[Info-vax] VSI STunnel question

Duncan Morris duncanjmmorris at gmail.com
Wed Apr 12 15:52:27 EDT 2023


On Wednesday, 12 April 2023 at 17:02:47 UTC+1, Rich Jordan wrote:
> On Tuesday, April 11, 2023 at 2:49:08 PM UTC-5, Duncan Morris wrote: 
> > On Tuesday, 11 April 2023 at 15:33:55 UTC+1, Rich Jordan wrote: 
> > > Got a customer moving from HP VMS (Integrity) to VSI. They currently use STunnel-4_20 from HP with SSL1 V1.0.20 (OpenSSL 1.0.2o), and a test upgrade to VSI VMS without updating SSL1 has it working in the same environment. This is using self signed certs (CA on VMS) and strictly within the company's networks. 
> > > 
> > > The VSI STunnel V5.56 says it was built with OpenSSL V1.1.1g and statically linked. The package does NOT list SSL/SSL1 as a prereq in the release notes; does that mean it should work as a standalone package without regard to the version of SSL/SSL1 installed (or if SSL/SSL1 is even installed at all)? 
> > > 
> > > I'm waiting on the customer to provide their VSI support info, so asking here first. Thanks! 
> > As it is statically linked, there is no call out to the SSL shareable images. Rather all the required SSL modules are already included in the image, leaving no pre-requisites. 
> > I understand that the next VSI stunnel release will be statically linked with SSL 3.0.x. 
> > 
> > I personally maintain a port of stunnel for OpenVMS for our customers. I used to link the image dynamically against the shareable SSLx images. However, as the clients vary widely in their installed levels of SSL/SSL1/SSL3, I now link our image statically with SSL3 and am able to implement it regardless of the client's patch levels.
> Thanks for replying. 
> 
> We installed it on the test server and aimed it at the existing certs, and it looks like we'll have to build a new CA and generate new certs. The new Stunnel won't start with what we have, complaining about 
> ":SSL routines:SSL_CTX_use_certificate:ca md too weak". 
> 
> The existing server certs are only good for 4 more months and are the only ones using this in-house CA so it's not a major issue, just an additional to-do. Hopefully the SSL1 on VMS procedures haven't changed too much so the docs we wrote up last time are still valid. 
> 
> Thanks

Rich, I would recommend checking out the stunnel manual for several new parameters relating to security.
https://www.stunnel.org/static/stunnel.html

Particularly look at the new securityLevel = LEVEL option. The default setting is probably responsible for complaining about the existing CA and certs.
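A quick way to confirm that the "ca md too weak" failure comes from the CA's signature digest rather than from a config problem is to read the signatureAlgorithm OID out of the CA certificate and compare its security bits against the level stunnel's securityLevel hands to OpenSSL. The script below is an added example for this thread, not code from stunnel, VSI or HP. It assumes OpenSSL's published rules: a digest scores digest-size*4 security bits (MD5 64, SHA-1 80, SHA-256 128), level 1 (the OpenSSL 1.1.1 default) requires 80 bits and level 2 requires 112; it also assumes the certificate is a standard DER or PEM X.509 file. The cert-shaped DER blobs it builds for its own test are constructed, with a dummy tbsCertificate and signature, and stand in for real certificates only so the parser can be exercised offline.

```python
"""Report which digest signed an X.509 certificate and whether OpenSSL's
security level would accept it. Standard library only: this walks just the
outer Certificate SEQUENCE, it is not a general X.509 parser.
Added example, not part of stunnel or OpenVMS SSL1."""
import base64
import re
import sys

# signatureAlgorithm OIDs -> (digest, key type); the common RSA/ECDSA set
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "RSA"),
    "1.2.840.113549.1.1.5": ("sha1", "RSA"),
    "1.2.840.113549.1.1.11": ("sha256", "RSA"),
    "1.2.840.113549.1.1.12": ("sha384", "RSA"),
    "1.2.840.113549.1.1.13": ("sha512", "RSA"),
    "1.2.840.10045.4.1": ("sha1", "ECDSA"),
    "1.2.840.10045.4.3.2": ("sha256", "ECDSA"),
    "1.2.840.10045.4.3.3": ("sha384", "ECDSA"),
    "1.2.840.10045.4.3.4": ("sha512", "ECDSA"),
}
# OpenSSL rates a signature digest at digest_size * 4 security bits
DIGEST_BITS = {"md5": 64, "sha1": 80, "sha256": 128, "sha384": 192, "sha512": 256}
# Minimum bits per OpenSSL security level (SSL_CTX_set_security_level)
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def der_tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM or DER bytes, return DER."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_oid(cert):
    """Return the dotted OID of the outer signatureAlgorithm of a certificate."""
    cert = pem_to_der(cert)
    tag, start, _, _ = der_tlv(cert, 0)            # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, _, pos = der_tlv(cert, start)            # skip tbsCertificate
    tag, alg_start, _, _ = der_tlv(cert, pos)      # signatureAlgorithm SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end, _ = der_tlv(cert, alg_start)   # algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(cert[oid_start:oid_end])


def assess(cert, level=1):
    """Classify the cert's signature digest against an OpenSSL security level."""
    oid = signature_oid(cert)
    digest, key = SIG_OIDS.get(oid, ("unknown", "unknown"))
    bits = DIGEST_BITS.get(digest, 0)
    return {"oid": oid, "digest": digest, "key": key, "secbits": bits,
            "accepted": bits >= LEVEL_MIN_BITS[level]}


# --- constructed test material (not real certificates) ---------------------
def der(tag, body):
    """Encode a DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Dotted OID -> DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Constructed cert-shaped DER: real outer layout, dummy tbs and signature."""
    tbs = der(0x30, der(0x02, b"\x02"))                      # placeholder tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00\x00")                             # empty BIT STRING
    return der(0x30, tbs + alg + sig)


def to_pem(der_bytes):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes)
            + b"\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else fake_cert("1.2.840.113549.1.1.4")
    for lvl in (1, 2):
        print(lvl, assess(data, level=lvl))
```

Run it as `python check_sig.py ca.pem` against the in-house CA certificate: an MD5-signed CA shows `accepted: False` at level 1, which matches the error Rich saw, while a SHA-1 CA passes level 1 but fails level 2. Note that OpenSSL 3.0 (the version the next VSI stunnel is said to be linked against) additionally refuses SHA-1 certificate signatures at level 1, so re-issuing the CA and server certs with SHA-256, as Rich already plans, is the durable fix; lowering securityLevel only postpones it.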