[Info-vax] VMS Integrity, SSL1 and SSL V1.4 coexistence
Rich Jordan
jordan at ccs4vms.com
Tue Jul 16 11:47:07 EDT 2019
On Monday, July 15, 2019 at 9:52:08 PM UTC-5, Stephen Hoffman wrote:
> On 2019-07-16 00:05:47 +0000, Rich Jordan said:
>
> > So is this just a documentation mess, and SSL1 really is a requirement?
>
> You've answered that yourself, but you can get the official answer
> directly from HPE. A call which will be answered by folks working at
> VSI given that's where HPE front-line support is reportedly provided
> now, BTW.
>
> I'm among the instigators of this, as I'd requested that the older and
> the newer SSL kits be able to coexist. This so that we didn't have to
> go through another upgrade-everything-at-once, akin to the SSL V1.3 to
> SSL V1.4 adventure.
>
> Here? Install both the most recent SSL kit and the most recent SSL1
> kit available to you, and whichever kit you want to be the default
> should be started second. I'd start up SSL1 second and use that,
> unless you have a good reason not to.
>
> There's little overlap here and apps can request the specific kit of
> interest using either SSL$mumble or SSL1$mumble, though there's one
> logical name—OPENSSL—that collides.
>
> The folks at VSI have only just started to drain the swamp here.
> OpenVMS V8.4-2L1 and V8.4-2L2 contain "the VSI way" of implementing
> TLS; the first few whacks toward better addressing this morass.
>
>
>
>
> The most recent SSL1 kits are based on OpenSSL 1.0.2r, when last I
> checked. OpenSSL 1.0.2s is current.
> SSL111 is available with TLSv1.3 support, and is based on OpenSSL
> 1.1.1b. OpenSSL 1.1.1c is current.
>
>
> HPE tended to trail on OpenSSL-related kits and availability.
> HPE ceases new-patches support in less than 18 months.
>
>
>
> Related previous discussions:
> https://groups.google.com/d/msg/comp.os.vms/x_VmkaAYEHw/uzw2u6FEBgAJ
> https://groups.google.com/d/msg/comp.os.vms/cdxwsxa9wwE/VAgtGo33BgAJ
>
> OpenSSL configuration generator and server-side TLS settings:
> https://ssl-config.mozilla.org
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Apropos of little else here, OpenSSH and not SSL:
> https://infosec.mozilla.org/guidelines/openssh
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC

SSL1 1.02o is the most recent kit I can find on the HPE site, while in the customer support account, anywhere (found in patch management).
So installing that prior to Update 14 on the test box; we'll see how it goes.
I don't see any SSL 1.4 ECOs, or versions newer than 1.4, until you get to VSI versions which per the spreadsheet are for V8.4-1H1, though since that is 'HPE's official position', it might work on V8.4 but they won't tell you. I'll recheck patch management to see what release notes might say.
Even in the relatively late 1.02o release kit, the weblinks inside for docs and overall SSL1 info are hijacked and crash into that damnable OpenVMS Systems Documentation Index Page PDF. The links are not all for documentation, but HPE just doesn't care.
Thank you for re-iterating the coexistence bits. We're going to try it with SSL V1.4 being the default at first, unless that causes management issues.
Thanks for replying
Rich