[Info-vax] VMS Integrity, SSL1 and SSL V1.4 coexistence
Rich Jordan
jordan at ccs4vms.com
Tue Jul 16 16:18:27 EDT 2019
On Tuesday, July 16, 2019 at 1:06:53 PM UTC-5, Rich Jordan wrote:
> On Monday, July 15, 2019 at 9:52:08 PM UTC-5, Stephen Hoffman wrote:
> > On 2019-07-16 00:05:47 +0000, Rich Jordan said:
> >
> > > So is this just a documentation mess, and SSL1 really is a requirement?
> >
> > You've answered that yourself, but you can get the official answer
> > directly from HPE. A call which will be answered by folks working at
> > VSI given that's where HPE front-line support is reportedly provided
> > now, BTW.
> >
> > I'm among the instigators of this, as I'd requested that the older and
> > the newer SSL kits be able to coexist. This so that we didn't have to
> > go through another upgrade-everything-at-once, akin to the SSL V1.3 to
> > SSL V1.4 adventure.
> >
> > Here? Install both the most recent SSL kit and the most recent SSL1
> > kit available to you, and whichever kit you want to be the default
> > should be started second. I'd start up SSL1 second and use that,
> > unless you have a good reason not to.
> >
> > There's little overlap here and apps can request the specific kit of
> > interest using either SSL$mumble or SSL1$mumble, though there's one
> > logical name—OPENSSL—that collides.
> >
> > The folks at VSI have only just started to drain the swamp here.
> > OpenVMS V8.4-2L1 and V8.4-2L2 contain "the VSI way" of implementing
> > TLS; the first few whacks toward better addressing this morass.
> >
> >
> >
> >
> > The most recent SSL1 kits are based on OpenSSL 1.0.2r, when last I
> > checked. OpenSSL 1.0.2s is current.
> > SSL111 is available with TLSv1.3 support, and is based on OpenSSL
> > 1.1.1b. OpenSSL 1.1.1c is current.
> >
> >
> > HPE tended to trail on OpenSSL-related kits and availability.
> > HPE ceases new-patches support in less than 18 months.
> >
> >
> >
> > Related previous discussions:
> > https://groups.google.com/d/msg/comp.os.vms/x_VmkaAYEHw/uzw2u6FEBgAJ
> > https://groups.google.com/d/msg/comp.os.vms/cdxwsxa9wwE/VAgtGo33BgAJ
> >
> > OpenSSL configuration generator and server-side TLS settings:
> > https://ssl-config.mozilla.org
> > https://wiki.mozilla.org/Security/Server_Side_TLS
> >
> > Apropos of little else here, OpenSSH and not SSL:
> > https://infosec.mozilla.org/guidelines/openssh
> >
> >
> > --
> > Pure Personal Opinion | HoffmanLabs LLC
>
> Case opened with HPE
Per HPE there is no documented recommended installation order. And as long as we download the ECO kits direct from HPE, don't worry about validation.
There is a newer STunnel kit, it still calls out as V4.2 but the release notes indicate support for SSL1 but not for SSL V1.4. I imagine it's the one that was on their website until HPE rolled up the doormat and locked the door on VMS info.
There are newer kits than SSL1 V1.0-2o but they are for VSI versions only.
Just FYIs