VSI SSL31 for OpenVMS V3.1-4 Release Notes
February 2024

Based on OpenSSL 3.1.4

VSI SSL31 V3.1-4 for OpenVMS X86_64 server
VSI-X86VMS-SSL31-V0301-4-1.PCSI
----------------------------------------------------------

VMS Software, Inc. is pleased to provide you with the latest release of
VSI SSL31 for OpenVMS. VSI SSL31 (Secure Sockets Layer) is based on the
3.1.4 release from the OpenSSL Group.

The VSI SSL31 product is designed to co-exist with VSI SSL111 and VSI SSL3
so that applications and components dependent on either version will run on
the same system. Below is a snapshot of co-existing VSI SSL111, VSI SSL3
and VSI SSL31:

    $ product show product ssl*
    ------------------------------------ ----------- ---------
    PRODUCT                              KIT TYPE    STATE
    ------------------------------------ ----------- ---------
    VSI X86VMS SSL111 V1.1-1M            Full LP     Installed
    VSI X86VMS SSL3 V3.0-12              Full LP     Installed
    VSI X86VMS SSL31 V3.1-4              Full LP     Installed
    ------------------------------------ ----------- ---------

    3 items found

For more information on coexistence in terms of directory structures,
command procedure names, libraries, and logical names, refer to
SSL31_X86_INSTALL_RELEASE_NOTES.TXT, "Installation Guide and Release Notes",
found in the SYS$COMMON:[SSL31.DOC] directory.

See http://www.openssl.org for information about OpenSSL.

There are post-installation activities that need to be performed.
This includes the following items, which are described in detail:

- Ensuring SSL31 startup and logical name creation files are executed
- Updating or copying the necessary startup, shutdown, and configuration
  files from the installed template files
- Running the Installation Verification Procedure (IVP)

The SSL31 installation creates the following directory structure and files
in PCSI$DESTINATION, which defaults to SYS$SYSDEVICE:[VMS$COMMON]:

    [SSL31]                 - Top-level SSL31 directory
    [SSL31.X86_64_EXE]      - Contains the images for the X86_64 server platform*
    [SSL31.COM]             - Directory to hold the various command procedures
    [SSL31.DEMOCA]          - Directory structure to demo SSL31's CA features
    [SSL31.DEMOCA.CERTS]    - Directory to hold the certificates and keys
    [SSL31.DEMOCA.CONF]     - Contains the configuration files
    [SSL31.DEMOCA.CRL]      - Contains revoked certificates and CRLs
    [SSL31.DEMOCA.PRIVATE]  - Directory for private keys and random data
    [SSL31.DOC]             - OpenSSL.org provided documentation and information
    [SSL31.INCLUDE]         - Contains the C Header (.H) files
    [SSL31.LIB]             - Contains static libraries (.OLB) files
    [SSL31.MODULES]         - Contains dynamically loadable OpenSSL modules
    [SYS$STARTUP]           - Startup and shutdown templates and files
    [SYSHLP]                - Release notes
    [SYSHLP.EXAMPLES.SSL31] - SSL31 crypto and secure session examples
    [SYSLIB]                - SSL31 shareable image files
    [SYSTEST]               - SSL31$IVP.COM test file

* Note: Each system will have only one xxx_EXE.DIR, depending on the
  architecture of the system.

SSL31 startup, shutdown, and logical names
-------------------------------------------

Add SSL31$STARTUP.COM to SYS$MANAGER:SYSTARTUP_VMS.COM to define SSL31$
logical names and install shareable images. If SSL111$STARTUP.COM or
SSL3$STARTUP.COM is already present in SYSTARTUP_VMS.COM, you can either
comment these out or conditionalize the command procedure as appropriate.
For example:

    $ if f$search("sys$startup:ssl111$startup.com") .nes. ""
    $ then
    $     @sys$startup:ssl111$startup.com
    $ endif
    $ if f$search("sys$startup:ssl3$startup.com") .nes. ""
    $ then
    $     @sys$startup:ssl3$startup.com
    $ endif
    $ if f$search("sys$startup:ssl31$startup.com") .nes. ""
    $ then
    $     @sys$startup:ssl31$startup.com
    $ endif

The SSL31$STARTUP.COM, SSL3$STARTUP.COM, and SSL111$STARTUP.COM startup
command procedures in the above example automatically define the SSL31$,
SSL3$, and SSL111$ executive-mode logical names in the SYSTEM logical name
table and install into memory the SSL31, SSL3, and SSL111 shareable images
that reside in the [SYSLIB] directory.

Ensure that the SSL31$STARTUP.COM command procedure is invoked after
invoking SSL3$STARTUP.COM and/or SSL111$STARTUP.COM. The command procedures
define a common logical "OPENSSL" that points to the include (header) file
directory used when building applications using OpenSSL. Invoking
SSL31$STARTUP.COM last ensures that the logical is defined to correctly
point to the latest VSI SSL31 3.1 header files.

Also, add SSL31$SHUTDOWN.COM to SYS$MANAGER:SYSHUTDWN.COM to remove
installed images and deassign the SSL31$ logical names at system shutdown.
If SSL111$SHUTDOWN.COM or SSL3$SHUTDOWN.COM is already present in
SYS$MANAGER:SYSHUTDWN.COM, conditionalize the script as appropriate.
For example:

    $ if f$search("sys$startup:ssl111$shutdown.com") .nes. ""
    $ then
    $     @sys$startup:ssl111$shutdown.com
    $ endif
    $ if f$search("sys$startup:ssl3$shutdown.com") .nes. ""
    $ then
    $     @sys$startup:ssl3$shutdown.com
    $ endif
    $ if f$search("sys$startup:ssl31$shutdown.com") .nes. ""
    $ then
    $     @sys$startup:ssl31$shutdown.com
    $ endif

Please refer to "Logical names" under the section "Coexistence and major
changes between VSI SSL111, VSI SSL3 and VSI SSL31" in the VSI SSL31
installation guide.

Apply SSL specific changes to SSL31 files
------------------------------------------

If this is the first time using a system with VSI SSL31 V3.1 and there
are site-specific changes to VSI SSL111 or VSI SSL3 files, it may be
necessary to migrate those changes to the SSL31 environment.

Examples:

- Copy any manual changes done to the site-specific startup command
  procedure SSL111$COM:SSL111$SYSTARTUP.COM or SSL3$COM:SSL3$SYSTARTUP.COM
  to SSL31$COM:SSL31$SYSTARTUP.COM.
- If SSL111$COM:SSL111$SYSTARTUP.COM or SSL3$COM:SSL3$SYSTARTUP.COM has any
  manual changes, ensure that these changes are copied to the site-specific
  startup command procedure SSL31$COM:SSL31$SYSTARTUP.COM. This command
  procedure will be invoked by SYS$STARTUP:SSL31$STARTUP.COM.
- Copy any manual changes done to the site-specific shutdown command
  procedure SSL111$COM:SSL111$SYSHUTDOWN.COM or SSL3$COM:SSL3$SYSHUTDOWN.COM
  to SSL31$COM:SSL31$SYSHUTDOWN.COM.
- If SYS$STARTUP:SSL111$SHUTDOWN.COM or SYS$STARTUP:SSL3$SHUTDOWN.COM has
  any manual changes, ensure that these changes are copied to the
  site-specific shutdown command procedure SSL31$COM:SSL31$SYSHUTDOWN.COM.
  This command procedure will be invoked by SYS$STARTUP:SSL31$SHUTDOWN.COM.
- Copy any manual changes done to the OpenSSL configuration file
  SSL111$ROOT:[000000]OPENSSL.CNF or SSL3$ROOT:[000000]OPENSSL.CNF to
  SSL31$ROOT:[000000]OPENSSL.CNF.
- Copy any manual changes done to the OpenSSL configuration file
  SSL111$ROOT:[000000]OPENSSL-VMS.CNF or SSL3$ROOT:[000000]OPENSSL-VMS.CNF
  to SSL31$ROOT:[000000]OPENSSL-VMS.CNF.
- If any other *.CNF files from previous releases are intended to be used
  with VSI SSL31 V3.1, insert the statement ".pragma dollarid:on" as the
  first line so that a '$' sign without '{}' is treated as an ordinary
  character (not as a substitution template) in VMS paths.
- Migrate any SSL certificate store content to VSI SSL31 V3.1 by following
  the steps under "Migrate certificate store from VSI SSL111 V1.1 or
  VSI SSL3 V3.0 to VSI SSL31 V3.1".

SSL31 Symbols
--------------

SSL31 foreign symbols are defined with the SSL31 command procedure
SSL31$COM:SSL31$UTILS.COM as follows:

    $ @SSL31$COM:SSL31$UTILS.COM

Installation Verification Procedure (IVP)
-----------------------------------------

The base installation verification procedure checks for the presence of
all the required files and logical names. The procedure also runs the
executable image to check that the shareable images are accessible.

Normally the base Installation Verification Procedure (IVP) is executed
when SSL31 is installed. To run the SSL31 base IVP manually, type the
following command:

    $ @SYS$TEST:SSL31$IVP.COM

Note that the IVP is not executed at installation time if the PCSI
qualifier /NOTEST was used.

Removing SSL31
---------------

To remove SSL31 from the system disk or destination directory, type the
following command:

    $ PRODUCT REMOVE SSL31

Note that some files may remain and will not be removed when the VSI SSL31
product is removed. These are generated files such as SSL31$IVP.LOG, which
is created by running the IVP test program, and other files such as
certificates that have been created in the SSL31$CERTS directory.

Migrate certificate store from VSI SSL111 V1.1 or VSI SSL3 V3.0 to VSI SSL31 V3.1:
----------------------------------------------------------------------------------

- The top-level directory of VSI SSL31 V3.1 is
  SYS$SYSDEVICE:[VMS$COMMON.SSL31], changed from
  SYS$SYSDEVICE:[VMS$COMMON.SSL111] or SYS$SYSDEVICE:[VMS$COMMON.SSL3]
  (the top-level directories of VSI SSL111 V1.1 and VSI SSL3 V3.0
  respectively). If a certificate store was manually created in
  SYS$SYSDEVICE:[VMS$COMMON.SSL111.DEMOCA...] or
  SYS$SYSDEVICE:[VMS$COMMON.SSL3.DEMOCA...], copy the certificate store to
  SYS$SYSDEVICE:[VMS$COMMON.SSL31.DEMOCA...].

For more information, see the manual pages and documentation in
https://www.openssl.org/docs/index.html
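
A check for the startup ordering described under "SSL31 startup, shutdown, and logical names", as an added example that is not part of the VSI kit: it reads the text of a SYSTARTUP_VMS.COM copy and reports whether SSL31$STARTUP.COM is the last SSL startup procedure invoked. The Python function names and both sample fragments are constructed for illustration.

```python
import re

# "@sys$startup:ssl31$startup.com" style invocation, case-insensitive.
INVOKE = re.compile(r"@\s*sys\$startup:(ssl\d+)\$startup\b", re.IGNORECASE)

# Constructed sample: the conditional form shown in the release notes.
GOOD = r'''
$ if f$search("sys$startup:ssl3$startup.com") .nes. ""
$ then
$     @sys$startup:ssl3$startup.com
$ endif
$ if f$search("sys$startup:ssl31$startup.com") .nes. ""
$ then
$     @sys$startup:ssl31$startup.com
$ endif
'''

# Constructed sample: SSL111 commented out, SSL3 invoked after SSL31.
BAD = r'''
$! @sys$startup:ssl111$startup.com
$ @sys$startup:ssl31$startup.com
$ @sys$startup:ssl3$startup.com   ! runs last, so it defines OPENSSL last
'''

def strip_comment(line):
    """Drop a DCL comment: everything from the first '!' outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "!" and not in_quotes:
            return line[:i]
    return line

def startup_order(text):
    """SSL products in the order their startup procedures are invoked."""
    found = (INVOKE.search(strip_comment(line)) for line in text.splitlines())
    return [m.group(1).upper() for m in found if m]

def ssl31_is_last(text):
    """True when SSL31$STARTUP.COM is invoked and no other SSL startup follows."""
    order = startup_order(text)
    return bool(order) and order[-1] == "SSL31"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, startup_order(text), ssl31_is_last(text))
```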
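
A check for the ".pragma dollarid:on" step under "Apply SSL specific changes to SSL31 files", as an added example that is not part of the VSI kit or of OpenSSL: it tests whether a migrated *.CNF file starts with the pragma, prepends it when missing, and lists the lines containing a '$' outside ${...} or $(...) so each can be reviewed. The function names and the sample file content are constructed for illustration.

```python
import re

PRAGMA = ".pragma dollarid:on"
# A '$' that does not open a ${name} or $(name) reference.
BARE_DOLLAR = re.compile(r"\$(?![{(])")

# Constructed sample of a configuration file carried over from an older release.
SAMPLE_CNF = r'''# constructed sample
[ CA_default ]
dir         = SSL31$ROOT:[DEMOCA]
database    = ${dir}INDEX.TXT
private_key = SSL31$ROOT:[DEMOCA.PRIVATE]CAKEY.PEM
'''

def has_dollarid_pragma(text):
    """True when the first line of the file is the pragma, as the notes require."""
    lines = text.splitlines()
    return bool(lines) and " ".join(lines[0].split()).lower() == PRAGMA

def ensure_pragma(text):
    """Return the text with the pragma as its first line; unchanged if present."""
    return text if has_dollarid_pragma(text) else PRAGMA + "\n" + text

def bare_dollar_lines(text):
    """1-based numbers of lines holding a '$' outside ${...} or $(...)."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        value = line.split("#", 1)[0]  # ignore a trailing '#' comment
        if BARE_DOLLAR.search(value):
            hits.append(number)
    return hits

if __name__ == "__main__":
    print("pragma present:", has_dollarid_pragma(SAMPLE_CNF))
    print("lines with a bare '$':", bare_dollar_lines(SAMPLE_CNF))
    print(ensure_pragma(SAMPLE_CNF))
```

Once the pragma is on, a '$' without braces or parentheses is no longer a substitution, so a listed line that was meant as a variable reference has to be rewritten as ${name}.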