[Info-vax] OpenSSL CSWS-2.2-1

terry-groups at glaver.org terry-groups at glaver.org
Sat Apr 6 18:54:13 EDT 2019


On Saturday, April 6, 2019 at 1:24:05 PM UTC-4, Stephen Hoffman wrote:
> The current OpenVMS CSWS version is based on Apache HTTP Server V2.4-38.

Is it really that up-to-date? I'd be amazed. A Google search for "OpenVMS CSWS" leads me to https://support.hpe.com/hpsc/doc/public/display?docId=a00058394en_us which says it is based on Apache 2.0.65, and took apparently nearly a year and a half (based on June 2013 release date from the Apache Foundation and an October 2014 date on the HP release notes).

This would seem to be the perfect candidate to be turned over to freeware developers. There will always be sites that insist on running only "vendor released" software, but an actual security audit that finds a site running such horribly out-of-date and known-insecure software will likely cause a re-think of that. Plus, there's no reason that a vendor couldn't receive and review updates from a freeware developer and examine them (the differences should be small if this is done for each release) and then produce a signed version if desired by their customers.

The three things I think HP got wrong (and Compaq and DEC before them) are:

1) Thinking that "port once and done" is a workable solution, and when they find out it isn't, making another "port once and done" effort. This is something that needs to continuously track the upstream branch.

2) Assigning (apparently) arbitrary version numbers instead of using the upstream version number (possibly with a suffix like "-VMS1", "-VMS2", etc. if multiple VMS releases against the same upstream version are needed (which shouldn't happen if the upstream releases are being tracked regularly)).

3) Producing incompatible releases of various upstream packages that are supposed to work together. I've read many posts where people say that package A requires OpenSSL X, but package B requires OpenSSL Y which has a different API than OpenSSL X.

Back on the general topic of deprecated crypto libraries, some people may find my blog post "Is no crypto always better than bad crypto?" that I wrote over 3 years ago interesting: https://www.glaver.org/blog/?p=853
