OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.
© Copyright 2010 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.003

This document contains the most recent product information for OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.003 supported on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3, respectively. This document contains the following information:
• OpenSSL Features
• Installing OpenSSL
• Using the OpenSSL command-line Tool
• Frequently Asked Questions (FAQs)

Announcement

This version of OpenSSL is based on the open source OpenSSL 0.9.
./Configure threads zlib shared no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc

FIPS Capable OpenSSL (based on OpenSSL A.00.09.07m and linked against FIPS-1.1.2 module) is built with the following options:

./Configure threads zlib shared no-rc5 no-idea no-krb5 no-mdc2 --openssldir=/opt/openssl hpux-cc

FIPS Capable OpenSSL (based on OpenSSL A.00.09.08o and linked against FIPS-1.2 module) is built with the following options:

.
• Rivest Cipher 2 (RC2)
• Rivest Cipher 4 (RC4)

Message digest

A message digest is a piece of data that can be used to verify that the contents of the message have not been altered during transit. When a message is sent over a network, the sender computes a message digest by performing a one-way hash function using a secret key known only to the sender and recipient. The recipient also computes the message digest by performing the same one-way hash function using the secret key.
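The keyed digest exchange described above, as an added example that is not part of the HP release notes: it uses HMAC through `openssl dgst -hmac` and assumes an openssl build whose dgst command supports that option. The key and messages are constructed sample values.

```shell
#!/bin/sh
# Added example: sender and recipient each compute a keyed digest (HMAC) of a
# message with a shared secret; a mismatch means the message was altered.
# The key and the messages below are constructed sample values.

keyed_digest() {
    # $1 = shared secret, $2 = message file; prints only the hex digest.
    # -hmac takes the key on the command line, where other local users can
    # see it in the process list, so use it with test keys only.
    openssl dgst -sha256 -hmac "$1" < "$2" | awk '{print $NF}'
}

message_is_intact() {
    # $1 = shared secret, $2 = received file, $3 = digest sent with the message
    [ "$(keyed_digest "$1" "$2")" = "$3" ]
}

tmp=$(mktemp -d)
printf '%s' 'The quick brown fox jumps over the lazy dog' > "$tmp/sent.txt"
tag=$(keyed_digest key "$tmp/sent.txt")      # computed by the sender

cp "$tmp/sent.txt" "$tmp/received.txt"       # delivered unchanged
printf '%s' 'The quick brown fox jumps over the lazy cat' > "$tmp/altered.txt"

message_is_intact key "$tmp/received.txt" "$tag" && echo "received.txt: intact"
message_is_intact key "$tmp/altered.txt" "$tag" || echo "altered.txt: digest mismatch"
```
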
• Public-Key Cryptography Standard 8 (PKCS#8) – Stores private keys.
• Public-Key Cryptography Standard 12 (PKCS#12) – Stores keys and certificates in browsers.

What is in OpenSSL A.00.09.08o

OpenSSL A.00.09.08o supports all the security features that are available in OpenSSL A.00.09.07m. In addition, OpenSSL A.00.09.08o also supports the following public-key encryptions:
• Elliptic Curve Crypto (ECC)
• Elliptic Curve Diffie-Hellman (ECDH)
• Elliptic Curve Digital Signature Algorithm (ECDSA)

OpenSSL A.00.
Table 1-2 OpenSSL A.00.09.07m PA-RISC libraries

Library: 32-bit static

Library Name/Location: /opt/openssl/0.9.7/lib/libssl.0.9.7m.a
Symbolic Link:
• /usr/lib/libssl.a *
• /opt/openssl/lib/libssl.a *
• /opt/openssl/0.9.7/lib/libssl.a
• /opt/openssl/0.9.8/lib/libssl.0.9.7m.a

Library Name/Location: /opt/openssl/0.9.7/lib/libcrypto.0.9.7m.a
Symbolic Link:
• /usr/lib/libcrypto.a *
• /opt/openssl/lib/libcrypto.a *
• /opt/openssl/0.9.7/lib/libcrypto.a
• /opt/openssl/0.9.8/lib/libcrypto.0.9.7m.a

/opt/openssl/0.9.7/lib/ libssl.sl.
Table 1-2 OpenSSL A.00.09.07m PA-RISC libraries (continued)

Library: 64-bit shared

Library Name/Location: /opt/openssl/0.9.7/lib/pa20_64/libssl.sl.0
Symbolic Link:
• /usr/lib/pa20_64/libssl.sl *
• /usr/lib/pa20_64/libssl.sl.0
• /opt/openssl/lib/pa20_64/libssl.sl *
• /opt/openssl/lib/pa20_64/libssl.sl.0
• /opt/openssl/0.9.7/lib/pa20_64/libssl.sl
• /opt/openssl/0.9.8/lib/pa20_64/libssl.sl.0

Library Name/Location: /opt/openssl/0.9.7/lib/pa20_64/libcrypto.sl.0
Symbolic Link:
• /usr/lib/pa20_64/libcrypto.
Table 1-3 OpenSSL A.00.09.07m Intel Itanium® libraries (continued)

Library: 32-bit shared

Library Name/Location: /opt/openssl/0.9.7/hpux32/libssl.so.0
Symbolic Link:
• /usr/lib/hpux32/libssl.so *
• /usr/lib/hpux32/libssl.so.0
• /opt/openssl/lib/hpux32/libssl.so *
• /opt/openssl/lib/hpux32/libssl.so.0
• /opt/openssl/0.9.7/lib/hpux32/libssl.so
• /opt/openssl/0.9.8/lib/hpux32/libssl.so.0

Library Name/Location: /opt/openssl/0.9.7/hpux32/libcrypto.so.0
Symbolic Link:
• /usr/lib/hpux32/libcrypto.so *
• /usr/lib/hpux32/libcrypto.so.
Table 1-3 OpenSSL A.00.09.07m Intel Itanium® libraries (continued)

Library: 64-bit static

Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libssl.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux64/libssl.a *
• /opt/openssl/lib/hpux64/libssl.a *
• /opt/openssl/0.9.7/lib/hpux64/libssl.a
• /opt/openssl/0.9.8/lib/hpux64/libssl.0.9.7m.a

Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libcrypto.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux64/libcrypto.a *
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.7/lib/hpux64/libcrypto.
NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.07m.

Table 1-4 OpenSSL A.00.09.08o PA-RISC libraries

Library: 32-bit static

Library Name/Location: /opt/openssl/0.9.8/lib/libssl.0.9.8n.a
Symbolic Link:
• /usr/lib/libssl.a *
• /opt/openssl/lib/libssl.a *
• /opt/openssl/0.9.8/lib/libssl.a
• /opt/openssl/0.9.7/lib/libssl.0.9.8n.a

Library Name/Location: /opt/openssl/0.9.8/lib/libcrypto.0.9.8n.a
Symbolic Link:
• /usr/lib/libcrypto.a *
• /opt/openssl/lib/libcrypto.a *
• /opt/openssl/0.9.
Table 1-4 OpenSSL A.00.09.08o PA-RISC libraries (continued)

Library: 64-bit shared

Library Name/Location: /opt/openssl/0.9.8/lib/pa20_64/libssl.sl.1
Symbolic Link:
• /usr/lib/pa20_64/libssl.sl *
• /usr/lib/pa20_64/libssl.sl.1
• /opt/openssl/lib/pa20_64/libssl.sl *
• /opt/openssl/lib/pa20_64/libssl.sl.1
• /opt/openssl/0.9.8/lib/pa20_64/libssl.sl
• /opt/openssl/0.9.7/lib/pa20_64/libssl.sl.1

Library Name/Location: /opt/openssl/0.9.8/lib/pa20_64/libcrypto.sl.1
Symbolic Link:
• /usr/lib/pa20_64/libcrypto.
Table 1-5 OpenSSL A.00.09.08o Intel Itanium libraries (continued)

Library: 32-bit shared

Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libssl.so.1
Symbolic Link:
• /usr/lib/hpux32/libssl.so *
• /usr/lib/hpux32/libssl.so.1
• /opt/openssl/lib/hpux32/libssl.so *
• /opt/openssl/lib/hpux32/libssl.so.1
• /opt/openssl/0.9.8/lib/hpux32/libssl.so
• /opt/openssl/0.9.7/lib/hpux32/libssl.so.1

Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libcrypto.so.1
Symbolic Link:
• /usr/lib/hpux32/libcrypto.
Table 1-5 OpenSSL A.00.09.08o Intel Itanium libraries (continued)

Library: 64-bit static

Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libssl.0.9.8n.a
Symbolic Link:
• /usr/lib/hpux64/libssl.a *
• /opt/openssl/lib/hpux64/libssl.a *
• /opt/openssl/0.9.8/lib/hpux64/libssl.a
• /opt/openssl/0.9.7/lib/hpux64/libssl.0.9.8n.a

Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libcrypto.0.9.8n.a
Symbolic Link:
• /usr/lib/hpux64/libcrypto.a *
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.8/lib/hpux64/libcrypto.a
• /opt/openssl/0.9.
• Creating and viewing RSA, DSA, and DH public keys
• Encrypting or decrypting a file using a public key or private key, respectively
• Creating X.509 certificates, certificate requests, and Certificate Revocation Lists (CRL)
• Managing the Certificate Authority (CA)

Strong random number generator for HP-UX 11i V1

OpenSSL A.00.09.07m requires a strong random number generator to provide secure and non-reproducible keys and certificates. OpenSSL A.00.09.
Known problems

There are no known problems in OpenSSL A.00.09.08o. In OpenSSL A.00.09.07m, due to the nonperformance of MD5, SHA1 is used as the default Message-Digest Algorithm (md).

Compatibility information and installation requirements

This section lists the system and patch requirements for OpenSSL A.00.09.07m and A.00.09.08o.

System requirements

Table 1-6 specifies the minimum system requirements for installing OpenSSL A.00.09.07m, and A.00.09.08o.
Installing OpenSSL

To install OpenSSL, complete the following steps:
1. Log in as root.
2. Insert the software CD into the appropriate drive if you are installing from the Application Release CD. If you are downloading the software package from the Software Depot, download the depot and follow the instructions provided in the installation page for OpenSSL.
3. Run the following command:
   $ swinstall -s
4. 5. 6. 7. 8. 9.
Table 1-9 The Openssl command-line options (continued)

Option Name   Description
genrsa        Generation of RSA parameters
req           X.509 Certificate Signing Request (CSR) management
rsa           RSA data management
verify        X.509 certificate verification
x509          X.509 certificate data management

For more information on openssl command-line options, refer to openssl(1).

Using Openssl

This section explains the use of the openssl command-line tool with examples. For more information, refer to the openssl(1) manpage.
This command displays the modulus, exponent, and prime key values of the key pair stored in the key.pem file. If the key pair stored in key.pem is encrypted, then this command prompts the user for the pass phrase.

Creating an RSA certificate request

Following is the syntax to create a new certificate request:

# openssl req -new -nodes -out -keyout -subj

Where: specifies the file to which the certificate request is written.
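A worked run of the certificate request syntax above, as an added example that is not part of the HP release notes. The file names, subject and key size are constructed for the example, and `-newkey rsa:2048` is added to fix the key size instead of relying on the configuration file default.

```shell
#!/bin/sh
# Added example (not from the release notes): create an RSA key and CSR with
# "openssl req -new -nodes", then check the request before sending it to a CA.
# File names, subject and key size are constructed for this example.

make_csr() {
    # $1 = output directory, $2 = subject DN
    (
        umask 077   # -nodes writes the private key unencrypted: owner-only file
        openssl req -new -nodes -newkey rsa:2048 \
            -out "$1/server.csr" -keyout "$1/server.key" -subj "$2"
    )
}

csr_signature_ok() {
    # Match the "verify OK" message rather than relying on the exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {
    # $1 = CSR, $2 = private key: both must carry the same RSA modulus.
    csr_mod=$(openssl req -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus)
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

dir=$(mktemp -d)
make_csr "$dir" "/C=US/O=Example Org/CN=host.example.com" 2>/dev/null &&
    csr_signature_ok "$dir/server.csr" &&
    csr_matches_key "$dir/server.csr" "$dir/server.key" &&
    echo "CSR ready: $dir/server.csr"
```

Because `-nodes` leaves the private key unencrypted on disk, the restrictive umask is what protects it; drop `-nodes` to have openssl prompt for a pass phrase instead.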
• OpenSSL Website at: http://www.openssl.org/
• OpenSSL FAQ at: http://www.openssl.org/support/faq.html
• OpenSSL mailing list at: http://marc.theaimsgroup.com/?l=openssl-users
• The Transport Layer Security (TLS) Internet Engineering Task Force (IETF) Working Groups at: http://www.ietf.org/html.charters/wg-dir.html#Security%20Area
• OpenSSL APIs at: http://www.opensslbook.com/api/index.html

OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.
http://software.hp.com

6 Does installing OpenSSL require a kernel rebuild?
No. OpenSSL contains application libraries and a command-line tool. It does not require a kernel rebuild or system reboot.

7 How can I install OpenSSL A.00.09.07m or A.00.09.08o?
You can install OpenSSL A.00.09.07m or A.00.09.08o from the application CD or the Web using the swinstall command.

8 How can I uninstall OpenSSL A.00.09.07m or A.00.09.
or A.00.09.08o, you must first uninstall the HP-UX Internet Express OpenSSL product. If you attempt to install OpenSSL A.00.09.07m or A.00.09.08o on a system without removing the HP-UX Internet Express OpenSSL product, the OpenSSL A.00.09.07m and A.00.09.08o installation fails with an error message. If you have HP-UX Internet Express OpenSSL 0.9.7c installed on your system, use the following command to remove it:

# swremove ixOpenSSL

14 I have already built Open Source OpenSSL 0.9.7m or A.0.9.
Example 1-4 When an old version of OpenSSL from Internet Express is installed on the system

# what /usr/bin/openssl
OpenSSL A.02.00-0.9.7c

Example 1-5 If you are running OpenSSL A.00.09.08o.003 on HP-UX 11i V3

# what /usr/bin/openssl
/usr/bin/openssl:
$OpenSSL A.00.09.08o.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08o.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08o.003, Zlib: v1.2.3 $

Example 1-6 When OpenSSL A.00.09.07m.