[Info-vax] OpenSSL CSWS-2.2-1

[Bill Gunshannon]

On 3/14/19 12:36 PM, Neil Rieck wrote:
> Everyone reading this already knows that HP (now HPE) used to provide free updates for CSWS (a.k.a. Apache for OpenVMS) modules including SSL, Java, PHP, etc. All of those web pages have been redirected to the common OpenVMS landing page so I guess we can assume that those days are over.
> 
> However, life goes on and I just learned that all major browsers are going to disable TLS-1.0 and TLS-1.1 sometime in 2020. Here are a few links which shine more light on the announcement.
> 
> https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/
> 
> https://www.cso.com.au/article/648261/tls-1-0-1-1-will-disabled-edge-ie-chrome-firefox-safari-2020/
> 
> https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
> 
> Now 2020 seems a long way off but web developers at my employer's company are already seeing TLS-1.0 and TLS-1.1 warnings in the AJAX transport associated with "Developer Tools" in Chrome v73 so I suggest that anyone with an OpenVMS support contract at HPE contact them for support (previously they just send out a new version of file "mod_ssl.exe"). I just filed a support request with them this morning.

This is only peripherally related to VMS but it is a case of
the same effect.  In talking about long term support (something
VMS is still claimed to have) it has been mentioned that MicroSoft
has sold longer term use of EOLed OSes like XP and Vista.  Well,
being probably one of the last US users of either of these OSes
(mostly Vista!)  I have run in to  a similar problem as the one
stated above.  None of the currently popular Web Browsers are
doing any versions for XP or Vista.  What good is continued
vendor support of an OS if application support has been terminated?
Isn't this the same problem VMS users are going to start seeing
because of so much being so far behind the current standards of
the industry?

bill