VSI-I64VMS-SSL111-V0101-1GB-1-RELNOTES.PDF

This document is an installation guide and release notes for VSI SSL111 Version 1.1-1G for OpenVMS, released April 2020. It targets OpenVMS Integrity servers and is based on Open Source OpenSSL version 1.1.1g.

Key Points:

• Prerequisites: Requires OpenVMS Integrity server Version 8.4-1H1 or later, and approximately 200,000 disk blocks for installation.
• Coexistence & Migration: VSI SSL111 is designed to coexist with older VSI SSL versions (V1.4, SSL1) on the same system. It achieves this by using distinct SSL111$ prefixes for all logical names, directory structures, command procedures, and library names.
• Backward Compatibility: VSI SSL111 APIs are not backward compatible. Existing applications built with previous VSI SSL versions must be recompiled and relinked against the new VSI SSL111 header files and libraries.
• Certificate Store Migration (Critical): The certificate hash algorithm has changed from MD5 to SHA-1. Therefore, existing certificate files (hash.0) in older certificate stores will need to be manually renamed or recreated using the new SHA-1 hash for VSI SSL111 to validate them.
• Installation: Performed using the PRODUCT INSTALL SSL111 command. It must be installed on the system disk. For clustered environments, VSI SSL111 must be shut down on all nodes before installation.

• Post-Installation Tasks:

  • Update system startup (SYS$MANAGER:SYSTARTUP_VMS.COM) and shutdown (SYS$MANAGER:SYSHUTDWN.COM) procedures to include SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM. SSL111$STARTUP.COM should be invoked last to ensure the common OPENSSL logical name points to the latest VSI SSL111 header files.
  • Migrate any custom changes from older OpenSSL configuration files (e.g., OPENSSL.CNF) and command procedures to their SSL111$ equivalents.
  • An Installation Verification Procedure (IVP) and a Certificate Tool are available.

• Application Building: VSI SSL111 provides separate 64-bit and 32-bit APIs and shared libraries. Applications can be compiled for 64-bit using the /POINTER_SIZE=64 qualifier.

• Limitations: IDEA, RC5, and MDC2 symmetric cipher algorithms are not supported due to copyright restrictions. RAND_egd APIs are also unsupported; RAND_poll() is provided for secure random seeding. The Certificate Tool is single-user only.
• Documentation: OpenSSL documentation on the OpenSSL website should be considered the primary source, noting differences in file and directory path formats between UNIX and OpenVMS.