VSI-I64VMS-SSL111-V0101-1GA-1-RNOTES.PDF

Order Number: XX-749BF-6D

This document is an Installation Guide and Release Notes for VSI SSL111 Version 1.1-1G for OpenVMS, released in April 2020. It details the installation, prerequisites, post-installation tasks, and release notes for this product, which is based on OpenSSL version 1.1.1g. It is specifically for OpenVMS Integrity servers.

Key points from the document:

  1. Purpose & Basis: VSI SSL111 V1.1-1G provides SSL/TLS functionality based on the OpenSSL 1.1.1g stream.
  2. Prerequisites:
    • Hardware: Approximately 200,000 disk blocks during installation and 170,000 blocks once installed.
    • Software: OpenVMS Integrity server Version 8.4-1H1 or later.
    • No specific account quotas or system parameters are required.
  3. Coexistence and Migration (Critical Section):
    • Product Naming: The product name changed to SSL111 to allow VSI SSL V1.4 (OpenSSL 0.9.8) and VSI SSL1 (OpenSSL 1.0.2) to coexist on the same system.
    • Backward Compatibility: VSI SSL111 V1.1 is not backward compatible with older VSI SSL versions due to changes in OpenSSL APIs and data structures.
    • Application Migration: Applications dependent on previous VSI SSL versions must be recompiled and relinked against the new SSL111 V1.1 header files and shareable images.
    • Logical Names & Directories:
      • New logical names, directory structures, command procedures, and library names are prefixed with SSL111$.
      • The common OPENSSL logical name will point to the version started last.
      • Users must modify any custom command procedures or scripts that reference old SSL$ or SSL1$ logical names or directories to use the new SSL111$ equivalents.
    • Certificate Store Migration: This is a crucial manual step. The hash algorithm for certificate files has changed from MD5 (V1.4/SSL1) to SHA-1 (SSL111). Existing certificates in older stores must be copied to the new SSL111 directory structure and their filenames updated to reflect the new SHA-1 hash.
  4. Installation Process:
    • Use the PRODUCT INSTALL SSL111 command.
    • It must be installed on the system disk.
    • For cluster installations, SSL111 must be shut down on each node before installation and started on each node after.
    • Post-Installation Tasks: Add SSL111$STARTUP.COM to SYS$MANAGER:SYSTARTUP_VMS.COM, ensuring it runs after any older SSL startup scripts so that the OPENSSL logical name is set correctly, and add SSL111$SHUTDOWN.COM to SYS$MANAGER:SYSHUTDWN.COM.
    • Users are advised to copy any manual changes from old SSL$ or SSL1$ configuration files (.CNF) to the new SSL111$ ones.
    • An Installation Verification Procedure (IVP) and a Certificate Tool are available.
  5. Building Applications:
    • VSI SSL111 provides separate 64-bit and 32-bit APIs (e.g., LIBSSL_SHR.EXE vs. LIBSSL_SHR32.EXE).
    • When compiling with VSI C for 64-bit APIs, use /POINTER_SIZE=64.
  6. Release Notes:
    • TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES are enabled.
    • Legal Caution: Users must ensure compliance with national and international laws regarding cryptographic algorithms.
    • Unsupported Features: IDEA, RC5, and MDC2 symmetric cipher algorithms are not provided due to copyright. RAND_egd, RAND_egd_bytes, and RAND_query_egd_bytes APIs are not available; use RAND_poll() for secure random seeds.
    • OpenSSL website documentation might differ from the kit's and takes precedence.
    • The Certificate Tool does not have locking and should be used by only one user/process at a time.
    • The notes recommend protecting certificates and private keys with OpenVMS file protections or ACLs.
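
The logical-name migration in point 3 and the startup ordering in point 4 can be checked mechanically before cutover. The following Python sketch is an added example, not part of the release notes or the VSI kit: it flags SSL$ and SSL1$ references left in a DCL command procedure and checks that the SSL111$ startup procedure is the last SSL startup invoked. The sample procedure text and the names in it are constructed for illustration.

```python
import re

# Old-generation prefixes named in the summary above; SSL111$ is the new one.
# The lookbehind keeps unrelated names such as MYSSL$DATA from matching.
OLD_REF = re.compile(r"(?<![A-Z0-9_$])(SSL1?\$)[A-Z0-9_$]*", re.IGNORECASE)
STARTUP = re.compile(r"(?<![A-Z0-9_$])(SSL(?:1|111)?\$)STARTUP\b", re.IGNORECASE)

def strip_comment(line):
    """Drop a DCL '!' comment, ignoring '!' inside double-quoted strings."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "!" and not in_quotes:
            return line[:i]
    return line

def find_old_references(text):
    """Return (line_number, name) for each SSL$ / SSL1$ reference in live code."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in OLD_REF.finditer(strip_comment(line)):
            hits.append((number, match.group(0).upper()))
    return hits

def startup_order_ok(text):
    """True when the last SSL startup procedure invoked is the SSL111$ one."""
    prefixes = [m.group(1).upper()
                for line in text.splitlines()
                for m in STARTUP.finditer(strip_comment(line))]
    return bool(prefixes) and prefixes[-1] == "SSL111$"

# Constructed sample of a startup procedure (names are illustrative).
SAMPLE = '''$! Constructed sample, not from the release notes
$ @SYS$STARTUP:SSL111$STARTUP
$ @SYS$STARTUP:SSL1$STARTUP   ! old kit started last
$ DEFINE/SYSTEM MY_CERTS SSL$ROOT:[CERTS]
$ WRITE SYS$OUTPUT "uses MYSSL$DATA ! not a comment"
'''

if __name__ == "__main__":
    for number, name in find_old_references(SAMPLE):
        print(f"line {number}: old reference {name}")
    print("SSL111 started last:", startup_order_ok(SAMPLE))
```

A reference reported here is a place where a procedure would still bind to the older OpenSSL 0.9.8 or 1.0.2 kit after the upgrade, so each hit needs a manual decision rather than a blind prefix substitution.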
XX-749BF-6D
April 2000
12 pages