This document, the VSI SSL111 Version 1.1-1D for OpenVMS Installation Guide and Release Notes (October 2019), outlines the installation, configuration, and use of VSI SSL111 on OpenVMS Alpha servers. Based on Open Source OpenSSL version 1.1.1d, this release fixes an issue where OPENSSL utility requests failed due to an undefined SSL111$DATAROOT logical.
Key Information:
- Prerequisites: Requires OpenVMS Alpha server Version 8.4-1H1 or later. Installation needs 200,000 disk blocks (170,000 installed).
- Coexistence and Incompatibility: VSI SSL111 V1.1 is not backward compatible with previous VSI SSL V1.4 or VSI SSL1 versions due to API, data structure, and command changes. However, all three versions (V1.4, V1.0.2, and V1.1.1d) can coexist on the same system as they use distinct naming conventions (logical names, command procedures, directories, and libraries are prefixed with SSL$, SSL1$, or SSL111$).
Migration Steps (Critical for Upgrades):
- Applications: Existing applications linked against VSI SSL V1.4 or VSI SSL1 must be recompiled and relinked with the new VSI SSL111 V1.1 header files and libraries to utilize the new version.
- Logical Names & Scripts: Custom command procedures or startup/shutdown scripts that reference old SSL/SSL1 logical names, directories, or command procedures must be updated to use the SSL111$ prefixes. The SSL111$STARTUP.COM procedure should be invoked last to ensure the common "OPENSSL" logical name points to the latest SSL111 headers.
- Certificate Stores: The certificate hashing algorithm has changed from MD5 (used by older SSL versions) to SHA-1. Manually created certificate files (hash.0) in existing stores must be copied to the new SSL111 directory and renamed to reflect their new SHA-1 hash to be validated by VSI SSL111.
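The certificate-store step above, as an added sketch that is not taken from the VSI guide: it copies each hash-named file into the new store under the name the new OpenSSL build reports for it, bumping the numeric suffix when two certificates share a hash or the name is already taken. It assumes POSIX-style paths and that `openssl` on the command path is the SSL111 (1.1.1d) build; the function names are hypothetical.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Files in a hashed certificate directory are named <8 hex digits>.<n>
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_subject_hash(cert_path, openssl="openssl"):
    """Ask the new OpenSSL binary which subject hash it will look up."""
    out = subprocess.run(
        [openssl, "x509", "-noout", "-subject_hash", "-in", str(cert_path)],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip().lower()


def plan_rehash(old_store, new_store, hasher=openssl_subject_hash):
    """Return [(source, destination)] for every hash-named file in old_store."""
    new_store = Path(new_store)
    # Names already present in the new store must not be overwritten.
    taken = {p.name.lower() for p in new_store.iterdir()} if new_store.is_dir() else set()
    plan = []
    for src in sorted(Path(old_store).iterdir()):
        if not HASH_NAME.match(src.name.lower()):
            continue  # not a manually hashed certificate file
        new_hash = hasher(src)
        n = 0
        while f"{new_hash}.{n}" in taken:  # same hash: use .1, .2, ...
            n += 1
        name = f"{new_hash}.{n}"
        taken.add(name)
        plan.append((src, new_store / name))
    return plan


def migrate(old_store, new_store, hasher=openssl_subject_hash):
    """Copy (never move) so the old store stays usable by the older SSL kits."""
    Path(new_store).mkdir(parents=True, exist_ok=True)
    plan = plan_rehash(old_store, new_store, hasher)
    for src, dst in plan:
        shutil.copy2(src, dst)
    return plan
```

Review the output of `plan_rehash` before running `migrate`; a certificate that `openssl x509` cannot parse raises `CalledProcessError` rather than being copied under a guessed name.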
Installation & Post-Installation: Installation is performed via PRODUCT INSTALL SSL111 and requires installation on the system disk. Post-installation tasks involve configuring startup/shutdown procedures, defining foreign commands, and performing the necessary migration steps.
- Building Applications: VSI SSL111 provides both 64-bit and 32-bit APIs with separate shareable image files. Applications should be compiled with /POINTER_SIZE=64 for 64-bit APIs and linked with the appropriate 64-bit or 32-bit SSL111$ prefixed libraries.
- Notes & Limitations:
- TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES are enabled.
- The Certificate Tool does not support simultaneous users.
- Users are responsible for protecting certificates and keys.
- OpenSSL environment variables must use the ${var} format.
- IDEA, RC5, MDC2 symmetric ciphers, and RAND_egd APIs are not supported; RAND_poll() should be used for secure random seeds.
- OpenSSL website documentation should be considered authoritative over the documentation shipped with the kit.