VSI-AXPVMS-SSL111-V0101-1GA-1-RNOTES.PDF

Order Number: XX-7FA0E-D9

This document is the Installation Guide and Release Notes for VSI SSL111 Version 1.1-1G for OpenVMS, released April 2020. It details hardware and software prerequisites, installation instructions, post-installation tasks, application building, directory structure, and release notes.

Key points include:

  1. Basis & Requirements: VSI SSL111 V1.1-1G is based on Open Source OpenSSL 1.1.1g. It requires OpenVMS Alpha server Version 8.4-1H1 or later, and approximately 170,000 disk blocks for installation. It must be installed on the system disk.
  2. Coexistence & Compatibility:
    • The product name changed to SSL111 to allow it to coexist on the same system with older versions like VSI SSL V1.4 (based on OpenSSL 0.9.8) and VSI SSL1 (based on OpenSSL 1.0.2).
    • VSI SSL111 is NOT backward compatible at the API/data structure level. Applications linked with older VSI SSL versions must be recompiled and relinked against VSI SSL111 V1.1 header files and libraries to utilize its features.
    • Logical names, directory structures, command procedures, and library names for VSI SSL111 are now consistently prefixed with SSL111$ (e.g., SSL111$INCLUDE:, [VMS$COMMON.SSL111]). The common OPENSSL logical name will point to the version that was started last, requiring careful management during application builds.
  3. Certificate Migration:
    • Older VSI SSL V1.4 and VSI SSL1 versions used MD5 for certificate hash names, while VSI SSL111 V1.1 uses SHA-1.
    • Users upgrading must manually migrate existing certificate stores. This involves copying certificates and renaming the certificate files to match their new SHA-1 hash, as validation will fail with SSL111 if old MD5 hash names are used.
  4. Installation & Post-Installation:
    • Installation is done via $ PRODUCT INSTALL SSL111.
    • Post-installation tasks involve modifying SYS$MANAGER:SYSTARTUP.COM and SYSHUTDWN.COM to include SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM, ensuring SSL111's logicals are defined after any older SSL versions.
    • Custom changes made to older SSL/SSL1 startup/shutdown scripts or OpenSSL configuration files (OPENSSL.CNF, OPENSSL-VMS.CNF) must be manually copied to the new SSL111 locations.
    • Dependent applications must be rebuilt and relinked against VSI SSL111.
    • An Installation Verification Procedure (IVP) and a Certificate Tool (single-user only) are available.
  5. Application Building: VSI SSL111 supports both 64-bit and 32-bit APIs, requiring specific compiler qualifiers (e.g., /POINTER_SIZE=64) and linking against corresponding shared libraries (SSL111$LIBSSL_SHR.EXE for 64-bit, SSL111$LIBSSL_SHR32.EXE for 32-bit).
  6. Unsupported Features: IDEA, RC5, MDC2 symmetric cipher algorithms and RAND_egd related APIs are not supported due to copyright or OpenVMS limitations. RAND_poll() is used for secure random seeds.
  7. Documentation & Security: OpenSSL website documentation takes precedence over local kit documentation if discrepancies exist. Certificates and private keys generated with the Certificate Tool must be properly protected using OpenVMS file protections or ACLs.
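The rename step described under Certificate Migration, as an added example that is not taken from the VSI release notes: it uses the `openssl x509` options `-subject_hash_old` and `-subject_hash` to compute the old MD5-based and new SHA-1-based file names for each certificate. The POSIX shell file handling and the function names `cert_hash` and `migrate_store` are assumptions made for illustration; on OpenVMS the copy and rename would be done in DCL.

```shell
#!/bin/sh
# Added example: copy a hashed certificate store into a new directory,
# naming each file after its new (SHA-1-based) subject hash.
# Assumes a POSIX shell and an OpenSSL 1.1.1 "openssl" on PATH.

# cert_hash new|old FILE: print the 8-hex-digit subject hash of a PEM cert.
cert_hash() {
    case "$1" in
        new) openssl x509 -noout -subject_hash -in "$2" ;;      # SHA-1 based
        old) openssl x509 -noout -subject_hash_old -in "$2" ;;  # MD5 based
        *)   return 2 ;;
    esac
}

# migrate_store OLD_DIR NEW_DIR (hypothetical helper name)
migrate_store() {
    old_dir=$1
    new_dir=$2
    mkdir -p "$new_dir" || return 1
    for f in "$old_dir"/*.[0-9]*; do
        [ -f "$f" ] || continue
        # Files openssl cannot parse as a certificate are left alone.
        new=$(cert_hash new "$f" 2>/dev/null) || continue
        old=$(cert_hash old "$f" 2>/dev/null) || continue
        name=$(basename "$f")
        [ "${name%.*}" = "$old" ] ||
            echo "note: $name is not named after its old hash $old" >&2
        # Certificates with the same subject share a hash: use the first
        # free numeric suffix, and skip a file that was already migrated.
        n=0
        while [ -e "$new_dir/$new.$n" ]; do
            cmp -s "$f" "$new_dir/$new.$n" && continue 2
            n=$((n + 1))
        done
        cp -p "$f" "$new_dir/$new.$n" || return 1
        echo "$name -> $new.$n"
    done
    return 0
}

# Run as: sh migrate.sh OLD_DIR NEW_DIR
if [ "$#" -eq 2 ]; then
    migrate_store "$1" "$2"
fi
```

The old store is left untouched, so applications still linked against the older SSL kits keep working while the new directory is checked.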
April 2000
12 pages