[Info-vax] OpenSSL CSWS-2.2-1
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Mar 14 14:26:28 EDT 2019
On 2019-03-14 16:36:33 +0000, Neil Rieck said:
> Everyone reading this already knows that HP (now HPE) used to provide
> free updates for CSWS (a.k.a. Apache for OpenVMS) modules including
> SSL, Java, PHP, etc. All of those web pages have been redirected to the
> common OpenVMS landing page so I guess we can assume that those days
> are over.
>
> However, life goes on and I just learned that all major browsers are
> going to disable TLS-1.0 and TLS-1.1 sometime in 2020.

Upgrade to VSI OpenVMS.

For not the first time this has been mentioned, HPE is exiting the
OpenVMS new-patch business at the end of 2020.

Or port at least the web front-end to a different platform with a more
current web server.

With TLSv1.3 now available, all TLS prior to TLSv1.2 is headed for scrap.

I'm already routinely encountering minimal SSL connection requirements
for TLSv1.2 for connections, and the deprecation of all earlier SSL/TLS
connections.

As for the SSL and SSL1 kits, the foundation of SSL1 is OpenSSL 1.0.2
(LTS) and that is end-of-life at the end of this year. AFAIK, neither
HPE nor VSI offers the current 1.1.1 release as yet.

https://www.openssl.org/policies/releasestrat.html

While discussing certs and security with HPE, check whether the secure
delivery certificates have been updated, too. (I don't have a
currently-patched HPE OpenVMS V8.4 server handy to check.) The
longstanding (current?) HPE public cert will expire at the end of 2028,
which means that PCSI PRODUCT INSTALL and VMSINSTAL will start to fail
then absent various workarounds, which means y'all have until the end
of 2020 when new-patches support ends to get HPE to re-issue the root
public cert. HPE and VSI both updated to higher-level security, but I
don't recall HPE having re-issued the secure delivery root public cert
with an extended date.

--
Pure Personal Opinion | HoffmanLabs LLC