[Info-vax] New OpenSSL update from HP

Dirk Munk munk at home.nl
Sun Jun 14 14:15:17 EDT 2015


Jan-Erik Soderholm wrote:
> Stephen Hoffman skrev den 2015-06-14 14:45:
>> On 2015-06-14 11:23:54 +0000, Jan-Erik Soderholm said:
>>
>> Not sure about the old postings that were included here.
>>
>>> Steven Schweda skrev den 2014-11-25 06:13:
>>>>> Have you checked if they fixed the transfer vectors to have exact case
>>>>> symbols with upper case aliases?
>>
>> As has undoubtedly been discussed before, I'd doubt that HP will do that
>> with their HP SSL kit and the 0.9.8 series.
>>
>> There is now a tool which allows exact-case applications to be linked and
>> to then utilize the HP-supplied uppercase shareable images: Shimmer.
>> <http://labs.hoffmanlabs.com/node/1906>
>>
>>>> I understand that an HP-supplied OpenSSL kit may be preferred over a
>>>> home-built OpenSSL kit, but I'd be (at least vaguely) interested in
>>>> whether one of the current OpenSSL version 1.0.x kits (from openssl.org)
>>>> provides the feature(s) you seek.  (Even the current 0.9.8xx kit might
>>>> do, if you don't want 64-bit pointers.)
>>
>> Current TLS is a common requirement.   All versions of SSL are broken;
>> SSLv1, SSLv2 and SSLv3.   Which means using TLS.   The TLSv1.0 provided by
>> OpenSSL 0.9.8 series and thus by HP SSL is itself older and is looking
>> rather weaker in general.   Some folks want or need the most current
>> negotiation frameworks and ciphers that are available, too. That's
>> TLSv1.2.
>
> That is also in line with the WASD documentation:
>
>  > As WASD uses the OpenSSL package in one distribution or another
>  > it largely supports all of the capability of that underlying package.
>  > The obsolete SSLv2, and the deprecated SSLv3 are no longer accepted by
>  > default. WASD defaults comprise the TLS family of protocols, at the
>  > time of writing, TLSv1, TLSv1.1 and TLSv1.2.
>
>
>>
>> With the HP SSL kit, there aren't all that many choices where you can get
>> what the Mozilla folks consider "intermediate" security
>> <https://wiki.mozilla.org/Security/Server_Side_TLS> using HP SSL, and you
>> can't get "modern" security with the HP SSL kit.
>>
>>>> Disclaimer: From time to time I poke around with OpenSSL on VMS, but I
>>>> typically don't keep up with the latest release(s), and I don't do much
>>>> with it in any case, so, although curious, I know nothing.
>>>>
>>>> From time to time I also tell myself that I should look at an HP source
>>>> kit to see how they do things, but that hasn't happened, either.
>>
>> I've not seen the sources for the HP 0.9.8-series kits.  AFAIK, releasing
>> that source code is not required, either.
>>
>>> I don't know much about OpenSSL/SSL, just noted a message from Mark
>>> Daniel today on the WASD mail list. The latest OpenSSL (1.0.2c, released
>>> 12-Jun-2015) https://www.openssl.org/ is now available as a kit for VMS
>>> (two days later!) https://wasd.vsm.com.au/wasd/
>>
>> This OpenSSL release was shipped 12-Jun-2015, and has fixes for an ABI
>> incompatibility that was introduced in OpenSSL 1.0.2b 11-Jun-2015.
>>
>> The most current 0.9.8 series OpenSSL 0.9.8zg was released 11-Jun-2015, and
>> I'd expect a new HP SSL kit later this month or more probably in early
>> July; the HP 0.9.8 ports seem to take about a month lately.
>>
>>> It says "specifically to support WASD", and I have no idea about how
>>> general this build is...
>>
>> The WASD SSL bits are built and organized for use by WASD.  The WASD bits
>> are also based on much newer OpenSSL bits than the HP SSL bits.
>>
>>> http://wasd.vsm.com.au/wasd_root/doc/features/features_0400.html
>>>
>>> WASD can at least use either the HP supplied 0.9.8.something, the 1.0.2c
>>> supplied by Mark or some locally supplied OpenSSL kit.
>>
>> Most of the providers are able to turn around the new OpenSSL releases
>> pretty quickly, for those providers that are still using OpenSSL and not
>> LibreSSL <http://www.libressl.org> or some other variant or fork or
>> implementation.
>>
>> n.b. The OpenSSL folks define what the OpenVMS interface looks like, too;
>> the order of the shareable image symbols.  They're one of the few (if not
>> the only) multi-platform portable open source projects that do that, too.
>>
>> n.b. The LibreSSL folks maintain a portable variant, in addition to the
>> core version that uses the security features of OpenBSD.
>>
>> n.b. The 0.9.8 series and the 1.0.0 series both go unsupported at the end
>> of this year; at the end of 2015.

I suppose this shows the problem with open source software. In my view 
there should be one single stable production version of OpenSSL, and 
that version should be ported to VMS. There shouldn't be an HP version 
and a WASD version for instance. Perhaps in future VSI will do a better 
job in supplying us with the most recent version.



