This document serves as the Installation Guide and Release Notes for VSI SSL111 Version 1.1-1E for OpenVMS, released in March 2020. It targets OpenVMS Integrity servers and is based on Open Source OpenSSL version 1.1.1e.
Key aspects covered include:
- Scope and Purpose: It details hardware/software prerequisites, installation instructions, post-installation tasks, application building, directory structure, and release notes.
- Prerequisites: Requires VSI OpenVMS Integrity server Version 8.4-1H1 or later, and approximately 200,000 blocks of disk space during installation (170,000 blocks once installed).
- Backward Compatibility & Migration: VSI SSL111 V1.1-1E is not backward compatible with previous VSI SSL V1.4 (OpenSSL 0.9.8) or VSI SSL1 (OpenSSL 1.0.2) versions.
- Application Migration: Applications linked with older VSI SSL versions must be recompiled and relinked against the new SSL111 header files and shareable images due to API, data structure, and command changes.
- Coexistence: Older and newer versions can coexist, but new components (logical names, directories, command procedures, libraries) are prefixed with SSL111$ (e.g., SSL111$INCLUDE, SYS$SHARE:SSL111$LIBSSL_SHR.EXE). The common OPENSSL logical name will point to the last started version.
- Certificate Store Migration: Certificates created with older VSI SSL versions need to be manually migrated. The hash algorithm for certificate names has changed from MD5 to SHA-1, requiring users to rename certificate files (e.g., 438F16D6.0 to 37d8de08.0) to avoid validation failures.
- Installation & Post-Installation:
  - Installation is done via $ PRODUCT INSTALL SSL111.
  - Post-installation tasks include adding SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM to system startup/shutdown scripts, ensuring SSL111$STARTUP.COM runs last to correctly define the OPENSSL logical name.
  - Any custom changes made to older SSL startup/shutdown scripts or OpenSSL configuration files (OPENSSL.CNF, OPENSSL-VMS.CNF) must be manually replicated for SSL111.
  - The product must be installed on the system disk; other locations are not supported.
- Application Development: Provides 64-bit and 32-bit APIs and libraries for building applications, with examples for compilation and linking.
- Limitations & Notes:
  - Addresses C++ compiler issues with automatically included header pragmas and linker issues with long symbol names.
  - Certain OpenSSL ciphers (IDEA, RC5, MDC2) and RAND APIs (RAND_egd, RAND_egd_bytes) are not supported due to copyright or OpenVMS specifics.
  - The Certificate Tool should only be used by one user/process at a time as it lacks a locking mechanism.
  - Emphasizes protecting certificates and keys.
  - OpenSSL documentation from openssl.org is primarily UNIX-style; differences for OpenVMS (file/directory format) are noted.
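
A dry-run rename planner for the certificate store migration described above, added here as an example and not taken from the VSI guide. It assumes the certificate directory is readable from a host with Python 3.7+ and an OpenSSL 1.x binary named openssl; the function names are this example's own, and certificates that share a subject hash are given the sequence numbers .0, .1, and so on.

```python
import re
import subprocess
import sys
from pathlib import Path

# Hash-style store entries: 8 hex digits, a dot, a sequence number (438F16D6.0)
HASH_NAME = re.compile(r"^([0-9A-Fa-f]{8})\.(\d+)$")


def openssl_subject_hash(cert_path, openssl="openssl"):
    """Return the subject-name hash an OpenSSL 1.x binary computes for a certificate."""
    result = subprocess.run(
        [openssl, "x509", "-noout", "-subject_hash", "-in", str(cert_path)],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip().lower()


def plan_renames(cert_dir, hash_fn=openssl_subject_hash):
    """List (old_name, new_name) pairs for entries whose name no longer matches."""
    hashes = {}
    for path in sorted(Path(cert_dir).iterdir()):
        if path.is_file() and HASH_NAME.match(path.name):
            hashes[path.name] = hash_fn(path)

    # Entries already named after their current hash keep their slot.
    taken = {name.lower() for name, h in hashes.items()
             if name.lower().startswith(h + ".")}
    plan = []
    for name, h in hashes.items():
        if name.lower() in taken:
            continue
        seq = 0
        while f"{h}.{seq}" in taken:  # same subject hash: use .1, .2, ...
            seq += 1
        taken.add(f"{h}.{seq}")
        plan.append((name, f"{h}.{seq}"))
    return plan


if __name__ == "__main__":
    # Dry run only: print the renames and leave the store untouched.
    for old, new in plan_renames(sys.argv[1]):
        print(f"{old} -> {new}")
```

Entries whose name already matches the current hash are left out of the plan, so running it again after the renames should print nothing.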