OpenSSL A.00.09.08q.001,A.00.09.08q.002, and A.00.09.08q.003 Release Notes (5900-1600, March 2011)

ManualsBrandsHP ManualsSoftwareHP-UX OpenSSL Software

OpenSSL A.00.09.08o.001,

A.00.09.08o.002, and A.00.09.08o.003

Release Notes

HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3

HP Part Number: 5900-1600

Published: March 2011

Summary of content (25 pages)

PAGE 1
OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.
PAGE 2
© Copyright 2010, 2011 Hewlett-Packard Development Company, L.P. Legal Notices Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
PAGE 3
Contents 1 OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.003.............4 Announcement.........................................................................................................................4 OpenSSL A.00.09.07m and A.00.09.08o features........................................................................5 Ciphers..............................................................................................................................5 Message digest.......................
PAGE 4
1 OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.003 This document contains the most recent product information for OpenSSL A.00.09.08o.001, A.00.09.08o.002, and A.00.09.08o.003 supported on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3, respectively. This document contains the following information: • OpenSSL Features • Installing OpenSSL • Using the OpenSSL command-line Tool • Frequently Asked Questions (FAQs) Announcement This version of OpenSSL is based on the open source OpenSSL 0.9.
PAGE 5
OpenSSL A.00.09.08o has the following options: ./Configure threads zlib shared no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc FIPS Capable OpenSSL (based on OpenSSL A.00.09.07m and linked against FIPS-1.1.2 module) is built with the following options: ./Configure threads zlib shared no-rc5 no-idea no-krb5 no-mdc2 --openssldir=/opt/openssl hpux-cc FIPS Capable OpenSSL (based on OpenSSL A.00.09.08o and linked against FIPS-1.2 module) is built with the following options: .
PAGE 6
• Data Encryption Standard (DES) CAUTION: DES has been cracked (data encoded by DES has been decoded by a third party). HP recommends that you use DES only when you are required to do so for compatibility reasons or because of legal restrictions.
PAGE 7
Encoding Before a message is sent over a network, the message is encoded such that the receiver can understand the message. OpenSSL A.00.09.07m and A.00.09.08o support the following file formats for encoding keys, certificates, and digitally signed files: • ASN.1 — Abstract Syntax Notation One. • Distinguished Encoding Rules (DER) – Stores ASN.1 structures containing keys and certificates. • Privacy Enhanced Mail (PEM) – Stores keys, certificates, and encrypted files.
PAGE 8
OpenSSL components OpenSSL A.00.09.07m and A.00.09.08o contain the following components: • OpenSSL libraries • The openssl command-line tool • Strong Random Number Generator for HP-UX 11i V1 • Automatically generated self-signed host certificate The following sections discuss these components in detail. OpenSSL libraries OpenSSL A.00.09.07m and A.00.09.08o contain two libraries: libcrypto and libssl.
PAGE 9
Table 2 OpenSSL A.00.09.07m PA-RISC libraries (continued) Library Library Name/Location Symbolic Link 64-bit static /opt/openssl/0.9.7/lib/ pa20_64/libssl.0.9.7m.a • /usr/lib/pa20_64/libssl.a * • /opt/openssl/lib/pa20_64/libssl.a * • /opt/openssl/0.9.7/lib/pa20_64/libssl.a • /opt/openssl/0.9.8/lib/pa20_64/ libssl.0.9.7m.a /opt/openssl/0.9.7/lib/ pa20_64/libcrypto.0.9.7m.a • /usr/lib/pa20_64/libcrypto.a * • /opt/openssl/lib/pa20_64/libcrypto.a * • /opt/openssl/0.9.7/lib/pa20_64/libcrypto.
PAGE 10
Table 3 OpenSSL A.00.09.07m Intel Itanium®® libraries (continued) Library Library Name/Location Symbolic Link 32-bit shared /opt/openssl/0.9.7 /hpux32/libssl.so.0 • /usr/lib/hpux32/libssl.so * • /usr/lib/hpux32/libssl.so.0 • /opt/openssl/lib/hpux32/libssl.so * • /opt/openssl/lib/hpux32/libssl.so.0 • /opt/openssl/0.9.7/lib/hpux32/libssl.so • /opt/openssl/0.9.8/lib/hpux32/libssl.so.0 /opt/openssl/0.9.7/ hpux32/libcrypto.so.0 • /usr/lib/hpux32/libcrypto.so * • /usr/lib/hpux32/libcrypto.so.
PAGE 11
Table 3 OpenSSL A.00.09.07m Intel Itanium®® libraries (continued) Library Library Name/Location Symbolic Link 64-bit shared /opt/openssl/0.9.7/lib/ hpux64/libssl.so.0 • /usr/lib/hpux64/libssl.so * • /usr/lib/hpux64/libssl.so.0 • /opt/openssl/lib/hpux64/libssl.so * • /opt/openssl/lib/hpux64/libssl.so.0 • /opt/openssl/0.9.7/lib/hpux64/libssl.so • /opt/openssl/0.9.8/lib/hpux64/libssl.so.0 /opt/openssl/0.9.7/lib/ hpux64/libcrypto.so.0 • /usr/lib/hpux64/libcrypto.so * • /usr/lib/hpux64/libcrypto.so.
PAGE 12
Table 4 OpenSSL A.00.09.08o PA-RISC libraries (continued) Library Library Name/Location Symbolic Link 32-bit shared /opt/openssl/0.9.8/lib/ libssl.sl.1 • /usr/lib/libssl.sl * • /usr/lib/libssl.sl.1 • /opt/openssl/lib/libssl.sl * • /opt/openssl/lib/libssl.sl.1 • /opt/openssl/0.9.8/lib/libssl.sl • /opt/openssl/0.9.7/lib/libssl.sl.1 /opt/openssl/0.9.8/lib/ libcrypto.sl.1 • /usr/lib/libcrypto.sl * • /usr/lib/libcrypto.sl.1 • /opt/openssl/lib/libcrypto.sl * • /opt/openssl/lib/libcrypto.sl.
PAGE 13
NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.08o. Table 5 OpenSSL A.00.09.08o Intel Itanium libraries Library Library Name/Location Symbolic Link 32-bit static /opt/openssl/0.9.8/lib/ hpux32/ • /usr/lib/hpux32/libssl.a * libssl.0.9.8o.a • /opt/openssl/lib/hpux32/libssl.a * • /opt/openssl/0.9.8/lib/hpux32/libssl.a • /opt/openssl/0.9.7/lib/hpux32/ libssl.0.9.8o.a /opt/openssl/0.9.8/lib/ hpux32/ • /usr/lib/hpux32/libcrypto.a * libcrypto.0.9.8o.
PAGE 14
Table 5 OpenSSL A.00.09.08o Intel Itanium libraries (continued) Library Library Name/Location Symbolic Link 64-bit static /opt/openssl/0.9.8/lib/ hpux64/ • /usr/lib/hpux64/libssl.a * libssl.0.9.8o.a • /opt/openssl/lib/hpux64/libssl.a * • /opt/openssl/0.9.8/lib/hpux64/libssl.a • /opt/openssl/0.9.7/lib/hpux64/ libssl.0.9.8o.a /opt/openssl/0.9.8/lib/ hpux64/ • /usr/lib/hpux64/libcrypto.a * libcrypto.0.9.8o.a • /opt/openssl/lib/hpux64/libcrypto.a * • /opt/openssl/0.9.8/lib/hpux64/libcrypto.
PAGE 15
The Openssl command-line tool The openssl command-line tool is an interactive tool that enables you to execute cryptographic functions. It supports the following features: • Creating and viewing secret keys • Encrypting or decrypting files using secret-key ciphers • Calculating message digests for files • Creating and viewing RSA, DSA, and DH public keys • Encrypting or decrypting a file using a public key or private key, respectively • Creating X.
PAGE 16
Defects fixed in OpenSSL version A.00.09.07m There are several clean-up related changes, some stringent error checking, and general bug fixes between OpenSSL Open Source versions 0.9.7l and 0.9.7m. For more information on the fixes, see The OpenSSL Changelog. Defects fixed in OpenSSL version A.00.09.08o This version includes several changes and fixes. For more information on the fixes, see The OpenSSL Changelog. Known problems There are no known problems in OpenSSL A.00.09.08o. In OpenSSL A.00.09.
PAGE 17
NOTE: OpenSSL has been tested with the above QPK bundle. You can also choose to use the latest QPK bundle as these bundles are cumulative in nature. HP recommends that you use OpenSSL A.00.09.07m and A.00.09.08o with the libc patch listed in Table 8. Table 8 Recommended libc patch bundles Operating System Recommended libc Patch Bundle HP-UX 11i V1 PHCO_28427 Installing OpenSSL To install OpenSSL, complete the following steps: 1. 2. 3. Log in as root.
PAGE 18
Table 9 The Openssl command-line options Option Name Description ca CA management crl CRL management dgst Message digest calculation dsa DSA data management enc Encoding with ciphers gendsa Generation of DSA parameters genrsa Generation of RSA parameters req X.509 Certificate Signing Request (CSR) management rsa RSA data management verify X.509 certificate verification x509 X.509 certificate data management For more information on openssl command-line options, refer to openssl(1).
PAGE 19
This command creates a 3DES-encrypted 1024-bit key pair stored in the file key.txt. The encryption is done using the pass phrase supplied by the user. Viewing an RSA key pair Following is the syntax to view an RSA key pair: # openssl rsa -in -noout -text For example: # openssl genrsa -des3 -out key.pem 1024. This command displays the modulus, exponent, and prime key values of the key pair stored in the key.pem file. If the key pair stored in key.
PAGE 20
TIP: The most recent version of OpenSSL is available at: http://www.software.hp.com Learning about OpenSSL technology A large volume of information exists on the Internet about OpenSSL technology. HP recommends that you learn more about OpenSSL by reading O'Reilly's book Network Security with OpenSSL: Cryptography for Secure Communications by John Viega, Matt Messier, and Pravir Chandra. You can order this book from http://www.oreilly.
PAGE 21
OpenSSL. The /opt/openssl/switchversion.sh script switches between these two versions. To change the version of OpenSSL, execute the script as follows: # /opt/openssl/switchversion.sh 5 You can also choose to switch the openssl.cnf file based on the version of OpenSSL. However this is not necessary. How does the performance of OpenSSL A.00.09.08o compare to the Open Source version 0.9.7m or 0.9.8g respectively? The two products have the same base source code.
PAGE 22
• OpenSSL A.00.09.07d (based on OpenSSL Open Source version 0.9.7d) • OpenSSL A.00.09.07e (based on OpenSSL Open Source version 0.9.7e) • OpenSSL A.00.09.07i (based on OpenSSL Open Source version 0.9.7i) • OpenSSL A.00.09.07l (based on OpenSSL Open Source version 0.9.7l) A few patch updates are available for these releases of OpenSSL. A patch release typically has the same base version number (for example, A.00.09.07m) with a patch number appended to it (for example, A.00.09.07m.009).
PAGE 23
Example 1 You have the Internet Express version installed on your machine. # swlist | grep -i openssl ixOpenSSL A.02.00-0.9.7c Secure Network Communications Protocol # what openssl OpenSSL A.02.00-0.9.7c Example 2 You have the OpenSSL A.00.09.07i version installed on your machine. # swlist | grep -i openssl OpenSSL A.00.09.07i.005 Secure Network Communications Protocol # what openssl OpenSSL A.00.09.07i.
PAGE 24
Consider a client-server application sending and receiving unencrypted data over the network. You now want to achieve a higher level of security for your application. The following methods describe how to use OpenSSL technology to encrypt client/server communication: • You can modify client and server code using OpenSSL functions. This method gives you the highest degree of flexibility and control regarding the features and how you implement them.
PAGE 25
Table 10 Cryptographic Algorithms that Can be Used in FIPS mode and Standard OpenSSL Mode (continued) Algorithm Type Algorithm Standard OpenSSL FIPS Usage Symmetric keys AES Supported Supported Encryption/ Decryption HMAC Blowfish Not supported CAST Not supported DES Not supported DES3 Supported DESX Not supported RC2 Not supported RC4 Not supported HMAC-MD2 Supported Not supported • Module integrity HMAC-MD4 • Code integrity HMAC-MD5 • Message integrity HMAC-RMD160 HMAC-SHA