VSI-AXPVMS-SSL1-V0100-2UA-1-RELNOTES.PDF

This document provides release notes for VSI SSL1 V1.0-2UA for OpenVMS, based on OpenSSL 1.0.2u, released in January 2020.

Key points include:

• Co-existence: VSI SSL1 V1.0 is designed to co-exist with VSI SSL 1.4.

• Post-Installation Activities:

  • Startup/Shutdown Integration: If OpenVMS startup procedures (SYSTARTUP_VMS.COM) already invoke SSL scripts (for VSI SSL1 V1.0 or VSI SSL V1.4), these should be updated to conditionally invoke both SSL$STARTUP.COM and SSL1$STARTUP.COM. Crucially, SSL1$STARTUP.COM must be invoked after SSL$STARTUP.COM to ensure the OPENSSL logical points to the latest VSI SSL1 1.0 header files. Similar updates are required for system shutdown (SYSHUTDWN.COM).
  • Configuration Migration: Any manual changes made to site-specific SSL startup/shutdown command procedures (e.g., SSL$COM:SSL$SYSTARTUP.COM) and OpenSSL configuration files (OPENSSL.CNF, OPENSSL-VMS.CNF) must be copied from the old SSL$ROOT to the new SSL1$ROOT directory structure.
  • New Directory Structure: VSI SSL1 V1.0 introduces a modified top-level directory structure, moving from SYS$SYSDEVICE:[VMS$COMMON.SSL] to SYS$SYSDEVICE:[VMS$COMMON.SSL1].
  • Critical Certificate Store Migration: The most significant change when migrating from HP SSL V1.4 (or V1.3) to VSI SSL1 V1.0 is the change in the certificate hash algorithm from MD5 to SHA-1. This impacts certificate filenames in the store. Users must:
    1. Copy their existing certificate store (e.g., [DEMOCA.CERTS]) to the new SSL1$ROOT directory.
    2. For each certificate, use the openssl x509 -hash command to determine its new SHA-1 hash.
    3. Rename the certificate file in the SSL1$ROOT store to use this new SHA-1 hash as its filename (e.g., a file named 438F16D6.0 based on MD5 will need to be renamed to 37d8de08.0 based on SHA-1). Failing to rename will cause certificate validation to fail.
    4. Older MD5-hashed certificate files can be deleted once they are no longer in use by HP SSL V1.4.
  • Installation Verification Procedure (IVP): Normally executed during installation, it can be run manually using @ SYS$TEST:SSL1$IVP.COM.

• Removal: The product can be removed using PRODUCT REMOVE SSL1, though some generated files (logs, certificates) may remain.