VSI-AXPVMS-SSL1-V0100-2TA-1-RELNOTES.PDF

This document outlines the release notes for VSI SSL1 for OpenVMS V1.0-2TA, released in October 2019. This version is based on OpenSSL 1.0.2T and is designed to coexist with VSI SSL V1.4-503, allowing applications dependent on either version to run on the same system.

Key information and post-installation activities include:

• Coexistence Configuration:

  • Ensure SSL1 startup and logical name creation files are executed.
  • The SSL1$STARTUP.COM command procedure must be invoked after SSL$STARTUP.COM to ensure the common "OPENSSL" logical name points to the latest VSI SSL1 1.0-2TA header files.
  • SSL1$SHUTDOWN.COM should be added to SYS$MANAGER:SYSHUTDWN.COM, conditionally invoking SSL$SHUTDOWN.COM if present.

• Migration of Site-Specific Changes: If upgrading from VSI SSL V1.4-503, any manual site-specific changes made to startup/shutdown procedures (e.g., SSL$COM:SSL$SYSTARTUP.COM, SSL$COM:SSL$SHUTDOWN.COM) and OpenSSL configuration files (e.g., OPENSSL.CNF, OPENSSL-VMS.CNF) must be migrated and copied to their respective SSL1 counterparts.

• Installation Verification Program (IVP): The IVP runs automatically during installation (unless /NOTEST is used) and can be manually executed using $ @SYS$TEST:SSL1$IVP.COM.
• Removing SSL1: Use the command $ PRODUCT REMOVE SSL1. Note that some generated files, such as IVP logs and certificates, may remain.
• Certificate Store Migration (Critical):
  • The top-level directory structure for VSI SSL1 V1.0 has changed from SYS$SYSDEVICE:[VMS$COMMON.SSL] to SYS$SYSDEVICE:[VMS$COMMON.SSL1]. Any manually created certificate stores need to be copied to the new location.
  • A significant change is the hash algorithm for certificate names, which has shifted from MD5 (used by HP SSL V1.4/V1.3) to SHA-1 (used by VSI SSL1 V1.0).
  • If existing certificates were named using the MD5 hash (e.g., 438F16D6.0), their validation will fail. These certificate files must be manually renamed to use the new SHA-1 hash (e.g., 37d8de08.0) and copied to the SSL1$ROOT:[DEMOCA.CERTS] directory. The document provides examples on how to obtain the new SHA-1 hash using openssl x509 -hash.
  • After migrating, old MD5-hashed certificate files can be deleted.