HP OpenVMS Systems

SSL (Secure Sockets Layer)



HP SSL for OpenVMS

HPE is glad to announce the release and general availability of HP SSL1 V 1.0 (based on the OpenSSL V1.0.2 stream) to all our customers as of 18th Dec 2015.

Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function.

Securing communication channels to OpenVMS applications over a TCP/IP connection can be accomplished through the use of SSL. The OpenSSL APIs establish private, authenticated and reliable communications links between applications.

NOTE: HPE recommends that all customers migrate to HP SSL1 V 1.0 (based on the OpenSSL V1.0.2 stream) before 31st March 2016. If you require assistance with your migration activities, please contact an HPE representative.

If your migration activities are expected to extend beyond 31st March 2016, please let the HPE representative know by 31st January 2016.

After this migration window, OpenVMS engineering will be able to support customers only on HP SSL1 V 1.0 (based on the OpenSSL V1.0.2 stream). After 31st December 2015, the OpenSSL community will not support the V 0.9.8 stream. Hence HP SSL 1.4, which is based on the OpenSSL V 0.9.8 stream, will not receive any security fixes.

Hewlett Packard Enterprise is pleased to provide you with the HPE-supported HPE SSL1 Version 1.0-2L for OpenVMS, which is based on OpenSSL 1.0.2C and includes the following security updates from OpenSSL.org.

»  Download HPE SSL1 Version 1.0-2L for OpenVMS Integrity servers   (July 2017)
HPE SSL1 Version 1.0-2L for OpenVMS Integrity servers is not backward compatible with HP SSL Version 1.4 or earlier versions.

Vulnerabilities CVE/CAN:
CVE-2017-3731
CVE-2017-3732
CVE-2016-7052
CVE-2016-6304
CVE-2016-2183
CVE-2016-6303
CVE-2016-6302
CVE-2016-2182
CVE-2016-2180
CVE-2016-2177
CVE-2016-2178
CVE-2016-2179
CVE-2016-2181
CVE-2016-6306

»  Download HPE SSL Version 1.4-0503 for OpenVMS Integrity servers and Alpha   (February, 2016)
HPE SSL Version 1.4-0503 for OpenVMS Alpha and Integrity servers is based on OpenSSL 0.9.8zh.

»  Download HPE SSL1 Version 1.0-2H for OpenVMS Integrity servers and Alpha   (July, 2016)
HPE SSL1 Version 1.0-2H for OpenVMS Alpha and Integrity servers is not backward compatible with HP SSL Version 1.4 or earlier versions.

From HPE SSL1 V1.0-2H, all SSLv2 methods, Weak Ciphers and EXPORT Ciphers are disabled.

Applications using SSLv2 methods need appropriate modifications. Here is an excerpt from “Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)”

http://openssl.org/news/secadv/20160301.txt

For more information, see the “Release Notes” section of the Installation Guide and Release Notes.
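Because SSLv2 methods and EXPORT ciphers are disabled from V1.0-2H, application sources can be checked for them before migrating. The following audit script is an added example, not HPE or OpenSSL code; it looks for the OpenSSL `SSLv2_*method` constructors and for EXPORT selectors in literal cipher strings, and its sample input is constructed. The page does not enumerate the "weak" ciphers, so those are not checked.

```python
import re

# Comments, string literals and character literals in C source.
TOKEN = re.compile(r"/\*.*?\*/|//[^\n]*" r'|"(?:\\.|[^"\\\n])*"'
                   r"|'(?:\\.|[^'\\\n])+'", re.S)
# SSLv2-only method constructors from the OpenSSL API.
SSLV2_CALL = re.compile(r"\b(SSLv2_(?:client_|server_)?method)\s*\(")
# Cipher-list setters called with a literal cipher string.
CIPHER_CALL = re.compile(r'\bSSL(?:_CTX)?_set_cipher_list\s*\([^,()]*,\s*"([^"]*)"')
# OpenSSL cipher-string aliases that select EXPORT suites.
EXPORT_ALIASES = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}

def mask(src, keep_strings):
    """Blank out comments (and optionally literals), preserving line breaks."""
    def repl(m):
        tok = m.group(0)
        if keep_strings and tok[0] in "\"'":
            return tok
        return re.sub(r"[^\n]", " ", tok)
    return TOKEN.sub(repl, src)

def audit(src):
    """Return sorted (line, kind, detail) findings for one C source text."""
    findings = []
    code = mask(src, keep_strings=False)   # ignore calls named in comments/strings
    for m in SSLV2_CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, "sslv2-method", m.group(1)))
    with_strings = mask(src, keep_strings=True)
    for m in CIPHER_CALL.finditer(with_strings):
        line = with_strings.count("\n", 0, m.start()) + 1
        for tok in re.split(r"[:, ]+", m.group(1)):
            if tok[:1] in "!-":            # exclusions (and empty tokens) are fine
                continue
            if any(p in EXPORT_ALIASES or p.startswith("EXP-") for p in tok.split("+")):
                findings.append((line, "export-cipher", tok))
    return sorted(findings)

# Constructed sample input, not taken from any real application.
SAMPLE = r'''/* old: ctx = SSL_CTX_new(SSLv2_method()); */
SSL_CTX *ctx = SSL_CTX_new(SSLv2_client_method());
puts("SSLv2_method() is gone");
SSL_CTX_set_cipher_list(ctx, "HIGH:EXP-RC4-MD5:!EXPORT40");
'''

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Cipher strings assembled at run time or read from configuration files are outside what this static check sees and need a separate review.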



Vulnerabilities CVE/CAN:

For more information on OpenSSL, visit the OpenSSL website: www.openssl.org

The vulnerabilities addressed in different versions of OpenSSL are located at https://www.openssl.org/news/vulnerabilities.html



HP SSL1 V1.0 is not Backward Compatible with HP SSL V1.4 and 1.3!

The HPE SSL1 Version 1.0-2H for OpenVMS is based on the 1.0.2G base level of OpenSSL and is not backward compatible with the earlier HP SSL V1.4 and 1.3 versions.

HPE SSL1 V1.0 and HP SSL V1.4 can coexist on the same system because the product names are different. The executable images, shareable files, include files and other files shipped with these kits also have different naming conventions and locations. For more information, see the HPE SSL1 Version 1.0-2H for OpenVMS Installation Guide and Release Notes.



HP SSL V1.4 is not Backward Compatible with HP SSL V1.3!

HP SSL Version 1.4 for OpenVMS is based on the 0.9.8h base level of OpenSSL. Some of the OpenSSL APIs, data structures and commands have changed from the previous HP SSL Version 1.3 (based on OpenSSL 0.9.7e).

If you were running a version of HP SSL prior to Version 1.4 and your application depends on SSL, you must recompile and re-link your code after you upgrade to Version 1.4.

You must recompile and re-link your code with the latest SSL header files and shareable images if you see the following error:

    $ run ssl_test
    %DCL-W-ACTIMAGE, error activating image SSL$LIBSSL_SHR32
    -CLI-E-IMGNAME, image file
    DWLLNG$DKA500:[SYS0.SYSCOMMON.][SYSLIB]SSL$LIBSSL_SHR32.EXE
    -SYSTEM-F-SHRIDMISMAT, ident mismatch with shareable image
    $

For information about installing HP SSL Version 1.4 and HP SSL Version 1.3, see the HP SSL Installation Guide and Release Notes.

» If application migration from HP OpenVMS SSL V1.3 to V1.4 is not possible immediately, a temporary workaround is provided in the "Advisory for HP OpenVMS SSL users on OpenVMS V8.4 for Integrity servers and Alpha platform".



Products depending on HPE SSL1 (or HP SSL)

The following HP products or components depend on HPE SSL1 (or HP SSL). These products, and any products that depend on them, need the appropriate HPE SSL1 (or HP SSL) libraries to be present on the system. Visit the specific product web site or the HP support center (for patches) to identify the version of the product and its compatibility with either HPE SSL1 or HP SSL.

  • LDAP (visit HP support center for patches)
  • ENCRYPT (visit HP support center for patches)
  • Stunnel
  • HP BINARY CHECKER (visit HP support center for patches)
  • HP System Management Homepage (HP SMH) for OpenVMS
  • HP WBEM Services for OpenVMS Integrity servers
  • HP OpenView Operations Agent for OpenVMS
  • Secure Web Server
  • ABS (visit HP support center for patches)
  • HP Enterprise Directory (visit HP support center for patches)

If any of the products are dependent on these dependent products, such products will also need appropriate HPE SSL1 (or HP SSL) libraries.

For more information on OpenVMS partner support, please see your local HP representative or contact us.