[Info-vax] OpenSSL CSWS-2.2-1

[Neil Rieck]

On Saturday, April 6, 2019 at 1:24:05 PM UTC-4, Stephen Hoffman wrote:
> On 2019-04-06 12:32:57 +0000, Neil Rieck said:
> 
> > Strictly as an emergency backup plan, I've been working on trial to 
> > replace CSWS-2.2-1 with WASD-11.
> 
> The current OpenVMS CSWS version is based on Apache HTTP Server V2.4-38.
> 
> Apache HTTP Server 2.4-39 is current.
> 
> List of security issues identified in the 2.4 series, including in 2.4-38:
> https://httpd.apache.org/security/vulnerabilities_24.html
> 
> Building a new version of Apache on OpenVMS is somewhat of a project, 
> though it's possible.
> 
> Updating OpenSSL TLS would usually be a smaller project within an 
> existing Apache port, so long as the software versions involved aren't 
> too skewed.
> 
> Per Apache, "Apache HTTP Server version 2.4.39 or newer is required in 
> order to operate a TLS 1.3 web server with OpenSSL 1.1.1."
> 
> Also per Apache, "Please note the 2.2.x branch has now passed the end 
> of life at the Apache HTTP Server project and no further activity will 
> occur including security patches."
> 
> "Y2K20"?  Obfuscare, err, obfuscate much?  Why not MMXX?  🤪
> 
> 
> 
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

The current version of CSWS for OpenVMS from HPE is based upon Apache 2.0.63

The current version of CSWS for OpenVMS from VSI is based upon Apache 2.4.12 according to this link.

We attempted to move support from HPE to VSI last year but our management would not approve the purchase of software relicensing by VSI. If they had then I would not find myself in this dilemma; which is why I'm experimenting with WASD.

p.s. managers are always moving around. There is a high likelihood that when dung-hits-the-fan next year, they'll be gone and I'll be blamed for not having a workaround waiting in the wings. A career limiting situation indeed.

Neil Rieck
Waterloo, Ontario, Canada.
http://neilrieck.net