[Info-vax] New OpenSSL update from HP
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sun Jun 14 08:45:19 EDT 2015
On 2015-06-14 11:23:54 +0000, Jan-Erik Soderholm said:

Not sure about the old postings that were included here.

> Steven Schweda wrote on 2014-11-25 06:13:
>>> Have you checked if they fixed the transfer vectors to have exact case
>>> symbols with upper case aliases?

As has undoubtedly been discussed before, I'd doubt that HP will do
that with their HP SSL kit and the 0.9.8 series.

There is now a tool which allows exact-case applications to be linked
and to then utilize the HP-supplied uppercase shareable images:
Shimmer. <http://labs.hoffmanlabs.com/node/1906>

>> I understand that an HP-supplied OpenSSL kit may be preferred over a
>> home-built OpenSSL kit, but I'd be (at least vaguely) interested in
>> whether one of the current OpenSSL version 1.0.x kits (from
>> openssl.org) provides the feature(s) you seek. (Even the current
>> 0.9.8xx kit might do, if you don't want 64-bit pointers.)

Current TLS is a common requirement. All versions of SSL are broken;
SSLv1, SSLv2 and SSLv3. Which means using TLS. The TLSv1.0 provided
by OpenSSL 0.9.8 series and thus by HP SSL is itself older and is
looking rather weaker in general. Some folks want or need the most
current negotiation frameworks and ciphers that are available, too.
That's TLSv1.2.

With the HP SSL kit, there aren't all that many choices where you can
get what the Mozilla folks consider "intermediate" security
<https://wiki.mozilla.org/Security/Server_Side_TLS> using HP SSL, and
you can't get "modern" security with the HP SSL kit.

>> Disclaimer: From time to time I poke around with OpenSSL on VMS, but I
>> typically don't keep up with the latest release(s), and I don't do much
>> with it in any case, so, although curious, I know nothing.
>>
>> From time to time I also tell myself that I should look at an HP source
>> kit to see how they do things, but that hasn't happened, either.

I've not seen the sources for the HP 0.9.8-series kits. AFAIK,
releasing that source code is not required, either.

> I don't know much about OpenSSL/SSL, just noted a message from Mark
> Daniel today on the WASD mail list. The latest OpenSSL (1.0.2c,
> released 12-Jun-2015) https://www.openssl.org/ is now available as a
> kit for VMS (two days later!) https://wasd.vsm.com.au/wasd/

This OpenSSL release was shipped 12-Jun-2015, and has fixes for an ABI
incompatibility that was introduced in OpenSSL 1.0.2b 11-Jun-2015.

The most current 0.9.8 series OpenSSL 0.9.8zg was released 11-Jun-2015,
and I'd expect a new HP SSL kit later this month or more probably in
early July; the HP 0.9.8 ports seem to take about a month lately.

> It says "specifically to support WASD", and I have no idea about how
> general this build is...

The WASD SSL bits are built and organized for use by WASD. The WASD
bits are also based on much newer OpenSSL bits than the HP SSL bits.

> http://wasd.vsm.com.au/wasd_root/doc/features/features_0400.html
>
> WASD can at least use either the HP supplied 0.9.8.something, the
> 1.0.2c supplied by Mark or some locally supplied OpenSSL kit.

Most of the providers are able to turn around the new OpenSSL releases
pretty quickly, for those providers that are still using OpenSSL and
not LibreSSL <http://www.libressl.org> or some other variant or fork or
implementation.

n.b. The OpenSSL folks define what the OpenVMS interface looks like,
too; the order of the shareable image symbols. They're one of the few
(if not the only) multi-platform portable open source projects that do
that, too.

n.b. The LibreSSL folks maintain a portable variant, in addition to the
core version that uses the security features of OpenBSD.

n.b. The 0.9.8 series and the 1.0.0 series both go unsupported at the
end of this year; at the end of 2015.

--
Pure Personal Opinion | HoffmanLabs LLC