VSI-AXPVMS-SSL111-V0101-1K-1-RNOTES.PDF

Order Number: XX-EBB74-79

This document is the Install Guide and Release Notes for VSI SSL111 Version 1.1-1K for OpenVMS, released in March 2021. It provides details on installation, configuration, and migration from older SSL versions.

Key Information:

  1. Product Basis: VSI SSL111 Version 1.1-1K for OpenVMS is based on OpenSSL version 1.1.1k from OpenSSL.org.
  2. System Requirements:
    • Operating System: OpenVMS Integrity server Version 8.4-2L1 or 8.4-2L2.
    • Disk Space: Requires approximately 200,000 blocks for installation and 170,000 blocks once installed.
    • Installation Location: Must be installed on the system disk.
  3. Coexistence and Backward Compatibility (Crucial):
    • VSI SSL111 is designed to coexist with older VSI SSL V1.4 (based on OpenSSL 0.9.8) and VSI SSL1 (based on OpenSSL 1.0.2).
    • To achieve this, SSL111 uses distinct naming conventions with an SSL111$ prefix for logical names, directories (e.g., SYS$SYSDEVICE:[VMS$COMMON.SSL111]), command procedures, and library names (e.g., SSL111$LIBSSL_SHR.EXE).
    • VSI SSL111 V1.1 is NOT backward compatible with previous VSI SSL versions. OpenSSL APIs, data structures, and commands have changed significantly.
    • Application Migration: Applications dependent on older VSI SSL versions MUST be recompiled and relinked against the new SSL111 header files and shareable images to utilize VSI SSL111 features.
    • Certificate Store Migration: The certificate hash algorithm changed from MD5 (in older versions) to SHA-1 (in SSL111). Users must manually rename certificate files in their store to reflect the new SHA-1 hash after copying them to the new SSL111$ROOT directory.
    • Custom Procedures: Any custom command procedures or configuration files referencing older SSL/SSL1 logicals, directories, or scripts need to be updated to use the SSL111$ prefixed versions.
  4. Installation and Post-Installation Tasks:
    • Installation is done via PRODUCT INSTALL SSL111.
    • Post-installation involves updating SYS$MANAGER:SYSTARTUP_VMS.COM and SYS$MANAGER:SYSHUTDWN.COM to include SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM respectively, ensuring SSL111$STARTUP.COM runs last to correctly set the OPENSSL logical name.
    • Foreign commands for OpenSSL utilities need to be defined.
    • Users are advised to compare and merge changes from .CNF_TEMPLATE files if upgrading existing configurations.
    • An Installation Verification Procedure (IVP) is available.
  5. Application Development: VSI SSL111 provides separate 64-bit and 32-bit APIs, with corresponding shareable images. Developers can choose by compiling with /POINTER_SIZE=64 for 64-bit applications.
  6. Release Notes and Cautions:
    • TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is enabled.
    • Unsupported Algorithms/APIs: IDEA, RC5, and MDC2 symmetric ciphers are not provided due to copyright. RAND_egd related APIs are unavailable; RAND_poll() should be used for secure random seeding.
    • The Certificate Tool is single-user only (no locking mechanism).
    • Users must ensure proper OpenVMS file protections or ACLs are used for certificates and private keys.
    • OpenSSL environment variables accept the ${var} format.
    • OpenSSL website documentation is considered authoritative for API details over the included kit documentation.
March 2000
16 pages