OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.
© Copyright 2010 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents

1 OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.012
    Announcement
    What is in OpenSSL A.00.09.07m and A.00.09.08n
        Ciphers
List of Tables

1-1 Default OpenSSL Depot versions for HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
1-2 OpenSSL A.00.09.07m PA-RISC libraries
1-3 OpenSSL A.00.09.07m Intel® Itanium® libraries
1-4 OpenSSL A.00.09.08n PA-RISC libraries
List of Examples

1-1 If you are running OpenSSL A.00.09.07m.e001 on HP-UX 11i v1
1-2 If you are running OpenSSL A.00.09.08n.012 on HP-UX 11i v3
1-3 When an old version of OpenSSL from Internet Express is installed on the system
1-4 When OpenSSL A.00.09.07m.e002 is installed on an HP-UX 11i v2 operating system
1 OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.012

This document contains the most recent product information for OpenSSL A.00.09.08n.010, A.00.09.08n.011, and A.00.09.08n.012 supported on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 respectively. Use this document for the following information:
• OpenSSL Features
• Installing OpenSSL
• Using the OpenSSL command-line Tool
• Frequently Asked Questions (FAQs)

Announcement

This version of OpenSSL is based on the open source OpenSSL 0.9.7m and 0.
./Configure threads zlib shared no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc

FIPS Capable OpenSSL (based on 0.9.7m and linked against FIPS-1.1.2 module) is built with the following options:
./Configure fips for FIPS module
./Configure fips zlib threads no-rc5 no-idea no-krb5 no-mdc2 --openssldir=/opt/openssl for FIPS Compatible OpenSSL

FIPS Capable OpenSSL (based on 0.9.8n and linked against FIPS-1.2 module) is built with the following options:
./Configure fipscanisterbuild for FIPS module
.
• Data Encryption Standard Extension (DESX)
• Rivest Cipher 2 (RC2)
• Rivest Cipher 4 (RC4)

Message digest

A message digest is a piece of data that can be used to verify that the contents of a message have not been altered in transit. When a message is sent over a network, the sender computes a message digest by performing a one-way hash function using a secret key known only to the sender and recipient.
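The keyed digest described above corresponds to what the openssl command-line tool exposes as HMAC. The following script is an added example, not part of the HP release notes: it shows the sender computing a tag and the receiver rejecting an altered message or a wrong key. The function names, key, and messages are constructed for illustration, and HMAC-SHA256 is an assumed choice of algorithm.

```shell
#!/bin/sh
# Added example, not from the HP release notes. Function names and the sample
# key and messages are constructed for illustration.

# Print the hex HMAC-SHA256 tag of the data on stdin under shared key $1.
# Caveat: -hmac passes the key on the command line, where other local users
# can see it in the process list; acceptable for a demonstration only.
hmac_tag() {
    openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# Receiver side: recompute the tag over the received message $2 with the
# shared key $1 and accept only if it equals the tag $3 that arrived with it.
hmac_verify() {
    expected=$(printf '%s' "$2" | hmac_tag "$1")
    [ -n "$expected" ] && [ "$expected" = "$3" ]
}

# Print one verdict line: check LABEL KEY MESSAGE TAG
check() {
    if hmac_verify "$2" "$3" "$4"; then
        echo "$1: accepted"
    else
        echo "$1: REJECTED"
    fi
}

demo() {
    key='shared-secret-constructed'
    msg='transfer 100 to account 42'
    tag=$(printf '%s' "$msg" | hmac_tag "$key")   # sender computes the tag
    check "intact message"  "$key"        "$msg"                       "$tag"
    check "altered message" "$key"        "transfer 900 to account 42" "$tag"
    check "wrong key"       "not-the-key" "$msg"                       "$tag"
}

demo
```

The shell string comparison in hmac_verify is not constant-time; code that verifies tags from untrusted peers should use a constant-time comparison from a cryptographic library.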
• Public-Key Cryptography Standard 8 (PKCS#8) – Stores private keys.
• Public-Key Cryptography Standard 12 (PKCS#12) – Stores keys and certificates in browsers.

FIPS

Federal Information Processing Standard (FIPS) 140-2 OpenSSL is now added to the OpenSSL product. For more information about FIPS 140-2, see the following web address: http://www.oss-institute.org/index.
ciphers, digests, certificates, public key encryption, and encoding. The libssl library contains all the functions used for managing secure connections between SSL-enabled clients and the corresponding SSL-enabled servers. OpenSSL A.00.09.07m and A.00.09.08n provide 32-bit and 64-bit libraries for static and shared versions of both the libraries. A number of symbolic links are created when OpenSSL A.00.09.07m and A.00.09.08n are installed on the system.
Table 1-2 OpenSSL A.00.09.07m PA-RISC libraries (continued)

Library: 64-bit shared

Library Name/Location: /opt/openssl/0.9.7/lib/pa20_64/libssl.sl.0
Symbolic Link:
• /usr/lib/pa20_64/libssl.sl *
• /usr/lib/pa20_64/libssl.sl.0
• /opt/openssl/lib/pa20_64/libssl.sl *
• /opt/openssl/lib/pa20_64/libssl.sl.0
• /opt/openssl/0.9.7/lib/pa20_64/libssl.sl
• /opt/openssl/0.9.8/lib/pa20_64/libssl.sl.0

Library Name/Location: /opt/openssl/0.9.7/lib/pa20_64/libcrypto.sl.0
Symbolic Link:
• /usr/lib/pa20_64/libcrypto.
Table 1-3 OpenSSL A.00.09.07m Intel® Itanium® libraries (continued)

Library: 64-bit static

Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libssl.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux64/libssl.a *
• /opt/openssl/lib/hpux64/libssl.a *
• /opt/openssl/0.9.7/lib/hpux64/libssl.a
• /opt/openssl/0.9.8/lib/hpux64/libssl.0.9.7m.a

Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libcrypto.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux64/libcrypto.a *
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.7/lib/hpux64/libcrypto.
Table 1-4 OpenSSL A.00.09.08n PA-RISC libraries (continued)

Library: 32-bit shared

Library Name/Location: /opt/openssl/0.9.8/lib/libssl.sl.1
Symbolic Link:
• /usr/lib/libssl.sl *
• /usr/lib/libssl.sl.1
• /opt/openssl/lib/libssl.sl *
• /opt/openssl/lib/libssl.sl.1
• /opt/openssl/0.9.8/lib/libssl.sl
• /opt/openssl/0.9.7/lib/libssl.sl.1

Library Name/Location: /opt/openssl/0.9.8/lib/libcrypto.sl.1
Symbolic Link:
• /usr/lib/libcrypto.sl *
• /usr/lib/libcrypto.sl.1
• /opt/openssl/lib/libcrypto.sl *
• /opt/openssl/lib/libcrypto.sl.
Table 1-4 OpenSSL A.00.09.08n PA-RISC libraries (continued)

Library: 64-bit shared

Library Name/Location: /opt/openssl/0.9.8/lib/pa20_64/libssl.sl.1
Symbolic Link:
• /usr/lib/pa20_64/libssl.sl *
• /usr/lib/pa20_64/libssl.sl.1
• /opt/openssl/lib/pa20_64/libssl.sl *
• /opt/openssl/lib/pa20_64/libssl.sl.1
• /opt/openssl/0.9.8/lib/pa20_64/libssl.sl
• /opt/openssl/0.9.7/lib/pa20_64/libssl.sl.1

Library Name/Location: /opt/openssl/0.9.8/lib/pa20_64/libcrypto.sl.1
Symbolic Link:
• /usr/lib/pa20_64/libcrypto.
Table 1-5 OpenSSL A.00.09.08n Intel Itanium libraries (continued)

Library: 64-bit static

Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libssl.0.9.8n.a
Symbolic Link:
• /usr/lib/hpux64/libssl.a *
• /opt/openssl/lib/hpux64/libssl.a *
• /opt/openssl/0.9.8/lib/hpux64/libssl.a
• /opt/openssl/0.9.7/lib/hpux64/libssl.0.9.8n.a

Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libcrypto.0.9.8n.a
Symbolic Link:
• /usr/lib/hpux64/libcrypto.a *
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.8/lib/hpux64/libcrypto.a
• /opt/openssl/0.9.
If none of these random number generators are available on the system, OpenSSL returns an error while executing cryptographic functions. To prevent this situation, OpenSSL for HP-UX 11i v1 includes the /opt/openssl/prngd/prngd random number generator. The prngd server reads HP-UX commands from the prngd.conf file, computes random numbers based on certain parameters, and writes the computed random numbers to an HP-UX socket located in the /var/run/egd-pool directory.
Table 1-6 System requirements for installing OpenSSL A.00.09.07m, and A.00.09.08n

Component: Requirement

Operating system:
• HP-UX 11i v1
• HP-UX 11i v2
• HP-UX 11i v3

Hardware requirement:
• HP 9000 systems
• HP Integrity systems

Disk space requirement: 100 MB

Software availability in native languages: English only

Patch requirements

HP has tested the OpenSSL A.00.09.07m and A.00.09.08n software in test environments with the Support Plus media listed in Table 1-7.
# swinstall -s /tmp/OpenSSL*.depot fips_1_1_2

The swinstall command installs the OpenSSL software in the /opt/openssl directory. It places the sample code in the /opt/openssl/src and /opt/openssl/fips/0.9.8/src directories.

To install the FIPS Capable OpenSSL product (FIPS 1.2 object module and 0.9.8n based FIPS Compatible OpenSSL) only, enter the following command:

# swinstall -s /tmp/OpenSSL*.depot fips_1_2

The swinstall command installs the OpenSSL software in the /opt/openssl directory.
where:
Specifies the size of the key.
Specifies the file name where the key must be stored.

To create an RSA public and private key pair, use the following command:

$ openssl genrsa -out key.pem 1024

This command creates a 1024-bit key pair and stores it in a file called key.pem. The parameter is optional. The default key size is 512 bits.
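Because the key size is optional and defaults to 512 bits, a key file can end up weaker than intended. The following script is an added example, not part of the HP release notes: it audits a PEM RSA private key written by genrsa for modulus size and file permissions. The function names and the 2048-bit minimum are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the HP release notes: audit RSA private key files
# for modulus size and file permissions.
# MIN_RSA_BITS is an assumption; 2048 is the usual modern floor.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# Print the modulus size in bits of a PEM RSA private key, or nothing if the
# file cannot be parsed. "-passin pass:" stops openssl from prompting when
# the key is passphrase-protected.
rsa_key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Succeed only if group and other have no permission bits on the file.
key_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print a verdict per finding; return 0 only if size and permissions pass.
audit_rsa_key() {
    bits=$(rsa_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: UNREADABLE (not an RSA key, or passphrase-protected)"
        return 2
    fi
    rc=0
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "$1: WEAK ($bits-bit modulus, minimum $MIN_RSA_BITS)"
        rc=1
    fi
    if ! key_file_private "$1"; then
        echo "$1: EXPOSED (accessible by group or other)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: OK ($bits-bit)"
    return "$rc"
}

# Audit every file named on the command line, for example: sh audit.sh key.pem
for f in "$@"; do
    audit_rsa_key "$f"
done
```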
To create a self-signed certificate, use the following command:

$ openssl req -new -nodes -x509 -out cert.pem -keyout key.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"

OpenSSL resources

This section provides a list of sources from which you can obtain the OpenSSL software, and pointers to obtain information about OpenSSL technology.

Getting the OpenSSL software

You can obtain OpenSSL A.00.09.07m and A.00.09.
NOTE: The openssl command-line tool is a 32-bit application. It uses the 32-bit static OpenSSL libraries.

3 4 There are several flavours of libraries available in OpenSSL A.00.09.07m and OpenSSL A.00.09.08n. What are they? How do I know when to use which library?

Use the OpenSSL A.00.09.07m and OpenSSL A.00.09.08n libraries for 32-bit and 64-bit applications. Both the 32-bit and 64-bit versions of the libraries are provided. For a list of all the library files, see “OpenSSL libraries” (page 10).
OpenSSL A.00.09.07m and A.00.09.08n contain a precompiled version of the OpenSSL Open Source versions 0.9.7m and A.09.08j. Additionally, OpenSSL A.00.09.07m and A.00.09.08n contain the prngd random number generator and a self-signed host certificate. OpenSSL A.00.09.07m and A.00.09.08n are built to install and uninstall using the SD-UX utility, and are only for customers using the HP-UX operating system. HP offers full support for OpenSSL A.00.09.07m and A.00.09.08. The Internet Express OpenSSL 0.9.
Example 1-1 If you are running OpenSSL A.00.09.07m.e001 on HP-UX 11i v1

# what /usr/bin/openssl
/usr/bin/openssl:
$OpenSSL A.00.09.07m.e001, Zlib: v1.2.3 $
$OpenSSL A.00.09.07m.e001, Zlib: v1.2.3 $
$OpenSSL A.00.09.07m.e001, Zlib: v1.2.3 $

Example 1-2 If you are running OpenSSL A.00.09.08n.012 on HP-UX 11i v3

# what /usr/bin/openssl
/usr/bin/openssl:
$OpenSSL A.00.09.08n.012, Zlib: v1.2.3 $
$OpenSSL A.00.09.08n.012, Zlib: v1.2.3 $
$OpenSSL A.00.09.08n.012, Zlib: v1.2.
approach enables you to secure your client-server application without changing the source code, but limits you to the features offered by the Stunnel environment. These are the two distinct choices available to a user application environment that wants to SSL-encrypt its client-server communication. Both choices are valid. Direct use of the OpenSSL library clearly provides more options.

20 What is the FIPS relationship to the OpenSSL API?

The FIPS object module is designed for use with the OpenSSL API.
Table 1-10 Cryptographic algorithms that can be used in FIPS mode and Standard OpenSSL mode (continued) Algorithm Type Algorithm Standard OpenSSL FIPS Usage HMAC HMAC-MD2 Supported Not supported • Module integrity • Code integrity • Message integrity HMAC-MD4 HMAC-MD5 HMAC-RMD160 HMAC-SHA HMAC-SHA1 Hashing Supported HMAC-SHA2 0.9.8g supported Supported MD2 Supported Not supported MD4 MD5 RMD160 SHA SHA1 SHA2 Supported 0.9.8g supported