[Info-vax] VSI STunnel question

Rich Jordan jordan at ccs4vms.com
Wed Apr 12 12:02:44 EDT 2023


On Tuesday, April 11, 2023 at 2:49:08 PM UTC-5, Duncan Morris wrote:
> On Tuesday, 11 April 2023 at 15:33:55 UTC+1, Rich Jordan wrote: 
> > Got a customer moving from HP VMS (Integrity) to VSI. They currently use STunnel-4_20 from HP with SSL1 V1.0.20 (OpenSSL 1.0.2o), and a test upgrade to VSI VMS without updating SSL1 has it working in the same environment. This is using self signed certs (CA on VMS) and strictly within the company's networks. 
> > 
> > The VSI STunnel V5.56 says it was built with OpenSSL V1.1.1g and statically linked. The package does NOT list SSL/SSL1 as a prereq in the release notes; does that mean it should work as a standalone package without regard to the version of SSL/SSL1 installed (or if SSL/SSL1 is even installed at all)? 
> > 
> > I'm waiting on the customer to provide their VSI support info, so asking here first. Thanks!
> As it is statically linked, there is no call out to the SSL shareable images. Rather all the required SSL modules are already included in the image, leaving no pre-requisites. 
> I understand that the next VSI stunnel release will be statically linked with SSL 3.0.x. 
> 
> I personally maintain a port of stunnel for OpenVMS for our customers. I used to link the image dynamically against the shareable SSLx images. However, as the clients vary widely in their installed levels of SSL/SSL1/SSL3, I now link our image statically with SSL3 and am able to implement it regardless of the client's patch levels.

Thanks for replying.

We installed it on the test server and aimed it at the existing certs, and it looks like we'll have to build a new CA and generate new certs.  The new Stunnel won't start with what we have, complaining about 
":SSL routines:SSL_CTX_use_certificate:ca md too weak".

The existing server certs are only good for 4 more months and are the only ones using this in-house CA so it's not a major issue, just an additional to-do.  Hopefully the SSL1 on VMS procedures haven't changed too much so the docs we wrote up last time are still valid.

Thanks
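
The "ca md too weak" failure above is OpenSSL refusing a certificate whose signature digest falls below its security level, so before rebuilding the CA it helps to list which existing certificates carry such a digest. The following is an added example, not part of the original post and not stunnel or VSI code: a standard-library Python check that reads the signatureAlgorithm from a PEM or DER certificate. Treating MD5 and SHA-1 as the digests to re-issue is an assumption (the post does not say which digest the old CA used), and the function names and sample bytes are constructed for illustration.

```python
import base64, re

# DER-encoded signatureAlgorithm OIDs -> (name, digest); RFC 3279, 4055, 5758.
SIG_ALGS = {
    "2a864886f70d010104": ("md5WithRSAEncryption", "md5"),
    "2a864886f70d010105": ("sha1WithRSAEncryption", "sha1"),
    "2a8648ce3d0401": ("ecdsa-with-SHA1", "sha1"),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", "sha256"),
    "2a8648ce3d040302": ("ecdsa-with-SHA256", "sha256"),
}
LEGACY_DIGESTS = {"md5", "sha1"}  # assumption: digests flagged for re-issue

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm(cert):
    """cert is PEM text or DER bytes; returns (algorithm name, digest)."""
    if isinstance(cert, str):
        m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
        if not m:
            raise ValueError("no PEM certificate found")
        cert = base64.b64decode(m.group(1))
    tag, start, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)      # step over tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)  # signatureAlgorithm SEQUENCE
    oid_tag, o_start, o_end = read_tlv(cert, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    return SIG_ALGS.get(cert[o_start:o_end].hex(), ("unknown", "unknown"))

def needs_reissue(cert):
    return signature_algorithm(cert)[1] in LEGACY_DIGESTS

def der(tag, body):  # short-form lengths suffice for the constructed sample
    return bytes([tag, len(body)]) + body

def constructed_sample(oid_hex):
    """Constructed certificate-shaped skeleton, not a valid certificate."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return der(0x30, der(0x30, der(0x02, b"\x01")) + alg + der(0x03, b"\x00\xaa"))

for oid_hex in ("2a864886f70d010104", "2a864886f70d01010b"):
    print(signature_algorithm(constructed_sample(oid_hex)))
```

Run it over the CA certificate as well as each server certificate; an "unknown" result means the OID is not in the table and should be checked by hand.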





