[Info-vax] New OpenSSL update from HP
Jan-Erik Soderholm
jan-erik.soderholm at telia.com
Sun Jun 14 09:23:32 EDT 2015
Stephen Hoffman wrote on 2015-06-14 14:45:
> On 2015-06-14 11:23:54 +0000, Jan-Erik Soderholm said:
>
> Not sure about the old postings that were included here.
>
>> Steven Schweda wrote on 2014-11-25 06:13:
>>>> Have you checked if they fixed the transfer vectors to have exact case
>>>> symbols with upper case aliases?
>
> As has undoubtedly been discussed before, I'd doubt that HP will do that
> with their HP SSL kit and the 0.9.8 series.
>
> There is now a tool which allows exact-case applications to be linked and
> to then utilize the HP-supplied uppercase shareable images: Shimmer.
> <http://labs.hoffmanlabs.com/node/1906>
>
>>> I understand that an HP-supplied OpenSSL kit may be preferred over a
>>> home-built OpenSSL kit, but I'd be (at least vaguely) interested in
>>> whether one of the current OpenSSL version 1.0.x kits (from openssl.org)
>>> provides the feature(s) you seek. (Even the current 0.9.8xx kit might
>>> do, if you don't want 64-bit pointers.)
>
> Current TLS is a common requirement. All versions of SSL are broken;
> SSLv1, SSLv2 and SSLv3. Which means using TLS. The TLSv1.0 provided by
> OpenSSL 0.9.8 series and thus by HP SSL is itself older and is looking
> rather weaker in general. Some folks want or need the most current
> negotiation frameworks and ciphers that are available, too. That's TLSv1.2.
That is also in line with the WASD documentation:
> As WASD uses the OpenSSL package in one distribution or another
> it largely supports all of the capability of that underlying package.
> The obsolete SSLv2, and the deprecated SSLv3 are no longer accepted by
> default. WASD defaults comprise the TLS family of protocols, at the
> time of writing, TLSv1, TLSv1.1 and TLSv1.2.
>
> With the HP SSL kit, there aren't all that many choices where you can get
> what the Mozilla folks consider "intermediate" security
> <https://wiki.mozilla.org/Security/Server_Side_TLS> using HP SSL, and you
> can't get "modern" security with the HP SSL kit.
>
>>> Disclaimer: From time to time I poke around with OpenSSL on VMS, but I
>>> typically don't keep up with the latest release(s), and I don't do much
>>> with it in any case, so, although curious, I know nothing.
>>>
>>> From time to time I also tell myself that I should look at an HP source
>>> kit to see how they do things, but that hasn't happened, either.
>
> I've not seen the sources for the HP 0.9.8-series kits. AFAIK, releasing
> that source code is not required, either.
>
>> I don't know much about OpenSSL/SSL, just noted a message from Mark
>> Daniel today on the WASD mail list. The latest OpenSSL (1.0.2c, released
>> 12-Jun-2015) https://www.openssl.org/ is now available as a kit for VMS
>> (two days later!) https://wasd.vsm.com.au/wasd/
>
> This OpenSSL release was shipped 12-Jun-2015, and has fixes for an ABI
> incompatibility that was introduced in OpenSSL 1.0.2b 11-Jun-2015.
>
> The most current 0.9.8 series OpenSSL 0.9.8zg was released 11-Jun-2015, and
> I'd expect a new HP SSL kit later this month or more probably in early
> July; the HP 0.9.8 ports seem to take about a month lately.
>
>> It says "specifically to support WASD", and I have no idea about how
>> general this build is...
>
> The WASD SSL bits are built and organized for use by WASD. The WASD bits
> are also based on much newer OpenSSL bits than the HP SSL bits.
>
>> http://wasd.vsm.com.au/wasd_root/doc/features/features_0400.html
>>
>> WASD can at least use either the HP supplied 0.9.8.something, the 1.0.2c
>> supplied by Mark or some locally supplied OpenSSL kit.
>
> Most of the providers are able to turn around the new OpenSSL releases
> pretty quickly, for those providers that are still using OpenSSL and not
> LibreSSL <http://www.libressl.org> or some other variant or fork or
> implementation.
>
> n.b. The OpenSSL folks define what the OpenVMS interface looks like, too;
> the order of the shareable image symbols. They're one of the few (if not
> the only) multi-platform portable open source projects that do that, too.
>
> n.b. The LibreSSL folks maintain a portable variant, in addition to the
> core version that uses the security features of OpenBSD.
>
> n.b. The 0.9.8 series and the 1.0.0 series both go unsupported at the end
> of this year; at the end of 2015.
>
>
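
An added example, not part of the original thread or of any kit it mentions: a small Python audit helper that orders the letter-suffixed OpenSSL version strings discussed above (0.9.8zg, 1.0.2b, 1.0.2c) and flags installations that top out at TLSv1.0 or sit in a series the thread says goes unsupported at the end of 2015. The node labels and function names are hypothetical; the TLSv1.2 cut-off assumes the upstream fact that TLSv1.1/TLSv1.2 first appeared in the 1.0.1 series.

```python
import re

# Added illustration; matches the pre-1.1 "major.minor.fix[letters]" scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(z*[a-z])?$")

def parse_openssl_version(text):
    """Return a sortable tuple (major, minor, fix, patch) for e.g. '0.9.8zg'."""
    m = _VERSION_RE.match(text.strip().lower())
    if m is None:
        raise ValueError("not a letter-suffixed OpenSSL version: %r" % text)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4) or ""
    # Patch letters run a..z and then continue za, zb, ...; no letter means 0.
    patch = 0
    if letters:
        patch = 26 * (len(letters) - 1) + (ord(letters[-1]) - ord("a") + 1)
    return (major, minor, fix, patch)

def max_tls(version):
    """Highest protocol version the series can negotiate."""
    # Assumption stated in the lead-in: TLSv1.1/1.2 arrived with 1.0.1.
    return "TLSv1.2" if version[:3] >= (1, 0, 1) else "TLSv1.0"

def series_unsupported_after_2015(version):
    # Per the thread: the 0.9.8 and 1.0.0 series go unsupported at end of 2015.
    return version[:3] in ((0, 9, 8), (1, 0, 0))

def audit(inventory):
    """inventory: {label: version_string} -> findings sorted oldest first."""
    rows = []
    for label, text in inventory.items():
        v = parse_openssl_version(text)
        rows.append((v, label, text, max_tls(v), series_unsupported_after_2015(v)))
    rows.sort()
    return [(label, text, tls, eol) for _, label, text, tls, eol in rows]

# Constructed inventory: labels are hypothetical, versions are those named above.
SAMPLE = {"node-a": "1.0.2c", "node-b": "0.9.8zg", "node-c": "1.0.2b"}

if __name__ == "__main__":
    for label, text, tls, eol in audit(SAMPLE):
        print("%-8s %-8s max=%s series_ends_2015=%s" % (label, text, tls, eol))
```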