VSI-I64VMS-SSL111-V0101-1K-1-RNOTES.PDF

This document is the Install Guide and Release Notes for VSI SSL111 Version 1.1-1K for OpenVMS, released in March 2021. It is based on OpenSSL version 1.1.1k and is designed for OpenVMS Integrity servers.

Key aspects covered include:

1. Prerequisites: Requires OpenVMS Integrity server V8.4-1H1 or later, and approximately 200,000 disk blocks for installation (170,000 installed). No specific account quotas or system parameters are needed.

2. Coexistence and Migration (Crucial):

   • VSI SSL111 V1.1 is designed to coexist with older VSI SSL versions (V1.4 and SSL1) on the same system. This is achieved by using distinct logical names (prefixed SSL111$), directory structures (SYS$SYSDEVICE:[VMS$COMMON.SSL111]), command procedures, and shareable library names.
   • Backward Compatibility: VSI SSL111 V1.1 is not backward compatible with VSI SSL V1.4 or SSL1 due to changes in OpenSSL APIs, data structures, and commands.
   • Application Migration: All applications dependent on older VSI SSL versions must be recompiled and relinked against the new SSL111 V1.1 header files and libraries.
   • Certificate Store Migration: Manual migration of certificate stores is required. The hash algorithm for certificate files has changed from MD5 to SHA-1, meaning existing certificate files (hash.0) in the old store must be manually renamed to use the new SHA-1 hash when moved to the SSL111 directory structure.
   • Custom Scripts: Custom command procedures and configuration files referencing old logical names, directories, or commands need to be updated to use the SSL111$ prefixed versions. The SSL111$STARTUP.COM procedure should be invoked after older SSL startup scripts to ensure the OPENSSL logical name points to the latest version.

3. Installation & Post-Installation:

   • Installation is performed using the PRODUCT INSTALL SSL111 command.
   • Post-installation tasks involve adding SSL111$STARTUP.COM and SSL111$SHUTDOWN.COM to system startup/shutdown procedures, defining foreign commands (@SSL111$COM:SSL111$UTILS), and performing the detailed migration steps for applications and certificates.
   • An Installation Verification Procedure (IVP) and a Certificate Tool are available for optional use.

4. Building Applications: VSI SSL111 supports both 64-bit and 32-bit APIs, using different shareable image files (SSL111$LIBSSL_SHR.EXE for 64-bit, SSL111$LIBSSL_SHR32.EXE for 32-bit). Specific compiler (/POINTER_SIZE=64) and linker options are provided.

5. Release Notes & Important Considerations:

   • Certain symmetric ciphers (IDEA, RC5, MDC2) and specific RAND APIs (RAND_egd, etc.) are not supported. Users should use RAND_poll() for secure random seeds.
   • OpenSSL documentation is UNIX-centric; users should be aware of differences in file and directory formats on OpenVMS.
   • Configuration files (e.g., OPENSSL.CNF) are provided with _TEMPLATE suffixes; users should back up any customizations before uninstalling, as a reinstallation will use the new templates.
   • Installation on a common system disk in a cluster requires SSL111$SHUTDOWN to be run on all nodes first.
   • Vulnerabilities information is available on the OpenSSL website.