[BlueOnyx:24277] Re: 5209R logins - More code archeology

Fri Sep 11 02:05:08 -05 2020

Hi Ernie,

> eg. normal http is port 80, so http admin was port 81
>     normal https is port 443 so hrrps admin was port 444.
> 
> I am not sure when that was changed the other way around, it was several
> years ago that's for certain. I prefered the original cobalt ports.

Nice catch. But as for
https://www.mail-archive.com/cobaltfacts@list.cobaltfacts.com/msg03281.html
... that's from 2005 and doesn't mention anything with the Sausalito
GUI, but was a specifically catered response for a RaQ 1/2/3 related
question. And by *now* I'm sure that the info there wasn't correct to
begin with. For the RaQ3 that answer is definitely wrong.

I just downloaded the Qube2 and Qube3 OS restore CD and took a look. I
also found a mirror of my old data.smd.net where I had all the Cobalt
related stuff hosted. I lost that data 10 years ago in a hard disk
crash, but I'm thankful to Arthur and Franklin for making that mirror,
so that I can get it back now.

Let us dive a bit into the early days: Recall that the Qube's were
billed as workgroup servers? They couldn't do multiple Vsites. So they
only had one (primary) Vsite. It also seems like the Qube 2 (at least as
far as the ISO from 1997 goes) couldn't do SSL - at all.

So as far as the Qube and Qube 2 go you had port 80 for reaching the
primary webpage. IF there was one. If there wasn't, then that would lead
to a landing page that redirected to http://<IP|hostname>:81, where you
found the GUI via HTTP.

I then checked the RPM repository of the RaQ2 and although it *does*
have OpenSSL-0.9.5a, neither Apache nor the AdmServ have any HTTPS
provisions. At all.

See: http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/

So RaQ, RaQ 2, Qube, Qube 2: No SSL Apache, no SSL GUI.

This seems to be supported by the screenshot from a PDF manual, which
shows a page of the RaQ 2 GUI with the URL bar *not* cropped out of the
picture.

And there it says: http://bert.cobaltnet.com:81/sysManage/index.html

So HTTP and port 81.

I couldn't find any OS restore CDs for the RaQ3 or RaQ4. So again let's
go and check the mirrored RPMs instead:

Qube2 Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/qube2/eng/RPMS/apache-conf-q2-1.0-13.noarch.rpm
--/etc/admserv/httpd.conf----------
Port 81
-----------------------------------
No SSL provisions.

RaQ2 Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/apache-conf-raq2-1.0-17.noarch.rpm
--/etc/admserv/httpd.conf----------
Port 81
-----------------------------------
No SSL provisions.

RaQ3 Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/raq3/RPMS/apache-conf-pacifica-14.noarch.rpm
--/etc/admserv/httpd.conf----------
Listen 81
Listen 444
[...]
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
-----------------------------------

RaQ4 Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/raq4/RPMS/apache-conf-shinkansen-4.noarch.rpm
--/etc/admserv/httpd.conf----------
Listen 81
Listen 444
[...]
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
-----------------------------------

RaQ XTR Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/raqxtr/eng/RPMS/apache-conf-monterey-23.noarch.rpm
--/etc/admserv/httpd.conf----------
Listen 81
Listen 444
[...]
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
-----------------------------------

Qube 3 Apache and AdmServ configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/qube3/OS-6.4/RPMS/apache-conf-carmel-8.noarch.rpm
--/etc/admserv/httpd.conf----------
Listen 81
Listen 444
[...]
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
-----------------------------------

RaQ550 Apache and Admserv configs:
http://data.blueonyx.biz/ftp.cobalt.com/products/raq550/RPMS/apache-conf-ptlobos-15.noarch.rpm
--/etc/admserv/httpd.conf----------
Listen 81
Listen 444
[...]
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
-----------------------------------

>From that we can deduct that starting with the Qube 3 and RaQ 3 the GUI
used port 81 for HTTPS and port 444 for HTTP.

Older models such as Qube, Qube 2, RaQ and RaQ 2 did NOT have SSL and
used port 80 for Apache and 81 for the HTTP-GUI.

Now let us look at the "WHY". Why no HTTPS and why the port switcheroo
between HTTP-81 to HTTPS-81:

It sounds like ancient history, but once upon a time the US had export
restrictions on cryptography. Everyone dealt differently with that.
Microsoft invented pseudo-crypto like ROT13. And anyone else with more
than two functioning brain cells just didn't export cryptography unless
they were legally in the clear. Shipping OpenSSL was apparently OK, but
anything that built on top of that in a certain way (such as mod_ssl or
the predecessor Apache-OpenSSL) wasn't.

Eventually the export restrictions got relaxed, though. My memory is a
bit faint about the exact year when that happened. 1998 or 1999 seems
likely. 1998 is about the time the RaQ2 development was still ongoing.
They might have started w/o crypto built in and it was too late to do so
now w/o rocking the boat too much. Also they might not yet have known
which side of the fence the ball would eventually drop.

So the RaQ2 remained w/o crypto, but the RaQ3 got it from the start. The
RaQ3 "apache-openssl" RPM has its first entry in the RPM's changelog in
August of 1999.

That re-affirms the following:

SSL only got added out of the box when the RaQ3 came out.

Qube, Qube 2, RaQ, RaQ2: Apache HTTP port 80 and no HTTPS on port 443.
The GUI (in HTTP-only-mode) was running on port 81.

RaQ3, RaQ4, XTR, RaQ550, Qube3 ControlStation: HTTP-GUI on port 444,
HTTPS-GUI at port 81.

Why did they switch port 81 from HTTP to HTTPS? We can only guess. But
my assumption is: Due to the Qube's history as workgroup server (and
absence of SSL) they used port 81 HTTP for the GUI initially. When they
were able to internationally ship with the crypto stuff pre-installed,
they needed another port and bumped security up a notch by making 81
HTTPS and defaulting the HTTP GUI to 444 instead.

All in all that certainly was not an entirely logical or intuitive
choice. But in a way it's relatable.

-- 
With best regards

Michael Stauber
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Qube3-gui.png
Type: image/png
Size: 166905 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20200911/403a37da/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RaQ2-GUI.png
Type: image/png
Size: 189027 bytes
Desc: not available
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20200911/403a37da/attachment-0001.png>