[Info-vax] Anyone out there running OpenVMS-7.3-2 ???
Neil Rieck
n.rieck at sympatico.ca
Mon Mar 12 21:35:21 EDT 2012
On Monday, March 5, 2012 6:28:55 PM UTC-5, David Froble wrote:
> Neil Rieck wrote:
> > On Sunday, March 4, 2012 12:30:26 PM UTC-5, David Froble wrote:
> >> Neil Rieck wrote:
> >>> Anyone out there running OpenVMS-7.3-2 ???
> >>>
> >>> If so I need you to do me a favor. Try these commands:
> >>>
> >>> $ set def ssl$com
> >>> $ @SSL$UTILS.COM
> >>> $ openssl version
> >>> $ openssl s_client -connect www.google.com:443
> >>> [...lots of certificate and crypto verbiage...]
> >>> GET / HTTP/1.0<enter><enter>
> >>>
> >>> after the second <enter> you should see a web response similar to
> >>> this:
> >>> HTTP/1.1 200 OK
> >>> Date: Sun, 19 Feb 2012 21:07:05 GMT
> >>> Server:
> >>> [... lots of HTTP/HTML verbiage...]
> >>>
> >>> p.s. If you are behind a firewall, just connect to any old webserver
> >>> that may be near by
> >>>
> >>> Neil Rieck
> >>> Kitchener / Waterloo / Cambridge,
> >>> Ontario, Canada.
> >>> http://www3.sympatico.ca/n.rieck/
> >>>
> >>>
> >>>
> >> I guess my question is, what are you trying to accomplish ? Usually much easier to answer
> >> than just general questions with no apparent purpose.
> >>
> >> VMS 7.3-2 is sort of old, but so is the SSL port to VMS, so perhaps not an issue.
> >>
> >> Having recently spent significant time trying to get some socket communications using SSL to
> >> work, I've found that certificates (which I had little prior experience with) can be
> >> interesting to set up. Not saying that is your problem.
> >
> > All our Alphas are running OpenVMS-8.4
> >
> > I have discovered bugs in the "s_client" command in HP-OpenSSL-1.3 and higher (these bugs are not seen in Windows, Solaris, or MAC-OS-X which come from the same code base). At the time of my original post, I didn't know if the problem was due to me running on OpenVMS-8.4 or something else. Some hobbyists allow telnet access so I logged onto a bunch of OpenVMS-7.x sites and found that the problem was not due to the OS level. Since then I built a 7.3-2 system on an old junked Alpha from the back room and have been looking for older versions of OpenSSL to do regression testing. By determining where the code broke, it would be easier to compare source code releases (even though there were 12 releases of OpenSSL between HP-OpenSSL-1.1B and HP-OpenSSL-1.3-281)
> >
> > http://www3.sympatico.ca/n.rieck/docs/openvms_notes_ssl.html#cli-1
> >
> > I've inspected the source code between 1.1B and 1.3-281 and it appears that there are no significant changes in the VMS variants. At this point I am assuming the problem has more to do with how the apps are built (compiler switches, etc.) on VMS so I referred the problem to HP by placing an official software support request on Feb-28.
> >
> > Neil Rieck
> > Kitchener / Waterloo / Cambridge,
> > Ontario, Canada.
> > http://www3.sympatico.ca/n.rieck/
>
> Well, yeah, the particular capability appears to be broken, but I was asking why you
> needed it? Perhaps there is another way to perform your task? Or you have no task, and
> just wanted to point out the problem?
Sorry for the late response to your question. At the time, I didn't know if the current OpenSSL products from HP were only broken on OpenVMS-8.x (due to a library problem) or broken on all platforms so I wanted to do some regression testing from a working platform.
Since then, I dusted off some old optical media, grabbed an old Alpha from our junk pile, then used it to build an OpenVMS-7.3-2 system where I could rebuild OpenSSL binaries from HP sources. (I was even able to locate Alpha sources for CPQ-OpenSSL-1.1A which are missing from the HP site.) It turns out that there was a problem in the code for file "s_client.c" which affected everything after 1.2 (so affected version 1.3 and higher).
I've posted the solution here:
http://www3.sympatico.ca/n.rieck/docs/openvms_notes_ssl.html#s_client-fix
Today I also notified the good folks in OpenVMS support at HP as well as www.OpenSSL.org.
Many thanks to all the people who sent me old binaries. In this instance I felt more like an archeologist than a programmer (although Indiana Jones would not have been able to decipher the offending "conditional compile" statement).
Neil Rieck
Kitchener / Waterloo / Cambridge,
Ontario, Canada.
http://www3.sympatico.ca/n.rieck/