes) couldn't do SSL - at all.
> 
> So as far as the Qube and Qube 2 go you had port 80 for reaching the 
> primary webpage. IF there was one. If there wasn't, then that would 
> lead to a landing page that redirected to http://<IP|hostname>:81, 
> where you found the GUI via HTTP.
> 
> I then checked the RPM repository of the RaQ2 and although it *does* 
> have OpenSSL-0.9.5a, neither Apache nor the AdmServ have any HTTPS 
> provisions. At all.
> 
> See: http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/
> 
> So RaQ, RaQ 2, Qube, Qube 2: No SSL Apache, no SSL GUI.
> 
> This seems to be supported by the screenshot from a PDF manual, which 
> shows a page of the RaQ 2 GUI with the URL bar *not* cropped out of 
> the picture.
> 
> And there it says: http://bert.cobaltnet.com:81/sysManage/index.html
> 
> So HTTP and port 81.
> 
> I couldn't find any OS restore CDs for the RaQ3 or RaQ4. So again 
> let's go and check the mirrored RPMs instead:
> 
> Qube2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube2/eng/RPMS/apache-conf-q2-1.0-13.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Port 81
> -----------------------------------
> No SSL provisions.
> 
> RaQ2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/apache-conf-raq2-1.0-17.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Port 81
> -----------------------------------
> No SSL provisions.
> 
> RaQ3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq3/RPMS/apache-conf-pacifica-14.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ4 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq4/RPMS/apache-conf-shinkansen-4.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ XTR Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raqxtr/eng/RPMS/apache-conf-monterey-23.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> Qube 3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube3/OS-6.4/RPMS/apache-conf-carmel-8.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ550 Apache and Admserv configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq550/RPMS/apache-conf-ptlobos-15.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> From that we can deduce that starting with the Qube 3 and RaQ 3 the 
> GUI used port 81 for HTTPS and port 444 for HTTP.
> 
> Older models such as Qube, Qube 2, RaQ and RaQ 2 did NOT have SSL and 
> used port 80 for Apache and 81 for the HTTP-GUI.
> 
> Now let us look at the "WHY". Why no HTTPS and why the port switcheroo 
> between HTTP-81 to HTTPS-81:
> 
> It sounds like ancient history, but once upon a time the US had export 
> restrictions on cryptography. Everyone dealt differently with that.
> Microsoft invented pseudo-crypto like ROT13. And anyone else with more 
> than two functioning brain cells just didn't export cryptography 
> unless they were legally in the clear. Shipping OpenSSL was apparently 
> OK, but anything that built on top of that in a certain way (such as 
> mod_ssl or the predecessor Apache-OpenSSL) wasn't.
> 
> Eventually the export restrictions got relaxed, though. My memory is a 
> bit faint about the exact year when that happened. 1998 or 1999 seems 
> likely. 1998 is about the time the RaQ2 development was still ongoing.
> They might have started w/o crypto built in and it was too late to do 
> so now w/o rocking the boat too much. Also they might not yet have 
> known which side of the fence the ball would eventually drop.
> 
> So the RaQ2 remained w/o crypto, but the RaQ3 got it from the start. 
> The RaQ3 "apache-openssl" RPM has its first entry in the RPM's changelog 
> in August of 1999.
> 
> That re-affirms the following:
> 
> SSL only got added out of the box when the RaQ3 came out.
> 
> Qube, Qube 2, RaQ, RaQ2: Apache HTTP port 80 and no HTTPS on port 443.
> The GUI (in HTTP-only-mode) was running on port 81.
> 
> RaQ3, RaQ4, XTR, RaQ550, Qube3 ControlStation: HTTP-GUI on port 444, 
> HTTPS-GUI at port 81.
> 
> Why did they switch port 81 from HTTP to HTTPS? We can only guess. But 
> my assumption is: Due to the Qube's history as workgroup server (and 
> absence of SSL) they used port 81 HTTP for the GUI initially. When 
> they were able to internationally ship with the crypto stuff 
> pre-installed, they needed another port and bumped security up a notch 
> by making 81 HTTPS and defaulting the HTTP GUI to 444 instead.
> 
> All in all that certainly was not an entirely logical or intuitive 
> choice. But in a way it's relatable.
> 
> --
> With best regards
> 
> Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx