HP OpenVMS Systems

SSL (Secure Sockets Layer)

HP SSL for OpenVMS

HPE is glad to announce the release and general availability of HP SSL1 V 1.0 (Based on OpenSSL V1.0.2 stream) to all our customers as on 18th Dec’2015.

Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function.

Securing communication channels to OpenVMS applications over a TCP/IP connection can be accomplished through the use of SSL. The OpenSSL APIs establish private, authenticated and reliable communications links between applications.

NOTE: HPE recommends all customers to migrate to the HP SSL1 V 1.0 (Based on OpenSSL V1.0.2 stream) before 31st March 2016. As part of your migration activities if you require assistance, please contact an HPE representative.

If your migration activities are expected to extend beyond 31st March 2016, please let the HPE representative know by 31st January 2016.

Post this migration window, OpenVMS engineering would be able to support customers only on the HP SSL1 V 1.0 (Based on OpenSSL V1.0.2 stream). Post 31st December 2015, OpenSSL community will not support V 0.9.8 stream. Hence HP SSL 1.4 based on OpenSSL V 0.9.8 stream will not have any security fixes.

»  Download HPE SSL Version 1.4-0503 for OpenVMS Integrity servers and Alpha   (February, 2016)
HPE SSL Version 1.4-0503 for OpenVMS Alpha and Integrity servers are based on OpenSSL 0.9.8zh..

»  Download HPE SSL1 Version 1.0-2G for OpenVMS Integrity servers and Alpha   (March, 2016)
HPE SSL1 Version 1.0-2G for OpenVMS Alpha and Integrity servers are not backward compatible with HP SSL Version 1.4 or earlier versions.

From HPE SSL1 V1.0-2G, all SSLv2 methods, Weak Ciphers and EXPORT Ciphers are disabled.

Applications using SSLv2 methods need appropriate modifications. Here is an excerpt from “Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)”


SSLv2 is now by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:

SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or

SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

Vulnerabilities CVE/CAN:

For more information on OpenSSL, visit OpenSSL Website : www.openssl.org

The vulnerabilities addressed in different versions of OpenSSL are located at https://www.openssl.org/news/vulnerabilities.html

HP SSL1 V1.0 is not Backward Compatible with HP SSL V1.4 and 1.3!

The HPE SSL1 Version 1.0-2CG for OpenVMS is based on the 1.0.2C base level of OpenSSL and is not backward compatible with the earlier HP SSL V1.4 and 1.3 versions.

Users can have both HPE SSL1 V1.0 and HP SSL V1.4 products co-exist on the same system as product names are different. Even the executable images, sharable files, include files and other files shipped along with these kits have different naming conventions and locations. For more information, see HPE SSL1 Version 1.0-2G for OpenVMS Installation Guide and Release Notes

HP SSL V1.4 is not Backward Compatible with HP SSL V1.3!

The HP SSL Version 1.4 for OpenVMS is based on the 0.9.8h base level of OpenSSL. Some of the OpenSSL APIs, data structures and commands are changed from the previous HP SSL version 1.3 (based on OpenSSL 0.9.7e).

If you were running a version of HP SSL prior to Version 1.4 and your application is dependent on the SSL, you must recompile and re-link your code after you upgrade to Version 1.4.

You must recompile and re-link your code with the latest SSL header files and shareable images if you see the following error:

    $ run ssl_test
    %DCL-W-ACTIMAGE, error activating image SSL$LIBSSL_SHR32
    -CLI-E-IMGNAME, image file
    -SYSTEM-F-SHRIDMISMAT, ident mismatch with shareable image

For information about installing HP SSL Version 1.4 and HP SSL Version 1.3, see the HP SSL Installation Guide and Release Notes.

» If application migration from HP OpenVMS SSL V1.3 to V1.4 is not possible immediately, a temporary work around is provided in the "Advisory for HP OpenVMS SSL users on OpenVMS V8.4 for Integrity servers and Alpha platform".

Products depending on HPE SSL1 (or HP SSL)

Following is the list of HP products or components that are dependent on HPE SSL1 (or HP SSL). The products and their dependent products needs appropriate HPE SSL1 (or HP SSL) libraries to be present on the system. Visit the specific product web site or HP support center (for patches) to identify the version of the product and its compatibility with either HPE SSL1 or HP SSL.

  • LDAP (visit HP support center for patches)
  • ENCRYPT (visit HP support center for patches)
  • Stunnel
  • HP BINARY CHECKER (visit HP support center for patches)
  • HP System Management Homepage (HP SMH) for OpenVMS
  • HP WBEM Services for OpenVMS Integrity servers
  • HP OpenView Operations Agent for OpenVMS
  • OpenView Performance Agent (OVPA) for OpenVMS
  • Secure Web Server
  • ABS (visit HP support center for patches)
  • HP Enterprise Directory (visit HP support center for patches))

If any of the products are dependent on these dependent products, such products will also need appropriate HPE SSL1 (or HP SSL) libraries.

For example, iCAP/nPar which is dependent on HP WBEM Services

    $ backup/encrypt command which is dependent on Encrypt.

For more information on OpenVMS partner support, please see your local HP representative or contact us ›.