[Info-vax] VSI OpenSSL SSL111-V0101-1S and AXPVMS-SSL3-V0300-7
Mark Daniel
mark.daniel at wasd.vsm.com.au
Fri Dec 30 18:11:51 EST 2022
TL;DR The latest VSI OpenSSL kits should be fine for pre-V8.4 systems.
Recently OpenSSL eliminated a VMS V8.4 dependency for their build.
https://github.com/openssl/openssl/pull/18730#issue-1295104363
This has migrated into the OpenSSL 1.1.1s and 3.0.7 releases recently
built and released by VSI as
https://vmssoftware.com/products/ssl111/
https://vmssoftware.com/products/ssl3/
The show-stopping ACCVIO access to $GETTIM_PREC on pre-V8.4 systems no
longer happens if the earlier VSI kits were (experimentally) forced to
install.
This means that systems not ungraded/upgradable to V8.4 may have access
to the latest OpenSSL releases and fixes.
To prove this to myself the kits were both successfully applied, passed
IVP, and the OPENSSL application used to access eisner.decus.org, on an
OpenVMS Alpha V8.3 system (the least recent version I have access to).
YMMV with even earlier VMS versions.
> |------------------------------------ ----------- ----------- --- -----------
> |PRODUCT KIT TYPE OPERATION VAL DATE
> |------------------------------------ ----------- ----------- --- -----------
>
> |DEC AXPVMS VMS V8.3 Oper System Install (U) 10-JAN-2013
>
> |VSI AXPVMS SSL3 V3.0-7 Full LP Install (M) 30-DEC-2022
> |VSI AXPVMS SSL111 V1.1-1S Full LP Install (M) 30-DEC-2022
The only catch is (presumably) a VSI oversight in the PRODUCT INSTALL
that warns the product is only suitable for VMS V8.4, "Terminating is
strongly recommended. Do you want to terminate?". I replied "no" and
as described above the kits installed, passed IVP, finishing with a
warning, "operation completed after explicit continuation from errors".
Below are the (slightly redacted) installations of SSL111 and SSL3 along
with CLI demonstrations.
> |$ product install ssl111
> |
> |Performing product kit validation of signed kits ...
> |
> |%PCSI-W-NOVALDONE, cannot validate ***:[***]VSI-AXPVMS-SSL111-V0101-1S-1.PCSI$COMPRESSED;1
> |-PCSI-W-NOMANFILE, associated manifest file was not found in source directory
> |Do you want to continue? [NO] y
> |
> |The following product has been selected:
> | VSI AXPVMS SSL111 V1.1-1S Layered Product
> |
> |Do you want to continue? [YES]
> |
> |Configuration phase starting ...
> |
> |You will be asked to choose options, if any, for each selected product and for
> |any products that may be installed to satisfy software dependency requirements.
> |
> |Configuring VSI AXPVMS SSL111 V1.1-1S: SSL111 for OpenVMS AXP V1.1-1S (Based on OpenSSL 1.1.1S)
> |
> | Copyright 2022 VMS Software, Inc.
> |
> |Do you want the defaults for all options? [YES]
> |
> |Do you want to review the options? [NO]
> |
> |Execution phase starting ...
> |
> |The following product will be installed to destination:
> | VSI AXPVMS SSL111 V1.1-1S DISK$*****_SYS:[VMS$COMMON.]
> |
> |Minimum OpenVMS ALPHA software not found on system, abort installation
> |
> |This kit requires a minimum OpenVMS ALPHA version of V8.4-2L1.
> |
> |Terminating is strongly recommended. Do you want to terminate? [YES] no
> |
> |Portion done: 0%...10%...30%...50%...60%...70%...80%...90%...100%
> |
> |The following product has been installed:
> | VSI AXPVMS SSL111 V1.1-1S Layered Product
> |
> |%PCSI-I-IVPEXECUTE, executing test procedure for VSI AXPVMS SSL111 V1.1-1S ...
> |%PCSI-I-IVPSUCCESS, test procedure completed successfully
> |
> |VSI AXPVMS SSL111 V1.1-1S: SSL111 for OpenVMS AXP V1.1-1S (Based on OpenSSL 1.1.1S)
> |
> | Review the Installation Guide and Release Notes for post install directions.
> |
> | Review the Installation Guide and Release Notes for post upgrade verification suggestions.
> |
> | Refer to SYS$HELP:SSL111-S-AXP.RELEASE_NOTES for more information.
> |%PCSIUI-I-COMPWERR, operation completed after explicit continuation from errors
And works in the real world ...
> |$ @SSL111$ROOT:[COM]SSL111$UTILS.COM
> |$ openssl version
> |OpenSSL 1.1.1s 1 Nov 2022
> |SSL111 for OpenVMS V1.1(1S) Dec 14 2022
> |$ openssl s_client -connect eisner.decus.org:443
> |CONNECTED(00000003)
> |
> |depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> |verify error:num=20:unable to get local issuer certificate
> |verify return:1
> |depth=1 C = US, O = Let's Encrypt, CN = R3
> |verify return:1
> |depth=0 CN = eisner.decus.org
> |verify return:1
> 8< snip 8<
> |---
> |read R BLOCK
> |closed
And OpenSSL version 3 ...
> 8< snip 8<
> |The following product has been selected:
> | VSI AXPVMS SSL3 V3.0-7 Layered Product
> |
> |Do you want to continue? [YES]
> |
> |Configuration phase starting ...
> |
> |You will be asked to choose options, if any, for each selected product and for
> |any products that may be installed to satisfy software dependency requirements.
> |
> |Configuring VSI AXPVMS SSL3 V3.0-7: SSL3 for OpenVMS AXP V3.0-7 (Based on OpenSSL 3.0.7)
> |
> | Copyright 2022 VMS Software, Inc.
> 8< snip 8<
> |%PCSI-I-IVPEXECUTE, executing test procedure for VSI AXPVMS SSL3 V3.0-7 ...
> |%PCSI-I-IVPSUCCESS, test procedure completed successfully
> 8< snip 8<
> |%PCSIUI-I-COMPWERR, operation completed after explicit continuation from errors
>
> |$ @SSL3$ROOT:[COM]SSL3$UTILS.COM
> |$ openssl version
> |OpenSSL 3.0.7 9 Nov 2022 (Library: OpenSSL 3.0.7 9 Nov 2022)
> |SSL3 for OpenVMS V3.0(7) Dec 14 2022 (Library: SSL3 for OpenVMS V3.0(7) Dec 14 2022)
> |$ openssl s_client -connect eisner.decus.org:443
> |CONNECTED(00000003)
> |
> |depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> |verify error:num=20:unable to get local issuer certificate
> |verify return:1
> |depth=1 C = US, O = Let's Encrypt, CN = R3
> |verify return:1
> |depth=0 CN = eisner.decus.org
> |verify return:1
> 8< snip 8<
> |---
> |read R BLOCK
> |closed
--
Anyone, who using social-media, forms an opinion regarding anything
other than the relative cuteness or this or that puppy-dog, needs
seriously to examine their critical thinking.
More information about the Info-vax
mailing list