This document is the Installation Guide and Release Notes for VSI SSL111 Version 1.1-1E for OpenVMS, released in March 2020. It covers prerequisites, installation instructions, application building, directory structure, and release notes for the product running on OpenVMS Alpha servers.
Key Points:
- Base Version: VSI SSL111 V1.1-1E is based on Open Source OpenSSL version 1.1.1e.
- Backward Incompatibility: This version is not backward compatible with previous VSI SSL V1.4 (OpenSSL 0.9.8) or VSI SSL1 (OpenSSL 1.0.2) products due to changes in APIs, data structures, and commands.
Coexistence and Migration:
- Older SSL versions can coexist on the same system, but applications linked against them will continue to use the older libraries.
- To utilize VSI SSL111 V1.1 features, existing applications must be recompiled and relinked against the new SSL111 header files and libraries.
- Crucially, certificate store migration is required: The certificate hashing algorithm has changed from MD5 (used by older versions) to SHA-1. This means existing certificate files (named by their hash) will need to be manually renamed/rehashed for VSI SSL111 to validate them.
- System logical names (e.g., SSL$, SSL1$) and command procedures need to be updated to use the new SSL111$ prefixes.
- Custom OpenSSL configuration files (e.g., OPENSSL.CNF) should also be copied and updated.
- System Requirements: Requires VSI OpenVMS Alpha server Version 8.4-1H1 or later. It needs approximately 200,000 disk blocks for installation (170,000 installed).
- Installation: Installed using the $ PRODUCT INSTALL SSL111 command. It must be installed on the system disk. For clustered environments, SSL111 must be shut down on all nodes before installation and started on all nodes afterwards.
- Application Development: Supports both 64-bit and 32-bit APIs. Applications can be compiled for 64-bit using the /POINTER_SIZE=64 qualifier.
- Resolved Issues: Addresses issues with C++ compilers not understanding pragmas in certain header files and challenges with resolving symbol names longer than 31 characters.
- Limitations: TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is enabled. IDEA, RC5, and MDC2 symmetric cipher algorithms, along with RAND_egd APIs, are not supported. The Certificate Tool is single-user. OpenSSL documentation is UNIX-centric, requiring adaptation for OpenVMS file and directory formats.
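
The certificate store migration noted under Coexistence and Migration can be planned with the `openssl x509` options `-subject_hash_old` (the MD5-based hash) and `-subject_hash` (the SHA-1-based hash). The following is an added example, not VSI's procedure: it assumes a POSIX shell with an `openssl` binary and PEM files named `<hash>.<n>` in a single directory, and the function names `rehash_plan` and `rehash_apply` are hypothetical.

```sh
#!/bin/sh
# Added example (not VSI's procedure): migrate a hash-named certificate store.
# Assumption: PEM certificates stored as <8-hex-digit hash>.<n> in one directory.

# Print "old_name new_name" for each file named after the old (MD5-based)
# subject hash of the certificate it contains.
rehash_plan() {
    dir=$1 planned=" "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        case $base in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;   # not a hash-style name
        esac
        old=$(openssl x509 -noout -subject_hash_old -in "$f" 2>/dev/null) || continue
        new=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        [ "${base%%.*}" = "$old" ] || continue   # name is not the old hash
        n=0
        # Take the first free suffix; distinct subjects can share a hash value.
        while [ -e "$dir/$new.$n" ] ||
              case $planned in *" $new.$n "*) true ;; *) false ;; esac; do
            # An identical file under the new name means this one is done.
            cmp -s "$f" "$dir/$new.$n" 2>/dev/null && continue 2
            n=$((n + 1))
        done
        planned="$planned$new.$n "
        printf '%s %s\n' "$base" "$new.$n"
    done
}

# Copy (rather than move) so applications still linked against the older
# libraries keep finding the old names in the same directory.
rehash_apply() {
    plan=$(rehash_plan "$1")
    printf '%s\n' "$plan" | while read -r from to; do
        [ -n "$from" ] || continue
        cp -p "$1/$from" "$1/$to"
    done
}
```

Run `rehash_plan` first and review its output before calling `rehash_apply`; a second run prints nothing once every certificate has a copy under its new name.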