OpenSSL A.00.09.08za.001, A.00.09.08za.002, and A.00.09.08za.
© Copyright 2010, 2014 Hewlett-Packard Development Company, L.P. Legal Notices Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle
1 OpenSSL A.00.09.08za.001, A.00.09.08za.002, and A.00.09.08za.003
Announcement
Vulnerabilities fixed in OpenSSL A.00.09.08za version
OpenSSL A.00.09.07m and A.00.09.08za features
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key, so you can verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 OpenSSL A.00.09.08za.001, A.00.09.08za.002, and A.00.09.08za.003 This document contains the most recent product information for OpenSSL A.00.09.08za.001, A.00.09.08za.002, and A.00.09.08za.003 supported on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3, respectively.
./Configure threads zlib shared no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc
FIPS Capable OpenSSL (based on OpenSSL A.00.09.07m and linked against the FIPS 1.1.2 module) is built with the following options:
./Configure threads zlib shared no-rc5 no-idea no-krb5 no-mdc2 --openssldir=/opt/openssl hpux-cc
FIPS Capable OpenSSL (based on OpenSSL A.00.09.08za and linked against the FIPS 1.2 module) is built with the following options:
.
Ciphers
A cipher algorithm is a mechanism used to encrypt or decrypt a message. OpenSSL A.00.09.07m and A.00.09.08za support the following ciphers:
• Blowfish
• Carlisle Adams and Stafford Tavares (CAST)
• Advanced Encryption Standard (AES)
• Data Encryption Standard (DES)
CAUTION: DES has been broken: its 56-bit key is small enough to be recovered by exhaustive search, and data encrypted with DES has been decrypted by third parties. HP recommends that you use DES only when you are required to do so for compatibility reasons or because of legal restrictions.
Certificates
A digital certificate binds a public key to the identity of a user or resource and is signed by a certificate authority, so that the user or resource can be identified over a network. OpenSSL A.00.09.07m and A.00.09.08za support the following digital certificate formats:
• X.509
• X.509 Version 3
• Certificate Revocation List (CRL)
Encoding
Before a message is sent over a network, the message is encoded such that the receiver can understand the message. OpenSSL A.00.09.07m and A.00.09.
• chil
• cswift
• gmp
• nuron
• sureware
• ubsec
OpenSSL components
OpenSSL A.00.09.07m and A.00.09.08za contain the following components:
• OpenSSL libraries
• The openssl command-line tool
• Strong Random Number Generator for HP-UX 11i v1
• Automatically generated self-signed host certificate
The following sections discuss these components in detail.
OpenSSL libraries
OpenSSL A.00.09.07m and A.00.09.08za contain two libraries: libcrypto, which implements the cryptographic algorithms, key handling and certificate processing, and libssl, which implements the SSL/TLS protocols on top of libcrypto.
Table 2 OpenSSL A.00.09.07m PA-RISC libraries
Library: 32-bit static
  Library Name/Location: /opt/openssl/0.9.7/lib/libssl.0.9.7m.a
  Symbolic Links:
    /usr/lib/libssl.a *
    /opt/openssl/lib/libssl.a *
    /opt/openssl/0.9.7/lib/libssl.a
    /opt/openssl/0.9.8/lib/libssl.0.9.7m.a
  Library Name/Location: /opt/openssl/0.9.7/lib/libcrypto.0.9.7m.a
  Symbolic Links:
    /usr/lib/libcrypto.a *
    /opt/openssl/lib/libcrypto.a *
    /opt/openssl/0.9.7/lib/libcrypto.a
    /opt/openssl/0.9.8/lib/libcrypto.0.9.7m.a
Library: 32-bit shared
  Library Name/Location: /opt/openssl/0.9.7/lib/libssl.sl.
Table 2 OpenSSL A.00.09.07m PA-RISC libraries (continued)
  Symbolic Links (continued):
    /opt/openssl/0.9.8/lib/pa20_64/libcrypto.sl.0
NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.07m.
Table 3 OpenSSL A.00.09.07m Intel Itanium® libraries
Library: 32-bit static
  Library Name/Location: /opt/openssl/0.9.7/lib/hpux32/libssl.0.9.7m.a
  Symbolic Links:
    /usr/lib/hpux32/libssl.a *
    /opt/openssl/lib/hpux32/libssl.a *
    /opt/openssl/0.9.7/lib/hpux32/libssl.a
    /opt/openssl/0.9.8/lib/hpux32/libssl.0.9.7m.a
  Library Name/Location: /opt/openssl/0.9.7/lib/hpux32/libcrypto.0.9.7m.a
  Symbolic Links:
    /usr/lib/hpux32/libcrypto.a *
    /opt/openssl/lib/hpux32/libcrypto.a *
    /opt/openssl/0.9.7/lib/hpux32/libcrypto.a
    /opt/openssl/0.9.
Table 3 OpenSSL A.00.09.07m Intel Itanium® libraries (continued)
  Symbolic Links (continued):
    /opt/openssl/lib/hpux64/libcrypto.a *
    /opt/openssl/0.9.7/lib/hpux64/libcrypto.a
    /opt/openssl/0.9.8/lib/hpux64/libcrypto.0.9.7m.a
Library: 64-bit shared
  Library Name/Location: /opt/openssl/0.9.7/lib/hpux64/libssl.so.0
  Symbolic Links:
    /usr/lib/hpux64/libssl.so *
    /usr/lib/hpux64/libssl.so.0
    /opt/openssl/lib/hpux64/libssl.so *
    /opt/openssl/lib/hpux64/libssl.so.0
    /opt/openssl/0.9.7/lib/hpux64/libssl.so
    /opt/openssl/0.9.
Table 4 OpenSSL A.00.09.08za PA-RISC libraries
Library: 32-bit static
  Library Name/Location: /opt/openssl/0.9.8/lib/libssl.0.9.8za.a
  Symbolic Links:
    /usr/lib/libssl.a *
    /opt/openssl/lib/libssl.a *
    /opt/openssl/0.9.8/lib/libssl.a
    /opt/openssl/0.9.7/lib/libssl.0.9.8za.a
  Library Name/Location: /opt/openssl/0.9.8/lib/libcrypto.0.9.8za.a
  Symbolic Links:
    /usr/lib/libcrypto.a *
    /opt/openssl/lib/libcrypto.a *
    /opt/openssl/0.9.8/lib/libcrypto.a
    /opt/openssl/0.9.7/lib/libcrypto.0.9.8za.a
Library: 32-bit shared
  Library Name/Location: /opt/openssl/0.9.8/lib/libssl.
Table 4 OpenSSL A.00.09.08za PA-RISC libraries (continued)
  Symbolic Links (continued):
    /opt/openssl/0.9.7/lib/pa20_64/libcrypto.sl.1
NOTE: Symbolic links marked * are applicable only if the default version is OpenSSL A.00.09.08za.
Table 5 OpenSSL A.00.09.08za Intel Itanium libraries
Library: 32-bit static
  Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libssl.0.9.8za.a
  Symbolic Links:
    /usr/lib/hpux32/libssl.a *
    /opt/openssl/lib/hpux32/libssl.a *
    /opt/openssl/0.9.8/lib/hpux32/libssl.a
    /opt/openssl/0.9.7/lib/hpux32/libssl.0.9.8za.a
  Library Name/Location: /opt/openssl/0.9.8/lib/hpux32/libcrypto.0.9.8za.a
  Symbolic Links:
    /usr/lib/hpux32/libcrypto.a *
    /opt/openssl/lib/hpux32/libcrypto.a *
    /opt/openssl/0.9.8/lib/hpux32/libcrypto.a
    /opt/openssl/0.9.
Table 5 OpenSSL A.00.09.08za Intel Itanium libraries (continued)
  Symbolic Links (continued):
    /opt/openssl/lib/hpux64/libcrypto.a *
    /opt/openssl/0.9.8/lib/hpux64/libcrypto.a
    /opt/openssl/0.9.7/lib/hpux64/libcrypto.0.9.8za.a
Library: 64-bit shared
  Library Name/Location: /opt/openssl/0.9.8/lib/hpux64/libssl.so.1
  Symbolic Links:
    /usr/lib/hpux64/libssl.so *
    /usr/lib/hpux64/libssl.so.1
    /opt/openssl/lib/hpux64/libssl.so *
    /opt/openssl/lib/hpux64/libssl.so.1
    /opt/openssl/0.9.8/lib/hpux64/libssl.so
    /opt/openssl/0.9.
• Creating and viewing RSA, DSA, and DH public keys
• Encrypting or decrypting a file using a public key or private key, respectively
• Creating X.509 certificates, certificate requests, and Certificate Revocation Lists (CRL)
• Managing the Certificate Authority (CA)
Strong random number generator for HP-UX 11i v1
OpenSSL A.00.09.07m requires a strong random number generator to provide secure and non-reproducible keys and certificates. OpenSSL A.00.09.
Defects fixed in OpenSSL version A.00.09.08za
This version includes several changes and fixes. For more information on the fixes, see the OpenSSL Changelog and the OpenSSL 0.9.8 branch release notes at https://www.openssl.org/news/openssl-0.9.8-notes.html.
Known problems
There are no known problems in OpenSSL A.00.09.08za.
In OpenSSL A.00.09.07m, because of the nonperformance of MD5, SHA1 is used as the default message-digest algorithm (md).
Table 8 Recommended libc patch bundles
Operating System    Recommended libc Patch Bundle
HP-UX 11i v1        PHCO_28427
Installing OpenSSL
To install OpenSSL, complete the following steps:
1. Log in as root.
2. Insert the software CD into the appropriate drive if you are installing from the Application Release CD.
3. If you are downloading the software package from the Software Depot, download the depot and follow the instructions provided in the installation page for OpenSSL.
Table 9 The openssl command-line options (continued)
Option Name   Description
enc           Encryption and decryption with symmetric ciphers
gendsa        Generation of a DSA private key from DSA parameters
genrsa        Generation of an RSA private key
req           X.509 Certificate Signing Request (CSR) management
rsa           RSA key management
verify        X.509 certificate verification
x509          X.509 certificate data management
For more information on openssl command-line options, see openssl(1).
Using Openssl
This section explains the use of the openssl command-line tool with examples.
# openssl rsa -in <keyfile> -noout -text
For example, for the key pair generated with:
# openssl genrsa -des3 -out key.pem 1024
run:
# openssl rsa -in key.pem -noout -text
This command displays the modulus, the public and private exponents, and the prime values of the key pair stored in the key.pem file. If the key pair stored in key.pem is encrypted, as it is when the key was generated with -des3, the command prompts the user for the pass phrase. Note that 1024-bit RSA keys are below the minimum size current guidance accepts; generate new keys with 2048 bits or more.
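The key-inspection step above, carried through to a self-signed X.509 certificate and a verification check, as an added shell example that is not part of the HP release notes. It assumes openssl is on the PATH, supplies the pass phrase with -passin/-passout instead of the interactive prompt, uses a 2048-bit key, and makes up the file names and the certificate subject; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not HP code): generate an RSA key pair, inspect the encrypted
# private key, issue a self-signed X.509 certificate from it, and verify it.
# Assumptions: openssl is on the PATH; the pass phrase is passed with
# -passin/-passout rather than typed at the prompt; file names and the
# certificate subject are invented for the demonstration.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
PASS=${PASS:-example-pass-phrase}

# Generate a 2048-bit RSA key pair (the page's example used 1024 bits, which is
# below current minimums) and store the private key encrypted with Triple-DES.
gen_key() {                          # $1 = key file
    openssl genrsa -des3 -passout "pass:$PASS" -out "$1" 2048 2>/dev/null
}

# Display modulus, exponents and primes; the pass phrase is required because
# the file is encrypted. A wrong pass phrase gives a non-zero exit and no text.
show_key() {                         # $1 = key file
    openssl rsa -in "$1" -passin "pass:$PASS" -noout -text
}

# Return 0 when $2 decrypts the key in $1, non-zero otherwise.
check_passphrase() {                 # $1 = key file, $2 = candidate pass phrase
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Issue a self-signed certificate directly from the key. "req -x509" skips the
# separate CSR; without -x509 the same command produces a CSR for a CA to sign.
make_selfsigned() {                  # $1 = key file, $2 = cert file, $3 = CN
    openssl req -new -x509 -key "$1" -passin "pass:$PASS" -days 30 \
        -subj "/C=US/O=Example/CN=$3" -out "$2" 2>/dev/null
}

# Return 0 when the certificate carries the public key of the private key:
# the RSA modulus printed for both must be identical.
cert_matches_key() {                 # $1 = key file, $2 = cert file
    k=$(openssl rsa -in "$1" -passin "pass:$PASS" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate chains to the trusted CA file. A self-signed
# certificate verifies only against itself (or a CA file that contains it).
verify_cert() {                      # $1 = trusted CA file, $2 = cert file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration in a scratch directory.
gen_key "$WORKDIR/key.pem"
show_key "$WORKDIR/key.pem" | head -n 2          # "Private-Key: (2048 bit ...)" and "modulus:"
make_selfsigned "$WORKDIR/key.pem" "$WORKDIR/cert.pem" host.example
cert_matches_key "$WORKDIR/key.pem" "$WORKDIR/cert.pem" && echo "certificate matches private key"
verify_cert "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" && echo "self-signed certificate verifies against itself"
```

The modulus comparison is the quick way to confirm that a certificate really belongs to the private key you are about to deploy with it; the verify step shows that a self-signed certificate is trusted only where it has been explicitly installed as a CA file, which is the case for the automatically generated host certificate described earlier.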
You can also learn about the OpenSSL technology at the following links:
• OpenSSL Website at: http://www.openssl.org/
• OpenSSL FAQ at: http://www.openssl.org/support/faq.html
• OpenSSL mailing list at: http://marc.theaimsgroup.com/?l=openssl-users
• The Transport Layer Security (TLS) Internet Engineering Task Force (IETF) Working Groups at: http://www.ietf.org/html.charters/wg-dir.html#Security%20Area
• OpenSSL APIs at: http://www.opensslbook.com/api/index.html
2 Frequently asked questions (FAQs)
Following are questions frequently asked about OpenSSL.
2.1 What does OpenSSL do? Why do I need it?
OpenSSL provides the SSL/TLS protocols and the cryptography they rely on. Client-server applications that send and receive data over a network are exposed to eavesdropping, tampering and impersonation. They can use SSL/TLS to implement privacy (through encryption), tamper detection (through message digests and message authentication codes), and authentication and non-repudiation (through certificates and digital signatures).
2.
I already have the supported version A.00.09.07l on my HP-UX system, and I am quite happy with it. Why do I need to move to OpenSSL A.00.09.08za?
This new version of OpenSSL contains several bug fixes, but most importantly, it has a few critical fixes that have been well publicized at the OpenSSL site. HP recommends that you upgrade to OpenSSL A.00.09.08za even if you are not affected by these defects.
A.00.09.08za. What must I do? Do I have to remove the preexisting OpenSSL product from my system?
You may have a conflict depending on the location of OpenSSL 0.9.7m and 0.9.8j on your system. HP recommends that you uninstall the previous OpenSSL version before installing OpenSSL A.00.09.08za.
Will HP support recompiled versions of OpenSSL A.00.09.08za?
HP does not support recompiled versions of OpenSSL A.00.09.08za. The source code is provided only for reference.
Example 4 When an old version of OpenSSL from Internet Express is installed on the system
# what /usr/bin/openssl
OpenSSL A.02.00-0.9.7c
Example 5 If you are running OpenSSL A.00.09.08za.003 on HP-UX 11i v3
# what /usr/bin/openssl
/usr/bin/openssl:
$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $
$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $
Example 6 When OpenSSL A.00.09.07m.
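A portable stand-in for the what(1) check in the examples above, added here as an example and not part of the HP release notes: it scans a file for identification strings (the text after the @(#) marker that what(1) prints), extracts the HP OpenSSL product version, and reports whether it is the A.00.09.08za stream these notes cover. The two "binaries" it scans are constructed with printf to carry the strings shown in Examples 4 and 5, not real HP-UX files, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not HP code): a portable stand-in for "what /usr/bin/openssl".
# The sample files are constructed with printf; function names are assumptions.
set -eu

# Print the identification strings in a file. what(1) prints the text that
# follows each "@(#)" marker; here every non-printable byte becomes a line
# break so the strings can be picked out of a binary with sed.
what_strings() {                     # $1 = file
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | sed -n 's/.*@(#)//p' | sort -u
}

# Extract the HP product version from the OpenSSL identification string, e.g.
# "$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $" -> A.00.09.08za.003 and
# "OpenSSL A.02.00-0.9.7c" -> A.02.00-0.9.7c. Prints nothing if none is found.
openssl_version() {                  # $1 = file
    what_strings "$1" \
        | sed -n 's/^\$*OpenSSL \([A-Z]\.[0-9.]*[-a-z0-9.]*\).*/\1/p' \
        | head -n 1
}

# Return 0 when the version belongs to the A.00.09.08za stream documented in
# these release notes (A.00.09.08za.001/.002/.003), 1 for any other version.
is_08za() {                          # $1 = version string
    case "$1" in
        A.00.09.08za|A.00.09.08za.*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Demonstration on two constructed files: a current binary carrying the
# identification string three times (as in Example 5) and an old Internet
# Express binary (as in Example 4). NUL bytes stand in for binary content.
D=$(mktemp -d)
printf 'hdr\000code\000@(#)$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $\000x\000@(#)$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $\000@(#)$OpenSSL A.00.09.08za.003, Zlib: v1.2.3 $\000' > "$D/openssl.new"
printf 'hdr\000@(#)OpenSSL A.02.00-0.9.7c\000' > "$D/openssl.old"
for f in "$D/openssl.new" "$D/openssl.old"; do
    v=$(openssl_version "$f")
    if is_08za "$v"; then
        echo "$f: $v (A.00.09.08za stream)"
    else
        echo "$f: ${v:-no OpenSSL identification string} (not A.00.09.08za, upgrade)"
    fi
done
```

Run the same check against the libssl and libcrypto files an application actually loads (the paths in Tables 2 to 5), not only against /usr/bin/openssl: the tables show that 0.9.7m and 0.9.8za libraries can be installed side by side, and the symbolic links marked * point at the 0.9.8za copies only when that is the default version, so the command-line tool and a long-running server can report different versions on the same system.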
The FIPS object module is the special monolithic object module built from the special source distribution identified in the Security Policy. It is not the same as the OpenSSL product or any specific official OpenSSL distribution release, and its validated status applies only to the module as built by the procedure in the Security Policy. A version of the OpenSSL product that is suitable for reference by an application along with the FIPS object module is a FIPS compatible OpenSSL; it links against FIPS Object Module 1.1.2 or FIPS Object Module 1.2 and derives its FIPS status from that module, not from the OpenSSL library itself.
3 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.