VSI-I64VMS-SSL111-V0101-1IA-1-RNOTES.PDF

This document is the Installation Guide and Release Notes for VSI SSL111 Version 1.1-11 for OpenVMS, released in December 2020.

Key Information:

• Basis: The software is based on Open Source OpenSSL version 1.1.1i.
• Target System: It runs on OpenVMS Integrity servers (Version 8.4-1H1 or later).
• Disk Space: Requires approximately 200,000 blocks for installation and occupies 170,000 blocks.

• Coexistence and Compatibility (Critical Changes):

  • Product Naming: The product name has changed to "SSL111" to allow it to coexist on the same system with older versions like VSI SSL V1.4 (based on OpenSSL 0.9.8) and VSI SSL1 (based on OpenSSL 1.0.2).
  • Backward Incompatibility: VSI SSL111 V1.1 is not backward compatible with VSI SSL V1.4 or VSI SSL1 APIs. Applications dependent on older VSI SSL versions must be recompiled and relinked against the new SSL111 header files and shareable images to utilize SSL111 functions and features.
  • Certificate Store Migration (Mandatory): The certificate hash algorithm has changed from MD5 (used in VSI SSL V1.4/SSL1) to SHA-1. Existing certificate store files must be manually migrated by re-hashing and renaming them to use the new SHA-1 hash for validation to succeed with SSL111.
  • Logical Names, Directories, Commands: All VSI SSL111 V1.1 logical names, directories, and command procedures are prefixed/suffixed with SSL111$ (e.g., SSL111$ROOT, SYS$COMMON:[VMS$COMMON.SSL111]). Custom command procedures or scripts referencing older SSL$ or SSL1$ names/directories need to be updated.
  • OPENSSL Logical Name: This common logical name points to the last installed product. During migration, ensure SSL111$STARTUP.COM is invoked after any older SSL startup procedures to ensure OPENSSL points to VSI SSL111's include path.

• Installation:

  • Use the PRODUCT INSTALL SSL111 command.
  • Must be installed on the system disk; installation to other locations is no longer supported.
  • For cluster installations, VSI SSL111 must be shut down on all nodes before installation and started on all nodes post-installation.

• Post-Installation Tasks:

  • Add SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM to the system startup and shutdown procedures, ensuring correct invocation order relative to older SSL versions.
  • Replicate any manual changes from old SSL/SSL1 configuration files (OPENSSL.CNF, OPENSSL-VMS.CNF) to the new SSL111$ROOT versions. Template files are provided to assist with upgrades.
  • Run the Installation Verification Procedure (IVP) using @SYS$TEST:SSL111$IVP.COM.
  • Utilize the SSL111$CERT_TOOL for certificate management (note: it's a single-user tool).

• Application Building:

  • VSI SSL111 provides separate 64-bit and 32-bit APIs (e.g., SYS$SHARE:SSL111$LIBSSL_SHR.EXE for 64-bit, SYS$SHARE:SSL111$LIBSSL_SHR32.EXE for 32-bit). Developers choose the appropriate API when compiling.

• Unsupported Features:

  • IDEA, RC5, and MDC2 symmetric cipher algorithms are not supported due to copyright protection.
  • RAND_egd, RAND_egd_bytes, and RAND_query_egd_bytes APIs are not available; RAND_poll() should be used for secure random seeds.

• Documentation: OpenSSL documentation on the OpenSSL website (https://www.openssl.org/docs/) takes precedence over the documentation included in the kit if discrepancies arise.

• Legal Caution: Users are responsible for ensuring compliance with all national and international laws regarding cryptographic algorithms.