[Info-vax] VMS Integrity, SSL1 and SSL V1.4 coexistence
Rich Jordan
jordan at ccs4vms.com
Tue Jul 16 14:06:52 EDT 2019
On Monday, July 15, 2019 at 9:52:08 PM UTC-5, Stephen Hoffman wrote:
> On 2019-07-16 00:05:47 +0000, Rich Jordan said:
>
> > So is this just a documentation mess, and SSL1 really is a requirement?
>
> You've answered that yourself, but you can get the official answer
> directly from HPE. A call which will be answered by folks working at
> VSI given that's where HPE front-line support is reportedly provided
> now, BTW.
>
> I'm among the instigators of this, as I'd requested that the older and
> the newer SSL kits be able to coexist. This so that we didn't have to
> go through another upgrade-everything-at-once, akin to the SSL V1.3 to
> SSL V1.4 adventure.
>
> Here? Install both the most recent SSL kit and the most recent SSL1
> kit available to you, and whichever kit you want to be the default
> should be started second. I'd start up SSL1 second and use that,
> unless you have a good reason not to.
>
> There's little overlap here and apps can request the specific kit of
> interest using either SSL$mumble or SSL1$mumble, though there's one
> logical name—OPENSSL—that collides.
>
> The folks at VSI have only just started to drain the swamp here.
> OpenVMS V8.4-2L1 and V8.4-2L2 contain "the VSI way" of implementing
> TLS; the first few whacks toward better addressing this morass.
>
> The most recent SSL1 kits are based on OpenSSL 1.0.2r, when last I
> checked. OpenSSL 1.0.2s is current.
> SSL111 is available with TLSv1.3 support, and is based on OpenSSL
> 1.1.1b. OpenSSL 1.1.1c is current.
>
>
> HPE tended to trail on OpenSSL-related kits and availability.
> HPE ceases new-patches support in less than 18 months.
>
> Related previous discussions:
> https://groups.google.com/d/msg/comp.os.vms/x_VmkaAYEHw/uzw2u6FEBgAJ
> https://groups.google.com/d/msg/comp.os.vms/cdxwsxa9wwE/VAgtGo33BgAJ
>
> OpenSSL configuration generator and server-side TLS settings:
> https://ssl-config.mozilla.org
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Apropos of little else here, OpenSSH and not SSL:
> https://infosec.mozilla.org/guidelines/openssh
>
> --
> Pure Personal Opinion | HoffmanLabs LLC
Case opened with HPE