[BlueOnyx:24278] Re: 5209R logins - More code archeology

Rickard Osser rickard.osser at bluapp.com
Fri Sep 11 02:56:57 -05 2020


Hi Michael,

You're right that the early (MIPS) products from Cobalt didn't have
SSL, actually the Qube3 and RaQ3 didn't have it from the beginning as
well.

Export restrictions on RSA were still enforced by the US Gov. at the
time. Cobalt had a package for SSL which they sold separately, it wasn't
integrated into the GUI and didn't give the user an encrypted admin GUI
either. It could be set up for site usage only.

I created packages for SSL for Q2/R2 as well as Q3/R3 during this
period. Being in Europe helped a lot as we didn't have the restrictions.
My package added GUI pages for virtual sites to administer SSL as well
as adding a secured GUI environment. I also got Cobalt to write info for
users doing package upgrades which contained Apache to not install the
official package but my revised packages as it would break the GUI
otherwise.

Best regards,
Rickard


On Fri, 2020-09-11 at 02:05 -0500, Michael Stauber wrote:
> Hi Ernie,
> > e.g. normal http is port 80, so http admin was port 81
> > normal https is port 443, so https admin was port 444.
> > I am not sure when that was changed the other way around, it was
> > several years ago that's for certain. I preferred the original cobalt
> > ports.
> 
> Nice catch. But as for
> https://www.mail-archive.com/cobaltfacts@list.cobaltfacts.com/msg03281.html
> ... that's from 2005 and doesn't mention anything with the
> SausalitoGUI, but was a specifically catered response for a RaQ 1/2/3
> related question. And by *now* I'm sure that the info there wasn't
> correct to begin with. For the RaQ3 that answer is definitely wrong.
>
> I just downloaded the Qube2 and Qube3 OS restore CD and took a look.
> I also found a mirror of my old data.smd.net where I had all the
> Cobalt related stuff hosted. I lost that data 10 years ago in a hard
> disk crash, but I'm thankful to Arthur and Franklin for making that
> mirror, so that I can get it back now.
>
> Let us dive a bit into the early days: Recall that the Qubes
> were billed as workgroup servers? They couldn't do multiple Vsites. So
> they only had one (primary) Vsite. It also seems like the Qube 2 (at
> least as far as the ISO from 1997 goes) couldn't do SSL - at all.
>
> So as far as the Qube and Qube 2 go you had port 80 for reaching
> the primary webpage. IF there was one. If there wasn't, then that
> would lead to a landing page that redirected to
> http://<IP|hostname>:81, where you found the GUI via HTTP.
>
> I then checked the RPM repository of the RaQ2 and although it
> *does* have OpenSSL-0.9.5a, neither Apache nor the AdmServ have any
> HTTPS provisions. At all.
>
> See: http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/
> 
> So RaQ, RaQ 2, Qube, Qube 2: No SSL Apache, no SSL GUI.
> This seems to be supported by the screenshot from a PDF manual,
> which shows a page of the RaQ 2 GUI with the URL bar *not* cropped out
> of the picture.
> And there it says: http://bert.cobaltnet.com:81/sysManage/index.html
> 
> So HTTP and port 81.
> I couldn't find any OS restore CDs for the RaQ3 or RaQ4. So again
> let's go and check the mirrored RPMs instead:
>
> Qube2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube2/eng/RPMS/apache-conf-q2-1.0-13.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Port 81
> -----------------------------------
> No SSL provisions.
>
> RaQ2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/apache-conf-raq2-1.0-17.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Port 81
> -----------------------------------
> No SSL provisions.
>
> RaQ3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq3/RPMS/apache-conf-pacifica-14.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
>
> RaQ4 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq4/RPMS/apache-conf-shinkansen-4.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
>
> RaQ XTR Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raqxtr/eng/RPMS/apache-conf-monterey-23.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
>
> Qube 3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube3/OS-6.4/RPMS/apache-conf-carmel-8.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
>
> RaQ550 Apache and Admserv configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq550/RPMS/apache-conf-ptlobos-15.noarch.rpm
>
> /etc/admserv/httpd.conf
> -----------------------------------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
>
> From that we can deduce that starting with the Qube 3 and RaQ 3 the
> GUI used port 81 for HTTPS and port 444 for HTTP.
>
> Older models such as Qube, Qube 2, RaQ and RaQ 2 did NOT have SSL
> and used port 80 for Apache and 81 for the HTTP-GUI.
>
> Now let us look at the "WHY". Why no HTTPS and why the port
> switcheroo between HTTP-81 to HTTPS-81:
>
> It sounds like ancient history, but once upon a time the US had
> export restrictions on cryptography. Everyone dealt differently with
> that. Microsoft invented pseudo-crypto like ROT13. And anyone else
> with more than two functioning brain cells just didn't export
> cryptography unless they were legally in the clear. Shipping OpenSSL
> was apparently OK, but anything that built on top of that in a certain
> way (such as mod_ssl or the predecessor Apache-OpenSSL) wasn't.
>
> Eventually the export restrictions got relaxed, though. My memory is
> a bit faint about the exact year when that happened. 1998 or 1999
> seems likely. 1998 is about the time the RaQ2 development was still
> ongoing. They might have started w/o crypto built in and it was too
> late to do so now w/o rocking the boat too much. Also they might not
> yet have known which side of the fence the ball would eventually drop.
>
> So the RaQ2 remained w/o crypto, but the RaQ3 got it from the start.
> The RaQ3 "apache-openssl" RPM has its first entry in the RPM's
> changelog in August of 1999.
>
> That re-affirms the following:
> SSL only got added out of the box when the RaQ3 came out.
> Qube, Qube 2, RaQ, RaQ2: Apache HTTP port 80 and no HTTPS on port
> 443. The GUI (in HTTP-only-mode) was running on port 81.
> RaQ3, RaQ4, XTR, RaQ550, Qube3 ControlStation: HTTP-GUI on port
> 444, HTTPS-GUI at port 81.
>
> Why did they switch port 81 from HTTP to HTTPS? We can only guess.
> But my assumption is: Due to the Qube's history as workgroup server
> (and absence of SSL) they used port 81 HTTP for the GUI initially.
> When they were able to internationally ship with the crypto stuff
> pre-installed, they needed another port and bumped security up a notch
> by making 81 HTTPS and defaulting the HTTP GUI to 444 instead.
>
> All in all that certainly was not an entirely logical or
> intuitive choice. But in a way it's relatable.
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
-- 
Bluapp AB
Rickard Osser
CTO
Solberga Ängsväg 3
125 44 Älvsjö
Sweden

Web: http://www.bluapp.com
Mail: rickard.osser at bluapp.com
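
The per-model check of `/etc/admserv/httpd.conf` described in the quoted message (which ports listen, and which `SSLEngine` setting applies to each) can be scripted. This is an added example, not part of either message and not Cobalt or BlueOnyx code; the function name `tls_by_port` and the sample strings are constructed here, and the RaQ3 sample holds only the lines visible in the quoted excerpt.

```python
import re

# Constructed samples. RAQ3_VISIBLE holds only the lines visible in the quoted
# RaQ3 excerpt; the part elided as [...] is not on the page and is left out.
QUBE2_VISIBLE = "Port 81\n"
RAQ3_VISIBLE = """\
Listen 81
Listen 444
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
"""

def tls_by_port(conf):
    """Map each listening port to 'on', 'off' or 'unset' (no SSLEngine seen)."""
    ports, server_level, per_vhost = [], "unset", {}
    vhost_ports = None  # ports of the <VirtualHost> being read, else None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)(?:listen|port)\s+(?:\S+:)?(\d+)$", line)
        if m and vhost_ports is None:
            ports.append(int(m.group(1)))
        elif re.match(r"(?i)</VirtualHost>$", line):
            vhost_ports = None
        elif re.match(r"(?i)<VirtualHost\s", line):
            vhost_ports = [int(p) for p in re.findall(r":(\d+)", line)]
        else:
            m = re.match(r"(?i)SSLEngine\s+(on|off)$", line)
            if m and vhost_ports is None:
                server_level = m.group(1).lower()
            elif m:
                for p in vhost_ports:
                    per_vhost[p] = m.group(1).lower()
    # A vhost-level SSLEngine overrides the server-level one for its port.
    return {p: per_vhost.get(p, server_level) for p in ports}

if __name__ == "__main__":
    for name, conf in (("Qube2", QUBE2_VISIBLE), ("RaQ3", RAQ3_VISIBLE)):
        print(name, tls_by_port(conf))
```

`unset` means no `SSLEngine` directive was found in the text examined; mod_ssl's documented default for a never-set `SSLEngine` is off, so for the RaQ3 excerpt the state of port 81 depends on the elided portion of the file.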