
October 25, 2017

OpenSSL's gaps for 3000s surface again

HP did its best, considering what was left of the MPE/iX lab budget, to move the server into modern security protocols. Much of the work was done after the company announced it would end its 3000 business. The gaps in that work are still being talked about today.

A message on the 3000 newsgroup-mailing list noted that installing the SFTP package for the 3000 uncovers one gap in software. John Clogg at Cerro Wire said that "I successfully generated a key pair and loaded the public key on the server, but that didn't solve the No key exchange algorithm problem. One posting I found seemed to suggest that the problem was an old version of the SSL library that did not support the encryption the server was trying to use." A note on enabling the 3000's OpenSSL from 2010 still wished for a library newer than what's left on MPE/iX.

The work that remains to be done—so a 3000 can pass sensitive info via SFTP—has been on a community wish list for many years. Backups using SFTP are missing some updates needed to the SSL library. At least the server's got a way to preserve file characteristics: filecode, recsize, blockfactor, type. Preservation of these attributes means a file can be moved to any offsite storage that could communicate with the MPE/iX system. Posix on MPE/iX comes to the rescue.

In the heart of the financial industry in 2003, a modest-sized HP 3000 connected to more than 100 customers through a secure Internet proxy server. That encryption combination was emerging as HP went into its last quarter of sales for the system. But today's standards are miles ahead of those of 2003.

"The old OpenSSL library does not support the ciphers needed to meet current standards," Clogg said. "I was able to make the connection work because the FTP service provider has a configuration setting to enable 'insecure old ciphers.' Fortunately, this will work for our purposes, but it would be unacceptable if we were transferring banking, credit card or PII data."

The 3000's OpenSSL library is older than 1.01e, which another homesteader says is the cutoff for security that protects from the Heartbleed hacks and RSA key generation compromises.
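A "no key exchange algorithm" failure is what SSH negotiation produces when the client's and server's KEXINIT messages list no key exchange method in common. The following is an added example, not code from the original article or from any HP 3000 software: it encodes and parses that message (RFC 4253, section 7.1) and applies a simplified first-match rule. The algorithm lists are constructed samples, and modelling the provider's legacy setting as extra entries in the server's offer is an assumption.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(**lists):
    """Encode a KEXINIT payload; name-lists not given are sent empty."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)   # message type + random cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, ())).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # name-list: uint32 length + CSV
    return out + b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, parsed = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        parsed[field] = raw.split(",") if raw else []
        pos += n
    return parsed

def negotiate(client, server, field="kex"):
    """Simplified rule: first client preference the server also lists, else None."""
    offered = set(server[field])
    return next((alg for alg in client[field] if alg in offered), None)

# Constructed sample offers, not captured from an HP 3000 or a real provider.
OLD_CLIENT = parse_kexinit(build_kexinit(
    kex=["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]))
MODERN_SERVER = parse_kexinit(build_kexinit(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]))
# Assumption: a provider's legacy setting appends old methods to its offer.
LEGACY_ENABLED_SERVER = parse_kexinit(build_kexinit(
    kex=MODERN_SERVER["kex"] + ["diffie-hellman-group1-sha1"]))

if __name__ == "__main__":
    print("modern server:", negotiate(OLD_CLIENT, MODERN_SERVER))
    print("legacy enabled:", negotiate(OLD_CLIENT, LEGACY_ENABLED_SERVER))
```

The same comparison applies to the cipher and MAC name-lists by passing a different `field`; a connection needs a match in every category, which is why re-enabling one legacy entry on the server side lets an old client connect at the cost of the weaker algorithm.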

James Byrne of Hart & Lyne said:

The appropriate fix is to update the SFTP client software and associated OpenSSL libraries to versions which possess the high grade key exchange algorithms required by the sshd server. But given the stage of life the HP 3000 has entered, that may not be possible.

We handled a similar problem some time in the past by setting up a Linux host to act as an SFTP proxy. We connected the HP 3000 to the proxy via a cross-over cable to a NIC devoted solely to the HP 3000. Files were then securely transferred between the proxy and the HP 3000 via plain old FTP.

Clogg hoped that "Maybe some porting guru will do a port of the current SSH and SSL libraries someday. In the meantime, James' use of an intermediate server is probably the best solution."

07:40 PM in Hidden Value, Homesteading