OpenSSL A.00.09.08y.001, A.00.09.08y.002, and A.00.09.08y.
© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

HP secure development lifecycle
1 OpenSSL A.00.09.08y.001, A.00.09.08y.002, and A.00.09.08y.003
Announcement
Vulnerabilities fixed in OpenSSL A.00.09.08y version
OpenSSL A.00.09.07m and A.00.09.08y features
HP secure development lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software delivered through this release before installing the products. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 OpenSSL A.00.09.08y.001, A.00.09.08y.002, and A.00.09.08y.003

This document contains the most recent product information for OpenSSL A.00.09.08y.001, A.00.09.08y.002, and A.00.09.08y.003 supported on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3, respectively. This document contains the following information:
• OpenSSL Features
• Installing OpenSSL
• Using the OpenSSL command-line Tool
• Frequently Asked Questions (FAQs)

Announcement

This version of OpenSSL is based on the open source OpenSSL 0.9.
./Configure threads zlib shared no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc

FIPS Capable OpenSSL (based on OpenSSL A.00.09.07m and linked against FIPS-1.1.2 module) is built with the following options:

./Configure threads zlib shared no-rc5 no-idea no-krb5 no-mdc2 --openssldir=/opt/openssl hpux-cc

FIPS Capable OpenSSL (based on OpenSSL A.00.09.08y and linked against FIPS-1.2 module) is built with the following options:

.
Ciphers

A cipher algorithm is a mechanism used to encrypt or decrypt a message. OpenSSL A.00.09.07m and A.00.09.08y support the following ciphers:
• Blowfish
• Carlisle Adams and Stafford Tavares (CAST)
• Advanced Encryption Standard (AES)
• Data Encryption Standard (DES)

CAUTION: DES has been cracked (data encoded by DES has been decoded by a third party). HP recommends that you use DES only when you are required to do so for compatibility reasons or because of legal restrictions.
Certificates

A digital certificate is a file that uniquely identifies users and resources over a network. OpenSSL A.00.09.07m and A.00.09.08y support the following digital certificates:
• X.509
• X.509 Version 3
• Certificate Revocation List (CRL)

Encoding

Before a message is sent over a network, the message is encoded such that the receiver can understand the message. OpenSSL A.00.09.07m and A.00.09.
• chil
• cswift
• gmp
• nuron
• sureware
• ubsec

OpenSSL components

OpenSSL A.00.09.07m and A.00.09.08y contain the following components:
• OpenSSL libraries
• The openssl command-line tool
• Strong Random Number Generator for HP-UX 11i v1
• Automatically generated self-signed host certificate

The following sections discuss these components in detail.

OpenSSL libraries

OpenSSL A.00.09.07m and A.00.09.08y contain two libraries: libcrypto and libssl.
Table 2 OpenSSL A.00.09.07m PA-RISC libraries

Library: 32-bit static
Library Name/Location: /opt/openssl/0.9.7/lib/libssl.0.9.7m.a
Symbolic Link:
• /usr/lib/libssl.a *
• /opt/openssl/lib/libssl.a *
• /opt/openssl/0.9.7/lib/libssl.a
• /opt/openssl/0.9.8/lib/libssl.0.9.7m.a

Library Name/Location: /opt/openssl/0.9.7/lib/libcrypto.0.9.7m.a
Symbolic Link:
• /usr/lib/libcrypto.a *
• /opt/openssl/lib/libcrypto.a *
• /opt/openssl/0.9.7/lib/libcrypto.a
• /opt/openssl/0.9.8/lib/libcrypto.0.9.7m.a

Library: 32-bit shared
Library Name/Location: /opt/openssl/0.9.7/lib/libssl.sl.
Table 2 OpenSSL A.00.09.07m PA-RISC libraries (continued)

Symbolic Link:
• /opt/openssl/0.9.8/lib/pa20_64/libcrypto.sl.0

NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.07m.
Table 3 OpenSSL A.00.09.07m Intel Itanium® libraries

Library: 32-bit static
Library Name/Location: /opt/openssl/0.9.7/lib/hpux32/libssl.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux32/libssl.a *
• /opt/openssl/lib/hpux32/libssl.a *
• /opt/openssl/0.9.7/lib/hpux32/libssl.a
• /opt/openssl/0.9.8/lib/hpux32/libssl.0.9.7m.a

Library Name/Location: /opt/openssl/0.9.7/lib/hpux32/libcrypto.0.9.7m.a
Symbolic Link:
• /usr/lib/hpux32/libcrypto.a *
• /opt/openssl/lib/hpux32/libcrypto.a *
• /opt/openssl/0.9.7/lib/hpux32/libcrypto.a
• /opt/openssl/0.9.
Table 3 OpenSSL A.00.09.07m Intel Itanium® libraries (continued)

Symbolic Link:
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.7/lib/hpux64/libcrypto.a
• /opt/openssl/0.9.8/lib/hpux64/libcrypto.0.9.7m.a

Library: 64-bit shared
Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libssl.so.0
Symbolic Link:
• /usr/lib/hpux64/libssl.so *
• /usr/lib/hpux64/libssl.so.0
• /opt/openssl/lib/hpux64/libssl.so *
• /opt/openssl/lib/hpux64/libssl.so.0
• /opt/openssl/0.9.7/lib/hpux64/libssl.so
• /opt/openssl/0.9.
Table 4 OpenSSL A.00.09.08y PA-RISC libraries

Library: 32-bit static
Library Name/Location: /opt/openssl/0.9.8/lib/libssl.0.9.8y.a
Symbolic Link:
• /usr/lib/libssl.a *
• /opt/openssl/lib/libssl.a *
• /opt/openssl/0.9.8/lib/libssl.a
• /opt/openssl/0.9.7/lib/libssl.0.9.8y.a

Library Name/Location: /opt/openssl/0.9.8/lib/libcrypto.0.9.8y.a
Symbolic Link:
• /usr/lib/libcrypto.a *
• /opt/openssl/lib/libcrypto.a *
• /opt/openssl/0.9.8/lib/libcrypto.a
• /opt/openssl/0.9.7/lib/libcrypto.0.9.8y.a

Library: 32-bit shared
Library Name/Location: /opt/openssl/0.9.8/lib/libssl.sl.
Table 4 OpenSSL A.00.09.08y PA-RISC libraries (continued)

Symbolic Link:
• /opt/openssl/0.9.7/lib/pa20_64/libcrypto.sl.1

NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.08y.
Table 5 OpenSSL A.00.09.08y Intel Itanium libraries

Library: 32-bit static
Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libssl.0.9.8y.a
Symbolic Link:
• /usr/lib/hpux32/libssl.a *
• /opt/openssl/lib/hpux32/libssl.a *
• /opt/openssl/0.9.8/lib/hpux32/libssl.a
• /opt/openssl/0.9.7/lib/hpux32/libssl.0.9.8y.a

Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libcrypto.0.9.8y.a
Symbolic Link:
• /usr/lib/hpux32/libcrypto.a *
• /opt/openssl/lib/hpux32/libcrypto.a *
• /opt/openssl/0.9.8/lib/hpux32/libcrypto.a
• /opt/openssl/0.9.
Table 5 OpenSSL A.00.09.08y Intel Itanium libraries (continued)

Symbolic Link:
• /opt/openssl/lib/hpux64/libcrypto.a *
• /opt/openssl/0.9.8/lib/hpux64/libcrypto.a
• /opt/openssl/0.9.7/lib/hpux64/libcrypto.0.9.8y.a

Library: 64-bit shared
Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libssl.so.1
Symbolic Link:
• /usr/lib/hpux64/libssl.so *
• /usr/lib/hpux64/libssl.so.1
• /opt/openssl/lib/hpux64/libssl.so *
• /opt/openssl/lib/hpux64/libssl.so.1
• /opt/openssl/0.9.8/lib/hpux64/libssl.so
• /opt/openssl/0.9.
• Creating and viewing RSA, DSA, and DH public keys
• Encrypting or decrypting a file using a public key or private key, respectively
• Creating X.509 certificates, certificate requests, and Certificate Revocation Lists (CRL)
• Managing the Certificate Authority (CA)

Strong random number generator for HP-UX 11i v1

OpenSSL A.00.09.07m requires a strong random number generator to provide secure and non-reproducible keys and certificates. OpenSSL A.00.09.
Known problems

There are no known problems in OpenSSL A.00.09.08y. In OpenSSL A.00.09.07m, due to the nonperformance of MD5, SHA1 is used as the default Message-Digest Algorithm (md).

Compatibility information and installation requirements

This section lists the system and patch requirements for OpenSSL A.00.09.07m and A.00.09.08y.

System requirements

Table 6 specifies the minimum system requirements for installing OpenSSL A.00.09.07m and A.00.09.08y.

Table 6 System requirements for installing OpenSSL A.
1. Log in as root.
2. Insert the software CD into the appropriate drive if you are installing from the Application Release CD. If you are downloading the software package from the Software Depot, download the depot and follow the instructions provided in the installation page for OpenSSL.
3. Run the following command:
   $swinstall -s
4. Enter the drive mount point in the Source Depot Path box and click OK.
5. Change the Source Host Name if needed.
Table 9 The Openssl command-line options (continued)

Option Name    Description
verify         X.509 certificate verification
x509           X.509 certificate data management

For more information on openssl command-line options, see openssl(1).

Using Openssl

This section explains the use of the openssl command-line tool with examples. For more information, see the openssl(1) manpage.
Creating an RSA certificate request

Following is the syntax to create a new certificate request:

# openssl req -new -nodes -out -keyout -subj

Where:
specifies the file to which the certificate request is written.
specifies the file to which the RSA public and private key pair for the certificate is written.
specifies the subject name of the certificate.

For example:

# openssl req -new -nodes -out cert.txt -keyout key.
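The certificate-request syntax above, run end to end and then checked, as an added example that is not part of HP's release notes: it creates the request and key, confirms the request's self-signature, and confirms that the public key in the request belongs to the key file. The scratch directory, file names, subject, minimal config file and the explicit -newkey rsa:2048 option are assumptions of this example.

```sh
# Added example, not HP's code. File names, subject and config are constructed.

# make_csr DIR SUBJECT
# Writes DIR/req.pem (the request) and DIR/key.pem (the RSA key pair).
make_csr() {
    dir=$1; subj=$2
    # Minimal config so the run does not depend on the system openssl.cnf;
    # -subj supplies the real subject, so the [dn] entry is never prompted.
    printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' \
        > "$dir/req.cnf"
    (
        # -nodes writes the private key unencrypted, so restrict it to the owner.
        umask 077
        # -newkey rsa:2048 (an addition to the syntax above) pins the key size
        # instead of relying on the configured default.
        openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" \
            -out "$dir/req.pem" -keyout "$dir/key.pem" -subj "$subj" 2>/dev/null
    )
}

# csr_is_valid DIR
# Succeeds only if the request's self-signature verifies and the public key in
# the request is the one derived from key.pem.
csr_is_valid() {
    dir=$1
    openssl req -config "$dir/req.cnf" -in "$dir/req.pem" -noout -verify 2>&1 |
        grep -q 'verify OK' || return 1
    req_pub=$(openssl req -config "$dir/req.cnf" -in "$dir/req.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$dir/key.pem" -pubout 2>/dev/null)
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ]
}

# csr_subject DIR: print the subject name carried in the request.
csr_subject() {
    openssl req -config "$1/req.cnf" -in "$1/req.pem" -noout -subject 2>/dev/null
}

# Constructed sample run in a scratch directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" "/C=US/O=Example Org/CN=host.example.test" &&
    csr_is_valid "$demo_dir" && csr_subject "$demo_dir"
rm -rf "$demo_dir"
```

Because -nodes leaves key.pem readable by anyone with file access, the umask in make_csr is the only protection the key has on disk.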
• The Transport Layer Security (TLS) Internet Engineering Task Force (IETF) Working Groups at: http://www.ietf.org/html.charters/wg-dir.html#Security%20Area
• OpenSSL APIs at: http://www.opensslbook.com/api/index.html

OpenSSL A.00.09.08y.001, A.00.09.08y.002, and A.00.09.08y.003 Release Notes is available at the following locations:
• The HTML and PDF versions are available at: The Business Support Center
• A text version of the README.hp readme file in the /opt/openssl directory.
2 Frequently asked questions (FAQs)

Following are questions frequently asked about OpenSSL.

2.1 What does OpenSSL do? Why do I need it?

OpenSSL offers an advanced level of security using the SSL/TLS protocols. Client-server applications that send and receive data over a network are open to a range of vulnerabilities. They can use SSL/TLS to implement privacy (through encryption), tamper-proofing (through message digests) and non-repudiation (through certificates and digital signatures).

2.
2.9 I have already got the supported version A.00.09.07l on my HP-UX system, and I am quite happy with it. Why do I need to move to OpenSSL A.00.09.08y?

This new version of OpenSSL contains several bug fixes, but most importantly, it has a few critical fixes that have been well publicized at the OpenSSL site. HP recommends that you upgrade to OpenSSL A.00.09.08y even if you are not affected by these defects.
You may have a conflict depending on the location of OpenSSL 0.9.7m and 0.9.8j on your system. HP recommends that you uninstall the previous OpenSSL version before installing OpenSSL A.00.09.08y.

2.15 Will HP support recompiled versions of OpenSSL A.00.09.08y?

HP does not support recompiled versions of OpenSSL A.00.09.08y. The source code is provided only for reference.

2.16 Why are idea, rc5, and mdc2 algorithms not configured in OpenSSL A.00.09.
Example 4 When an old version of OpenSSL from Internet Express is installed on the system

# what /usr/bin/openssl
OpenSSL A.02.00-0.9.7c

Example 5 If you are running OpenSSL A.00.09.08y.003 on HP-UX 11i v3

# what /usr/bin/openssl
/usr/bin/openssl:
$OpenSSL A.00.09.08y.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08y.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08y.003, Zlib: v1.2.3 $

Example 6 When OpenSSL A.00.09.07m.
The FIPS object module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release. A version of the OpenSSL product that is suitable for reference by an application along with the FIPS object module is a FIPS compatible OpenSSL which links against FIPS Object Module 1.1.2 or FIPS Object Module 1.2.
3 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.