As HAL-9000 once said: "This sort of thing has cropped up before, and it has always been due to human error". I am not sure if the programmer "thought long meant 64-bit because he was on a native 64-bit architecture" or "was unaware of the fact that long long is required to declare a 64-bit variable". This is why the IETF changed the type of that variable to uint64_t (unsigned integer 64-bit), which is now the source of much frustration as new programmers learn the C language.
Trusted Third Parties
On an OpenVMS system you could find SSL in one, or more, locations depending upon your setup:
Legend:
  <sr>     = system response
  <ur>     = user response
  <enter>  = hit the enter key
  <ctrl-c> = hit "control c"
  <space>  = hit the space bar
  <tab>    = hit the tab key
-------------------------------------------------------------------------
Procedure for TCPware:
<sr> $                                          ! my prompt
<ur> telnet www.bellics.net 80<enter>           ! telnet to server on port 80
<sr> %TCPWARE_TELNET-I-TRYING, trying bellics.com,http (207.35.137.66,80) ...
     %TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^\"
<ur> HEAD / HTTP/1.0<enter>                     ! request HEAD of default document using HTTP/1.0
     <enter>                                    ! blank line ends the HTTP header (signals server: start)
<sr> HTTP/1.1 200 OK                            ! server answers with "I can do HTTP/1.1" and "success"
     Date: Fri, 22 Jun 2012 23:02:15 GMT        ! server current date + time
     Server: Apache/2.0.63 (OpenVMS) mod_ssl/2.0.63 OpenSSL/0.9.8h ! "server type" and "feature list"
     Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT ! requested page was modified at this date/time
     ETag: "c357e-3dc-dd296fc0"                 ! optional line to support caching
     Accept-Ranges: bytes                       ! server can accept bytes
     Connection: close                          ! connection will close because we requested HTTP/1.0
     Content-Type: text/html                    ! requested page is in HTML format
-------------------------------------------------------------------------
Procedure for MultiNet:
<sr> $                                          !
<ur> telnet www.bellics.net /port=80<enter>     !
<sr> bla...
<sr> $
<ur> product show product ssl
<sr>
------------------------------------ ----------- ---------
PRODUCT KIT TYPE STATE
------------------------------------ ----------- ---------
HP AXPVMS SSL V1.4-471 Full LP Installed
------------------------------------ ----------- ---------
$
sys$sysdevice:[certificates]
$ define/system vms_cert_dir sys$sysdevice:[certificates]
"Because this program has a lot of options and also because some of the techniques used are rather old,
the C source of s_client is rather hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler"
hold down the Windows-key while you hit "R" | (the RUN dialog will appear)
type: cmd                                   | (cmd32.exe will appear)
type: c:                                    | move to c drive
type: cd /                                  | move to root
type: cd openss*                            |
type: cd bin                                | openssl.exe lives here
type: openssl                               |
The OpenSSL CLI (command line interpreter) exists for the following reasons:
Apps and Tools
Like most security software, OpenSSL seems deliberately unfriendly and does not include verbose help. You must read the official CLI docs or type something illegal.
OpenVMS caveats:
1) DCL (Digital Command Language) is the default CLI (Command Line Interpreter) for OpenVMS
2) in DCL, you must quote upper-case or mixed-case parameters like -CApath , -CAfile , -WWW
3) in DCL, comments begin with an exclamation (!)
4) in DCL, you continue a command line by ending it with a dash (-)
--------------------------------------------------------
<sr> $                                               ! my DCL prompt
<ur> openssl                                         ! start the openssl CLI application
<sr> OpenSSL>                                        ! application prompt
<ur> version                                         ! display version (add -a for all)
<sr> OpenSSL 0.9.8y 5 Feb 2013                       !
     SSL for OpenVMS V1.4 Mar 7 2013.                !
     OpenSSL>                                        !
<ur> help                                            ! request help (an illegal command)
<sr> openssl:Error: 'help' is an invalid command.    !
     ...major topics and sub-topics are displayed... ! read this stuff
     OpenSSL>                                        ! application prompt
<ur> s_client -help                                  ! request s_client specific help
<sr> unknown option -help                            !
     usage: s_client args                            !
     ...s_client arguments are displayed...          !
     OpenSSL>                                        !
<ur> exit                                            ! exit to DCL
<sr> $                                               ! my DCL prompt
<ur> openssl list-standard-commands                  !
<sr> { displays available commands (like s_client) } ! read this
     $                                               !
<ur> openssl list-message-digest-commands            !
<sr> { displays available digests }                  ! read this
     $                                               !
<ur> openssl list-cipher-commands                    !
<sr> { display available ciphers }                   ! read this
     $                                               !
<ur> openssl no-rsa                                  ! is 'rsa' available?
<sr> rsa                                             ! 'rsa' is available
     $                                               !
<ur> openssl no-yada                                 ! is 'yada' available?
<sr> no-yada                                         ! 'yada' is not available
1) The content of this section is more of an academic nature
2) Skip this section if you are in a hurry to solve a connectivity problem
3) The following examples manipulate files rather than data streams but you will get the general idea
4) Anything typed into the OpenSSL CLI can also be done from the OpenSSL C-API
exercise-01 (encrypt with base64)
===========
<sr> $ ! my DCL prompt
<ur> create hack1a.txt<enter> ! use DCL to create a new message file
These are the voyages of the starship Enterprise<ctrl-z> ! type this phrase; ctrl-z to exit
<sr> exit
$
<ur> openssl enc -base64 -in hack1a.txt ! encrypt using base64 (out to screen)
<sr> VGhlc2UgYXJlIHRoZSB2b3lhZ2VzIG9mIHRoZSBzdGFyc2hpcCBFbnRlcnByaXNl
Cg==
$
<ur> openssl enc -base64 -in hack1a.txt -out hack1b.txt ! repeat command but output to a file
<sr> $ ! no news is good news :-)
<ur> openssl enc -base64 -d -in hack1b.txt ! now decrypt the file
<sr> These are the voyages of the starship Enterprise ! success...
$
Notes:
1) As Philippe Camacho has pointed out, while "base64" is listed as a cipher, it is not a form of
secret encryption since it does not support the use of a secret key. But he should have mentioned
that it proves this part of the CLI is working properly.
2) type "openssl list-cipher-commands" to see a list of ciphers offered by your installed product.
The list does include "base64"
3) One of the ciphers is "des3" which we will use in the next exercise
4) Newer versions of OpenSSL also include "base64" as a command to use in place of "enc"
exercise-02 (encrypt with des3)
===========
<sr> $                                                         ! my DCL prompt
<ur> create hack2a.txt<enter>                                  ! create a new file
     To boldly go where no man has gone before<ctrl-z>         ! type this phrase; ctrl-z to exit
<sr> exit
     $
<ur> openssl enc -des3 -in hack2a.txt -out hack2b.bin          ! encrypt file using des3 (output to file)
<sr> enter des-ede3-cbc encryption password:                   ! system is asking for a pass phrase
<ur> passwd123<enter>                                          ! you will be typing this blind (no echo)
<sr> Verifying - enter des-ede3-cbc encryption password:       !
<ur> passwd123<enter>                                          ! you will be typing this blind (no echo)
<sr> $                                                         ! no news is good news :-)
<ur> dump hack2b.bin                                           ! more hacking
<sr> ...a binary data dump is displayed in ASCII...
     $
<ur> openssl enc -des3 -d -in hack2b.bin                       ! decrypt the message file (out to screen)
<sr> enter des-ede3-cbc decryption password:                   !
<ur> passwd123<enter>                                          ! you will be typing this blind (no echo)
<sr> To boldly go where no man has gone before                 ! yay!
     $
<ur> openssl enc -des3 -d -in hack2b.bin -k passwd123          ! decrypt without prompting
<sr> To boldly go where no man has gone before                 !
     $
<ur> openssl enc -des3 -d -in hack2b.bin -k "passwd123"        ! double quotes work as well
<sr> To boldly go where no man has gone before
     $
<ur> create hack2c.txt<enter>                                  ! create a third file
     passwd123<ctrl-z>                                         ! enter the pass phrase into the file
<sr> exit
     $
<ur> openssl enc -des3 -d -in hack2b.bin -pass file:hack2c.txt ! decrypt without prompting
<sr> To boldly go where no man has gone before
     $
<ur> openssl enc -des3 -d -in hack2b.bin -pass pass:passwd123  ! decrypt without prompting
<sr> To boldly go where no man has gone before
     $
Notes:
1) the "encryption password" is really a "pass phrase" used to both encrypt and decrypt
2) while only hitting the <enter> key during encrypt appears to work (something is written to the
   out file), typing the same thing during decrypt fails to produce any action whatsoever
3) be very careful when you enter the pass phrase because some hidden characters (like <tab> and
   <space>) are processed as-is; for example, these are all legal but different inputs
   1: passwd123<space>
   2: passwd123<space><space>
   3: <space>passwd123<space>
   4: <tab>passwd123<space>
4) if you enter any double-quote characters at the interactive passphrase prompt they will be used
   to encrypt! But it will be impossible to decrypt using the -k option which first strips quotes
   before processing (yikes)
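Why notes 3 and 4 of exercise-02 matter, as an added example (not code from the original page or from OpenSSL): the pass phrase bytes are hashed together with a random salt to produce the des3 key, so one extra space, tab or quote character yields an unrelated key. It assumes the key derivation used by `openssl enc` in the OpenSSL 0.9.8 era shown on this page (EVP_BytesToKey with MD5, one iteration, 8-byte salt after a `Salted__` header); the salt and file bytes below are constructed.

```python
import hashlib

MAGIC = b"Salted__"          # header written by a salted "openssl enc" run
KEY_LEN, IV_LEN = 24, 8      # des-ede3-cbc: 24-byte key, 8-byte IV

# Constructed sample: header + salt + 16 placeholder ciphertext bytes.
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_FILE = MAGIC + SAMPLE_SALT + b"\x00" * 16

# The inputs listed in notes 3 and 4, as the bytes the prompt would receive.
VARIANTS = [
    b"passwd123",
    b"passwd123 ",
    b"passwd123  ",
    b" passwd123 ",
    b"\tpasswd123 ",
    b'"passwd123"',
]


def split_enc_header(blob):
    """Return (salt, ciphertext) from a salted 'openssl enc' output file."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted 'openssl enc' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(passphrase, salt, key_len=KEY_LEN, iv_len=IV_LEN):
    """MD5-based EVP_BytesToKey with one iteration (assumed 0.9.8 default).

    D_1 = MD5(pass || salt), D_i = MD5(D_(i-1) || pass || salt);
    the concatenation is cut into key followed by IV.
    """
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def keys_for_variants(variants, salt):
    """Map each pass phrase variant to the hex of the key it derives."""
    return {v: evp_bytes_to_key(v, salt)[0].hex() for v in variants}


if __name__ == "__main__":
    salt, _ciphertext = split_enc_header(SAMPLE_FILE)
    for phrase, key_hex in keys_for_variants(VARIANTS, salt).items():
        print(f"{phrase!r:18} -> {key_hex}")
```
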
*** And Now For a Little Theory ***
RSA Notes:
1) RSA encryption/decryption is asymmetric and so requires two keys (one public, one private)
2) RSA keys are based upon the product of two carefully chosen prime numbers
3) https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA Data:
d = private key
n = public key
e = 65537 (constant with RSA)
c = m^e mod n (formula for cipher text)
m = c^d mod n (formula for message text)
exercise-03 (create a new 32-bit key; too small for a certificate but okay for this demo)
===========
<sr> $
<ur> openssl genrsa -out hack3a.key 32                         ! create a small 32-bit key
<sr> Generating RSA private key, 32 bit long modulus
     .+++++++++++++++++++++++++++
     .+++++++++++++++++++++++++++
     e is 65537 (0x10001)
     $
<ur> openssl rsa -in hack3a.key -text -noout                   ! take a peek
     Private-Key: (32 bit)
     modulus: 4057358269 (0xf1d65fbd)
     publicExponent: 65537 (0x10001)
     privateExponent: 1322158157 (0x4ece884d)
     prime1: 65123 (0xfe63)
     prime2: 62303 (0xf35f)
     exponent1: 51313 (0xc871)
     exponent2: 47415 (0xb937)
     coefficient: 60666 (0xecfa)
     $
Notes:
65123 x 62303 = 4057358269                                     ! the product of two primes
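The theory formulas and the exercise-03 key dump tied together, as an added example (not from the original page): every field that `openssl rsa -text` printed is recomputed from the two primes, a message is encrypted with c = m^e mod n and decrypted both directly and through the CRT fields, and a trial division shows why a 32-bit modulus is demo-only. The function names and the sample message are assumptions made for this illustration.

```python
from math import isqrt

# Values printed by "openssl rsa -in hack3a.key -text -noout" in exercise-03.
N = 4057358269                         # modulus
E = 65537                              # publicExponent
D = 1322158157                         # privateExponent
P, Q = 65123, 62303                    # prime1, prime2
DP, DQ, QINV = 51313, 47415, 60666     # exponent1, exponent2, coefficient


def derive_private_fields(p, q, e):
    """Recompute (n, d, exponent1, exponent2, coefficient) from the primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse, Python 3.8+
    return n, d, d % (p - 1), d % (q - 1), pow(q, -1, p)


def encrypt(m, e, n):
    """c = m^e mod n; the message must be an integer below the modulus."""
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c, d, n):
    """m = c^d mod n"""
    return pow(c, d, n)


def decrypt_crt(c, p, q, dp, dq, qinv):
    """Same result as decrypt(), using exponent1/exponent2/coefficient."""
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q


def factor_small_modulus(n):
    """Trial division; instant at 32 bits, which is why such a key is a toy."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


if __name__ == "__main__":
    print("fields match key dump:",
          derive_private_fields(P, Q, E) == (N, D, DP, DQ, QINV))
    message = int.from_bytes(b"Kirk", "big")   # constructed 4-byte message
    cipher = encrypt(message, E, N)
    print("round trip ok:", decrypt(cipher, D, N) == message)
    print("CRT agrees:", decrypt_crt(cipher, P, Q, DP, DQ, QINV) == message)
    print("factors of n:", factor_small_modulus(N))
```
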
exercise-04 (create a new key placing it in a file) =========== <sr> $ ! my DCL prompt <ur> openssl genrsa -out hack4a.key 512 ! 512 bits just for this demo <sr> Generating RSA private key, 512 bit long modulus ......++++++++++++ .....++++++++++++ e is 65537 (0x10001) $ <ur> type hack4a.key ! view the file <sr> -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAKIwjuJiJJalNN6uQYW+JAn26uipqT8/VvDNIGhqJDxrI2wMj5sN cWn5MmQsZFdl/pxioQvlsdFb8Idk1ZsLc9kCAwEAAQJAVVzTRyk6cqM/AVibmcWq eCgiGRR6xJQUsSZ1QR9kNPukKeW7wOw/rhJgbO+xZXgzJ6zg06+nNg4UOCsUOUyg kQIhAMv1pMCsvNHGjm/IfI/8Z+6FP5kFJVrEWrGApYEgfjw9AiEAy5KQhuH3DYm1 H3W9AhZb0VjyFpsjn0ZDCdM5GpnKg80CIAosbZRiyWRZWB+BS51PBMwj/2EdnZhi dPenqBnByiotAiBbcnt6HAffDP1QJJPDXEfiwxH9FbPq2KVExJ3iVTOkAQIhAMvF pY+dUiDSWk6sC1MX+fASe/Eu5oA9CV0q7BLNt/VQ -----END RSA PRIVATE KEY----- $ <ur> openssl rsa -in hack4a.key -text -noout ! analyze the key file <sr> Private-Key: (512 bit) modulus: 00:a2:30:8e:e2:62:24:96:a5:34:de:ae:41:85:be: 24:09:f6:ea:e8:a9:a9:3f:3f:56:f0:cd:20:68:6a: 24:3c:6b:23:6c:0c:8f:9b:0d:71:69:f9:32:64:2c: 64:57:65:fe:9c:62:a1:0b:e5:b1:d1:5b:f0:87:64: d5:9b:0b:73:d9 publicExponent: 65537 (0x10001) privateExponent: 55:5c:d3:47:29:3a:72:a3:3f:01:58:9b:99:c5:aa: 78:28:22:19:14:7a:c4:94:14:b1:26:75:41:1f:64: 34:fb:a4:29:e5:bb:c0:ec:3f:ae:12:60:6c:ef:b1: 65:78:33:27:ac:e0:d3:af:a7:36:0e:14:38:2b:14: 39:4c:a0:91 prime1: 00:cb:f5:a4:c0:ac:bc:d1:c6:8e:6f:c8:7c:8f:fc: 67:ee:85:3f:99:05:25:5a:c4:5a:b1:80:a5:81:20: 7e:3c:3d prime2: 00:cb:92:90:86:e1:f7:0d:89:b5:1f:75:bd:02:16: 5b:d1:58:f2:16:9b:23:9f:46:43:09:d3:39:1a:99: ca:83:cd exponent1: 0a:2c:6d:94:62:c9:64:59:58:1f:81:4b:9d:4f:04: cc:23:ff:61:1d:9d:98:62:74:f7:a7:a8:19:c1:ca: 2a:2d exponent2: 5b:72:7b:7a:1c:07:df:0c:fd:50:24:93:c3:5c:47: e2:c3:11:fd:15:b3:ea:d8:a5:44:c4:9d:e2:55:33: a4:01 coefficient: 00:cb:c5:a5:8f:9d:52:20:d2:5a:4e:ac:0b:53:17: f9:f0:12:7b:f1:2e:e6:80:3d:09:5d:2a:ec:12:cd: b7:f5:50 $
exercise-05 (create a certificate signing request) =========== <sr> $ ! my DCL prompt <ur> copy SSL$ROOT:[000000]OPENSSL-VMS.CNF openssl.cnf ! copy template to your directory <sr> $ <ur> openssl req -new -key hack4a.key -out hack5b.csr -config openssl.cnf <sr> You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CA ! my responses are in red State or Province Name (full name) [Some-State]:Ontario Locality Name (eg, city) []:Waterloo Organization Name (eg, company) [Internet Widgits Pty Ltd]:United Federation of Planets Organizational Unit Name (eg, section) []:Star Fleet Common Name (eg, YOUR name) []:Jean-Luc Pickard ! or host like: www.name.ext Email Address []:jean-luc.picard@star-fleet.ufp Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:<enter> An optional company name []:<enter> $ <ur> type hack5b.csr ! view raw ASCII data <sr> -----BEGIN CERTIFICATE REQUEST----- MIIBdDCCAR4CAQAwgbgxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMREw DwYDVQQHEwhXYXRlcmxvbzElMCMGA1UEChMcVW5pdGVkIEZlZGVyYXRpb24gb2Yg UGxhbmV0czETMBEGA1UECxMKU3RhciBGbGVldDEZMBcGA1UEAxMQSmVhbi1MdWMg UGlja2FyZDEtMCsGCSqGSIb3DQEJARYeamVhbi1sdWMucGljYXJkQHN0YXItZmxl ZXQudWZwMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKIwjuJiJJalNN6uQYW+JAn2 6uipqT8/VvDNIGhqJDxrI2wMj5sNcWn5MmQsZFdl/pxioQvlsdFb8Idk1ZsLc9kC AwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAILOaqUUSsb0vgTyXqUKsBi12mgSbsLgu rZEEyu0gSsTdVIkkwkVvhavYpxCENbCqiRxH+uHZLkYvbTTfmvUapA== -----END CERTIFICATE REQUEST----- $ <ur> openssl req -noout -text -in hack5b.csr ! 
view CSR data <sr> Certificate Request: Data: Version: 0 (0x0) Subject:Subject: C=CA, ST=Ontario, L=Waterloo, O=United Federation of Planets, OU=Star Fleet, CN=Jean-Luc Pickard/emailAddress=jean-luc.picard@star-fleet.ufp Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:a2:30:8e:e2:62:24:96:a5:34:de:ae:41:85:be: 24:09:f6:ea:e8:a9:a9:3f:3f:56:f0:cd:20:68:6a: 24:3c:6b:23:6c:0c:8f:9b:0d:71:69:f9:32:64:2c: 64:57:65:fe:9c:62:a1:0b:e5:b1:d1:5b:f0:87:64: d5:9b:0b:73:d9 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 20:b3:9a:a9:45:12:b1:bd:2f:81:3c:97:a9:42:ac:06:2d:76: 9a:04:9b:b0:b8:2e:ad:91:04:ca:ed:20:4a:c4:dd:54:89:24: c2:45:6f:85:ab:d8:a7:10:84:35:b0:aa:89:1c:47:fa:e1:d9: 2e:46:2f:6d:34:df:9a:f5:1a:a4 $
exercise-06 (create a self-signed certificate) =========== <sr> $ ! my DCL prompt <ur> openssl req - ! a trailing dash in DCL continues the line -new - ! -x509 - ! x509 as a switch indicates "self signed" -config openssl.cnf - ! -days 365 - ! will expire in one year -set_serial 20160101 - ! I used ccyymmdd -key hack4a.key - ! I could have created/used a new key with -keyout -out hack6b.crt ! certificate data will be written here <sr> You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CA ! my responses in RED (CA=Canada) State or Province Name (full name) [Some-State]:Ontario ! Canada has provinces Locality Name (eg, city) []:Waterloo Organization Name (eg, company) [Internet Widgits Pty Ltd]:United Federation of Planets Organizational Unit Name (eg, section) []:Star Fleet Common Name (eg, YOUR name) []:Jean-Luc Pickard ! or node like: www.name.ext Email Address []:jean-luc.picard@star-fleet.ufp ! $ <ur> openssl x509 -in hack6b.crt -text -noout ! 
let's see it (processed) <sr> Certificate: Data: Version: 3 (0x2) Serial Number: 20160101 (0x1339e65) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CA, ST=Ontario, L=Waterloo, O=United Federation of Planets, OU=Star Fleet, CN=Jean-Luc Pickard/emailAddress=jean-luc.picard@star-fleet.ufp Validity Not Before: Jan 1 21:06:15 2016 GMT Not After : Dec 31 21:06:15 2016 GMT Subject: C=CA, ST=Ontario, L=Waterloo, O=United Federation of Planets, OU=Star Fleet, CN=Jean-Luc Pickard/emailAddress=jean-luc.picard@star-fleet.ufp Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:a2:30:8e:e2:62:24:96:a5:34:de:ae:41:85:be: 24:09:f6:ea:e8:a9:a9:3f:3f:56:f0:cd:20:68:6a: 24:3c:6b:23:6c:0c:8f:9b:0d:71:69:f9:32:64:2c: 64:57:65:fe:9c:62:a1:0b:e5:b1:d1:5b:f0:87:64: d5:9b:0b:73:d9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 83:79:4A:B8:D5:ED:C4:C5:58:A8:4B:0F:07:E6:8B:FB:A3:22:19:9C X509v3 Authority Key Identifier: keyid:83:79:4A:B8:D5:ED:C4:C5:58:A8:4B:0F:07:E6:8B:FB:A3:22:19:9C DirName:/C=CA/ST=Ontario/L=Waterloo /O=United Federation of Planets /OU=Star Fleet /CN=Jean-Luc Pickard/emailAddress=jean-luc.picard@star-fleet.ufp serial:01:33:9E:65 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 08:36:67:15:01:c4:8c:e6:2d:10:de:ed:bb:13:4f:cb:9d:4f: 9a:c9:8b:61:ee:84:16:e8:9b:0f:db:a5:05:c7:d5:94:e6:9b: b1:0f:40:d5:bc:be:09:75:5e:7a:33:46:f7:3a:4c:c2:8b:61: c2:85:ad:a0:f2:cf:00:d2:e1:0d $ <ur> type hack6b.crt ! let's see it (raw) <sr> <...hex dump...> !
Notes:
<sr> $ ! my DCL prompt
<ur> openssl s_client -connect www.twitter.com:443 -no_tls1 ! connect to Twitter (no TLS1)
<sr> ...handshake verbiage... ! bla...bla...bla...
--- ! your s_client prompt
<ur> GET / HTTP/1.0<enter> ! get default document; use HTTP 1.0
<enter> ! signal end of HTTP header
<sr> HTTP/1.0 200 OK ! response
Date: Fri, 22 Jun 2012 23:16:38 GMT !
Status: 200 OK !
Pragma: no-cache !
Content-Type: text/html; charset=utf-8 !
<sr> $ !
<ur> openssl s_client -connect www.google.com:443 -no_tls1 ! connect to Google USA (no TLS1)
<sr> ...handshake verbiage... ! bla...bla...bla...
--- ! your s_client prompt
<ur> GET / HTTP/1.0<enter> ! get default document; use HTTP 1.0
<enter> ! signal end of HTTP header
<sr> HTTP/1.0 302 Found ! 302 = moved
Location: https://www.google.ca/ ! so redirect to Canada
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
<sr> $ !
<ur> openssl s_client -connect www.google.ca:443 -no_tls1 ! connect to Google (no TLS1)
<sr> ...handshake verbiage... ! bla...bla...bla...
--- ! your s_client prompt
<ur> GET / HTTP/1.1<enter> ! okay so let's try HTTP/1.1
host: www.google.ca:443<enter> ! need this line for HTTP/1.1
<enter> ! signal end of HTTP header
<sr> HTTP/1.1 200 OK !
Set-Cookie: NID=61=H7WfG9OQ6uHDvVU8OJyt_Z4x8a4cj0DUpLUfH9D9eeKVou1FwaP8ok16
vDlgV3sX1JPzrd3G8tNc3mDgbdPZy8mGnmpKJ3WCKHVT6gbCV8Z56rKIVgXokgJkptJZ-i00;
expires=Sat, 22-Dec-2012 22:51:17 GMT; path=/; domain=.google.ca; HttpOnly
Date: Fri, 22 Jun 2012 22:51:17 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=windows-1252
Set-Cookie: PREF=ID=3ba285f540771657:FF=0:TM=1340405477:LM=1340405477:S=TpABG903GxV7Ufhg; ...
expires=Sun, 22-Jun-2014 22:51:17 GMT; path=/; domain=.google.ca
Set-Cookie: NID=61=H7WfG9OQ6uHDvVU8OJyt_Z4x8a4cj0DUpLUfH9D9eeKVou1FwaP8ok16vDlgV3sX1JPzrd ...
3G8tNc3mDgbdPZy8mGnmpKJ3WCKHVT6gbCV8Z56rKIVgXokgJkptJZ-i00;
expires=Sat, 22-Dec-2012 22:51:17 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts ...
/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
1000 ! byte count of chunked data block
[...snip...]
<sr> $ ! <ur> openssl s_client -connect www.bell.ca:443 -showcerts ! connect to google.ca <sr> CONNECTED(00000005) depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain ! 0 s:/C=CA/ST=Ontario/L=Mississauga/O=Bell Canada/CN=mybell.bell.ca ! Level 0: sourced by Google i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by ! issued: by Entrust reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification ! Authority - L1C ! -----BEGIN CERTIFICATE----- MIIIXDCCB0SgAwIBAgIETB0YBDANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC [...snip...] ! chopped out qXpNDaiIq2kB9USHxlXOeSWS5+QLHXZ/6x0WLdDqmHJD2HH98KiRgLlLYS9G+LN8 lPhvtxyDy+EMtnCQl1u4MbNaQsPsk/D9OFYcGjkr0IM= -----END CERTIFICATE----- 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated ! Level 1: source by Entrust by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust ! Certification Authority - L1C ! i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. ! issued by Entrust (limits liab.)/OU=(c) 1999 Entrust.net Limited /CN=Entrust.net Certification Authority (2048) -----BEGIN CERTIFICATE----- MIIE8jCCA9qgAwIBAgIEOGPp/DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML [...snip...] ! 
chopped out PFS+/i/qaZ0cHimbltjI/lGQ8SSmkAaz8Cmi/3gud1xFIdlEADHzvjJP9QoyDfz8 uhZ2VrLWSJLyi6Y+t6xcaeoLP2ZFuQ== -----END CERTIFICATE----- --- Server certificate subject=/C=CA/ST=Ontario/L=Mississauga/O=Bell Canada/CN=mybell.bell.ca issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference /OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C --- No client certificate CA names sent --- SSL handshake has read 3586 bytes and written 489 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 20D6EC9351E887BBFF62FB85E62A4C6746B9A1F591A1927A7D5116EF6325135B Session-ID-ctx: Master-Key: 1AD1EA1B547DF1F44F500384D87141B939AC17578316540EB1AEAD108A3B6F30 34AD91CB510F21BAD2C9DE982AB6815A Key-Arg : None Start Time: 1344262653 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- <ur> <ctrl-y> ! <sr> Interrupt ! $ !
Three connect commands (responses not shown)
<ur> openssl s_client -connect 142.180.221.226:443 -showcerts  ! what far-end certificates are available?
<ur> openssl s_client -connect 142.180.221.226:443 -debug      ! show more info hex and ASCII
<ur> openssl s_client -connect 142.180.221.226:443 -state      ! show ssl state transitions
Note: after any one of the above commands, type the following:
<ur> GET / HTTP/1.0<enter>                                     ! get default document using HTTP/1.0
     <enter>                                                   ! signal end of HTTP header
Four connect commands (responses not shown)
<ur> define/sys vms_cert_dir sys$sysdevice:[certificates]      ! an HP-recommended directory
--------------------------------------------------------------
<ur> openssl s_client -connect 142.180.221.226:443 -           !
       -cert vms_cert_dir/client.crt -                         ! for optional client verification
       -key vms_cert_dir/client.key                            ! for optional client verification
<ur> openssl s_client -connect 142.180.221.226:443 -           !
       -cert vms_cert_dir/client.pem                           ! key + crt inside of pem
<ur> openssl s_client -connect 142.180.221.226:443 -
       -cert vms_cert_dir/client.crt -
       -key vms_cert_dir/client.key -
       -tls1                                                   ! only use TLS1 encryption
Note: after any one of the above commands, type the following:
<ur> GET / HTTP/1.0<enter>                                     ! get default document using HTTP/1.0
     <enter>                                                   ! signal end of HTTP header
Five connect commands (responses not shown)
<ur> openssl s_client -connect 142.180.39.15:5555 -debug       ! details while negotiating
<ur> openssl s_client -connect 142.180.39.15:5555 -state       ! watch SSL change states
<ur> openssl s_client -connect 142.180.39.15:5555 -tls1 -debug ! use the TLS1 protocol
<ur> openssl s_client -connect 142.180.39.15:5555 -ssl3 -debug ! use the SSL3 protocol
<ur> openssl s_client -connect 142.180.39.15:5555 -            !
       -cert vms_cert_dir/client.pem -                         ! PEM files require a HASH file
       "-CAfile" vms_cert_dir/client_ca.pem -                  ! list of trusted certificates
       "-CApath" vms_cert_dir                                  ! double-quote mixed case parameters in VMS
Server:
<ur> openssl s_server -accept 5000 -
       -cert vms_cert_dir/server.crt -
       -key vms_cert_dir/server.key -
       -debug -
       -www                                                    ! barely simulate a webserver (lower case)
<sr> Using default temp DH parameters
     Using default temp ECDH parameters
     ACCEPT
Client:
<ur> openssl s_client -connect 142.180.39.15:5000 -debug       ! will connect to server
<sr> ...handshake verbiage...                                  ! bla...bla...bla...
<ur> GET / HTTP/1.0<enter>                                     ! request default page containing stats
     <enter>                                                   ! signal end of HTTP header
Server:
<ur> set default sys$login                                     ! run these tests from your home directory
<sr> $
<ur> create neil.txt                                           ! create a small text file
     this is sample text<ctrl-z>                               ! place text in the file
<sr> $                                                         !
<ur> openssl s_server -accept 5000 -
       -cert vms_cert_dir/server.crt -
       -key vms_cert_dir/server.key -
       -debug -
       -"WWW"                                                  ! simulate a better webserver
<sr> Using default temp DH parameters
     Using default temp ECDH parameters
     ACCEPT
Client:
<ur> openssl s_client -connect 142.180.39.15:5000 -
       -cert vms_cert_dir/client.crt -
       -key vms_cert_dir/client.key -                          ! will connect to server
<sr> ...handshake verbiage...                                  ! bla...bla...bla...
<ur> GET /neil.txt HTTP/1.0<enter>                             ! request file "neil.txt"
     <enter>                                                   ! signal end of HTTP header
<sr> HTTP 200 (OK)
     ...header verbiage...
     this is sample text                                       ! presto
Server:
<ur> set default sys$login                                     ! run these tests from your home directory
<sr> $
<ur> type neil.txt                                             ! make sure test file exists
<sr> this is sample text
     $                                                         !
<ur> openssl s_server -accept 5000 -
       -cert vms_cert_dir/server.crt -
       -key vms_cert_dir/server.key -
       -debug -
       -"WWW" -                                                ! simulate a better webserver
       -"Verify" 9                                             ! force client to require a certificate
<sr> verify depth is 9, must return a certificate
     Using default temp DH parameters
     Using default temp ECDH parameters
     ACCEPT
Client:
<ur> openssl s_client -connect 142.180.39.15:5000 -
       -cert vms_cert_dir/client.crt -
       -key vms_cert_dir/client.key -                          ! will connect to server
<sr> ...handshake verbiage...                                  ! bla...bla...bla...
<ur> GET /neil.txt HTTP/1.0<enter>                             ! request file "neil.txt"
     <enter>                                                   ! signal end of HTTP header
<sr> HTTP 200 (OK)
     ...header verbiage...
     this is sample text                                       ! presto
<ur> openssl s_client -connect 142.180.39.15:5000              ! reconnect "without any certs"
<sr> CONNECTED(00000005)
     depth=0 /C=CA/ST=ON/L=KITCHENER/O=BELL CANADA/OU=BELL-ATS/CN=www.bellics.com/emailAddress=neil@bellics.com
     verify error:num=18:self signed certificate               ! this is not really an error
     verify return:1
     depth=0 /C=CA/ST=ON/L=KITCHENER/O=BELL CANADA/OU=BELL-ATS/CN=www.bellics.com/emailAddress=neil@bellics.com
     verify return:1
     262761:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:S3_PKT:1102:SSL alert number 40
     262761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:S23_LIB:182:
Server:
<sr> ...verbiage...
     261215:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:S3_SRVR:2611:
     ACCEPT                                                    ! waiting for another transaction
<sr> $                                                         ! my DCL prompt
<ur> openssl ciphers                                           ! what ciphers are available locally?
<sr> DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:
     DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-
     CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:
     AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:DHE-RSA-CAMELLIA128
     -SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC2-CBC-MD5:DHE-DSS-RC4-SHA:
     RC4-SHA:RC4-MD5:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:E
     DH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DH
     E-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC
     -SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-
     MD5
     $
<ur> openssl s_client -connect www.google.ca:443 -cipher "RC4-SHA" ! connect to Google using the RED cipher
     ...handshake verbiage...                                  ! bla...bla...bla...
note: the requested cipher might not be available at the far end
notes: 1) I am on my production node "KAWC96" connecting to my development node "KAWC09" 2) We could just ignore the error 18 then continue 3) Or save the remote certificate in a local repository ---------------------------------------------------------------------------------------- <sr> $ ! my DCL prompt <ur> set def sys$login ! start in home location <sr> $ ! <ur> openssl s_client -connect kawc09.on.bell.ca:443 - ! connect to development platform -state -showcerts ! (without any local certificate) <sr> CONNECTED(00000005) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca verify error:num=18:self signed certificate <<<--- oops (let's fix this) verify return:1 depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca i:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca --- Server certificate -----BEGIN CERTIFICATE----- MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC [...snip...] 
S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn -----END CERTIFICATE----- subject=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca issuer=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca --- No client certificate CA names sent --- SSL handshake has read 1270 bytes and written 361 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: DE5C43E6C8B445FCDA60894A08650E5B19D1E99DAF3F70D2661EE60956001CF1 Session-ID-ctx: Master-Key: CFF329BE8FFF7B8FD7E6201B16F1AC3663EFF5633CDDD6EA52C79ED4A5C1A7A1F796DECCD77FCD21D497DC2021402118 Key-Arg : None Start Time: 1343864769 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) <<<---oops (let's fix this) --- <ur> <ctrl-Y> ! we're done so hit <ctrl-Y> <sr> INTERRUPT $
Create a trusted chain (or add to an existing chain)
Note: This is similar to what happens when you import a certificate into your browser
<ur> cre xxx_kawc09.crt                                        ! create a file
     -----BEGIN CERTIFICATE-----                               ! paste in the remote certificate from above
     MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC
     [...snip...]
     S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti
     zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn
     -----END CERTIFICATE-----
     <ctrl-z>                                                  ! hit <ctrl-z> to exit file-creation with SAVE
<sr> Exit
     $
<ur> copy xxx_kawc09.crt vms_cert_dir                          ! optional: copy file to our cert directory
<sr> $
<ur> set def vms_cert_dir                                      ! now move over there
<sr> $
<ur> dir client_ca.pem                                         ! any chains like this here?
<sr> %DIRECT-W-NOFILES, no files found                         ! nope
<ur> copy xxx_kawc09.crt client_ca.pem                         ! copy cert into new PEM or
                                                               ! or
     copy client_ca.pem, xxx_kawc09.crt client_ca.pem          ! append cert onto existing PEM
<sr> $
<ur> openssl x509 -hash -noout -in client_ca.PEM               ! compute hash of pem
<sr> 1132507a                                                  ! this is the computed result
<ur> copy client_ca.PEM 1132507a.0                             ! create a hash file with '.0' extension
<sr> $
<ur> openssl verify "-CApath" vms_cert_dir -verbose -purpose any client_ca.PEM ! test the PEM-hash combo
<sr> client_ca.pem: OK                                         ! looks good so far
<ur> set def sys$login:                                        ! back to our home directory
<sr> $
<ur> openssl s_client -connect kawc09.on.bell.ca:443 -state -  ! connect to development platform (again)
       -cert vms_cert_dir/kawc96.crt -                         !
       -key vms_cert_dir/kawc96.key -                          !
       -"CAfile" vms_cert_dir/client_ca.PEM                    !
but reference trusted cert chain <sr> CONNECTED(00000005) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca verify return:1 <<<--- cool (fixed) SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca i:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca --- Server certificate -----BEGIN CERTIFICATE----- MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC [...snip...] 
S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn -----END CERTIFICATE----- subject=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca issuer=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca --- No client certificate CA names sent --- SSL handshake has read 1270 bytes and written 361 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 96B7F72BDCCB65C8040BD1DFE714989D87F966D000AB7ED9CDD9AEF5FD4EAE89 Session-ID-ctx: Master-Key: 7737874E462FAFD277E6541BD2608070BEBB15393D6897125F1DF8A10AC3AE24D5FD65BA0F909F9576A04856345BB6EE Key-Arg : None Start Time: 1343865022 Timeout : 300 (sec) Verify return code: 0 (ok) <<<---cool (fixed) --- <ur> <ctrl-z> ! we are done <sr> Exit $
Overview:
$set default ssl$com
$@SSL$CERT_TOOL.COM
select "Create a Certificate Signing Request" (also called a CSR)
be sure to name it something like: host_domain_ccyymmdd.csr
where ccyymmdd represents the current date
exit
$set def SSL$ROOT:[000000.DEMOCA.CERTS]
$dir host_domain_ccyymmdd.*
you should see two files; one with an extension of ".csr" and one with ".key"
$type host_domain_ccyymmdd.csr
-----
1) drag your cursor across the file contents
2) paste the result into the submission window at your certificate vendor's site
3) the vendor will sign your CSR and mail it back to you as a CRT
4) You should copy/paste the base-64 text into a file of the form:
host_domain_ccyymmdd.crt
5) The email will also contain a copy of the vendor's intermediate certificate
6) You should copy/paste the base-64 text into a file of the form:
host_domain_ccyymmdd_intermediate.crt
-----
Modify Apache config file "[.conf]ssl.conf" like so:
# our public certificate
SSLCertificateFile /vms_prod_cert_dir/BELLICS_COM_ccyymmdd.CRT
# our private key
SSLCertificateKeyFile /vms_prod_cert_dir/BELLICS_COM_ccyymmdd.KEY
# the CA's intermediate certificate
SSLCACertificateFile /vms_prod_cert_dir/BELLICS_COM_ccyymmdd_INTERMEDIATE.CRT
restart Apache (monitor all error logs; if the server won't start then you've made a mistake)
now retest with the OpenSSL CLI
now retest with all three popular browsers (IE, Firefox, Chrome)
note: this is a real-world example for server "bellics.com" except that I replaced my actual submission date with ccyymmdd
commands:
1) openssl genrsa -out BELLICS_COM_ccyymmdd.KEY 2048
2) openssl req -new -key BELLICS_COM_ccyymmdd.KEY -out BELLICS_COM_ccyymmdd.CSR
3) cat (on Unix/Linux or 'type' on OpenVMS) BELLICS_COM_ccyymmdd.CSR
steps:
1) copy/paste the contents into the submission window at your certificate vendor's site
2) the vendor will sign your CSR then email it back to you in base-64 format
3) copy/paste the base-64 text from the email into a file of the form: BELLICS_COM_ccyymmdd.CRT
4) visit the vendor's site to get a copy of their signing certificate. I saved mine as: BELLICS_COM_ccyymmdd_VENDOR.CRT
5) modify the Apache config file "ssl.conf" (see steps above)
   BELLICS_COM_ccyymmdd.KEY (is the private key which will never be shared with anyone)
   BELLICS_COM_ccyymmdd.CRT (is the signed public certificate which contains your public key)
   BELLICS_COM_VENDOR.CRT   (is the vendor's public certificate used to sign your CRT)
6) restart the server (checking your log files)
OpenSSL commands to display the certificates just for the fun of it
1) openssl x509 -noout -text -in server_self_signed.CRT
2) openssl x509 -noout -text -in BELLICS_COM_ccyymmdd.CRT
3) openssl x509 -noout -text -in BELLICS_COM_VENDOR.CRT
So you have found some time to get beyond connectivity tests and would like to dig a little deeper into this tool
p.s. the following examples manipulate files rather than data streams but you will get the general idea
legend: <ur> = user response
        <sr> = system response
----------------------------------------------------
<ur> openssl s_client -connect www.google:443<enter>
     <enter>
     <enter>
     <enter>
<sr> write:errno=32                                     <<<--- Oops!!
Note: I think error 32 = "broken pipe" (see: ERRNO.H or ERRNODEF.H) which means the channel just closed.
The problem here is that we did not see a prompt where we could request something from Google.
<ur> openssl s_client -connect www.myserver.com:443<enter>      !
<sr> ...handshake verbiage...                                   ! bla...bla...bla...
     ---                                                        ! prompt
<ur> GET /neil.txt HTTP/1.0<enter>                              ! we want file neil.txt
     <enter>                                                    ! signal end of HTTP header
<sr> HTTP HTTP/1.0 200 ok                                       !
     Content-type: text/plain                                   !
                                                                !
     test data                                                  !
BIO_printf(bio,"---\n");
BIO_printf(bio,"---\n\n");
i=write
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VMS)
i=write
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) \
 || defined(OPENSSL_SYS_VMS)
i=raw_write_stdout
if (bla...)
{
    if (yada...)
    {
        just one line but bracketed anyway;
    }
}
else
{
    switch(temp)
    {
        case CASE1:
        {
            whatever;
            break;
        }
        case CASE2:
        {
            whatever;
            break;
        }
        default:
        {
            just one line but bracketed anyway;
        }
    }
}
Operating System | HP-OpenSSL Version | Output from command "OpenSSL s_client version" | s_client works properly? | Notes |
---|---|---|---|---|
OpenVMS-7.3 | CPQ-OpenSSL-1.0A | OpenSSL 0.9.6b [engine] 9 Jul 2001 [blank line] | Y | telnet to: gate.polarhome.com |
OpenVMS-7.3-1 | CPQ-OpenSSL-1.1 | OpenSSL 0.9.6g [engine] 9 Aug 2002 [blank line] | Y | telnet to: deathrow.vistech.net |
OpenVMS-7.3-2 | CPQ-OpenSSL-1.1 | OpenSSL 0.9.6g [engine] 9 Aug 2002 [blank line] | Y | built this scratch system then downloaded this kit: cpq-axpvms-ssl-v0101--1.pcsi-dcx_axpexe from here: http://www.decuslib.com/decus/ |
OpenVMS-7.3-2 | CPQ-OpenSSL-1.1B | OpenSSL 0.9.6g [engine] 9 Aug 2002 [blank line] | Y | built this scratch system then installed this kit from a friend: cpq-axpvms-ssl-v0101-B-1.pcsi-dcx_axpexe |
OpenVMS-7.3-2 | HP-OpenSSL-1.2 | OpenSSL 0.9.7d 17 Mar 2004 SSL for OpenVMS V1.2 Nov 3 2004. | N | built this scratch system then installed this kit from a friend: HP-AXPVMS-SSL-V0102--1.AXPEXE |
OpenVMS-7.3-2 | HP-OpenSSL-1.3-281 | OpenSSL 0.9.7e 25 Oct 2004 SSL for OpenVMS V1.3 May 26 2006. | N | built this scratch system then downloaded this kit from HP: HP-AXPVMS-SSL-V0103-0281-1.PCSI_SFX_AXPEXE |
OpenVMS-8.3 | HP-OpenSSL-1.3-281 | OpenSSL 0.9.7e 25 Oct 2004 SSL for OpenVMS V1.3 May 26 2006. | N | visited: eisner.decus.org |
OpenVMS-8.4 | HP-OpenSSL-1.3-281 | OpenSSL 0.9.7e 25 Oct 2004 SSL for OpenVMS V1.3 May 26 2006. | N | I forced this regression |
OpenVMS-8.4 | HP-OpenSSL-1.4-453 | OpenSSL 0.9.8o 01 Jun 2010 SSL for OpenVMS V1.4 May 10 2011. | N | my production machine |
OpenVMS-8.4 | HP-OpenSSL-1.4-467 | OpenSSL 0.9.8w 23 Apr 2012 SSL for OpenVMS V1.4 May 22 2012. | N | my production machine (see following notes) |
OpenVMS-8.4 | HP-OpenSSL-1.4-471 | OpenSSL 0.9.8y 5 Feb 2013 SSL for OpenVMS V1.4 Mar 7 2013. | Y | my development machine |
Here I am not talking about installing a PCSI kit from HP. I am talking about building (full recompile and link) so you will need a C-language compiler.
File | Still Available from HP? |
Available Elsewhere? |
VAX | AXP | I64 | s_client works properly? |
Notes |
---|---|---|---|---|---|---|---|
COMPAQ_SSL_SOURCES_V10A.EXE COMPAQ_SSL_SOURCES_V10A.BCK |
n | y | y | 1) can only build AXP (Alpha) binaries 2) they appear to have been playing with VAX + I64 (using cross compilers) |
|||
COMPAQ_SSL_SOURCES_V11.EXE COMPAQ_SSL_SOURCES_V11.BCK |
n | y | y | 1) can only build AXP (Alpha) binaries 2) they appear to have been playing with VAX + I64 (using cross compilers) |
|||
COMPAQ_SSL_SOURCES_V11A.EXE COMPAQ_SSL_SOURCES_V11A.BCK |
n | y | y | y | y |
To verify original announcement: |
|
COMPAQ_SSL_SOURCES_V11B.EXE COMPAQ_SSL_SOURCES_V11B.BCK |
n | y | y | y |
original announcement: |
||
HP_VMS_SSL_SOURCES_V12.EXE HP_VMS_SSL_SOURCES_V12.BCK |
n | y | y | n (see note 5) |
original announcement: wayback-machine |
||
HP_VMS_SSL_SOURCES_V13.AXPEXE HP_VMS_SSL_SOURCES_V13.I64EXE |
y (see note 1) |
y | y | n (see note 5) |
original announcement: wayback-machine |
||
HP_VMS_SSL_SOURCES_V14.AXPEXE HP_VMS_SSL_SOURCES_V14.I64EXE |
y (see note 1) |
y | y | n (see note 5) |
|||
HP_VMS_SSL_SOURCES_V14-453.AXPEXE HP_VMS_SSL_SOURCES_V14-453.I64EXE |
y (see note 1) |
y | y | n (see note 5) |
|||
HP_VMS_SSL_SOURCES_V14-467.AXPEXE HP_VMS_SSL_SOURCES_V14-467.I64EXE |
y (see note 1) |
y | y | n (see note 5) |
|||
HP_VMS_SSL_SOURCES_V14-471.AXPEXE HP_VMS_SSL_SOURCES_V14-471.I64EXE |
y | y | y | y |
| Do When | Do What | Target |
|---|---|---|
| Do at least once | read these notes | http://h41379.www4.hpe.com/openvms/products/ssl/ssl_source.html#buildopenssl |
| | read text file | $$$README.FOR_VMS |
| | never execute DCL script | SUBMIT_BUILD.COM (can only be executed on HP's development system; requires CMS as well as some crypto stuff) |
| | consider modifying script | VMS_BUILD_INFO.COM |
| B4 every full build | execute DCL script | @VMS_BUILD_INFO.COM (which sets DCL symbols required by MAKEVMS.COM) |
| | execute DCL script | @MAKEVMS.COM/OUTPUT=MAKEVMS.LOG ALL NORSAREF NODEBUG DECC NONE (Note: NONE seems to work properly with both "TCPIP Services" as well as TCPware) |
| B4 every app build | execute DCL script | @VMS_BUILD_INFO.COM (which sets DCL symbols required by MAKEVMS.COM) |
| | execute DCL script | @MAKEVMS.COM/OUTPUT=MAKEVMS.LOG APPS NORSAREF NODEBUG DECC NONE (Note: NONE seems to work properly with both "TCPIP Services" as well as TCPware) |
OpenSSL Version (Vanilla) | Compiles as-is on VMS? | Notes | s_client works properly? | Notes | Add'l Notes Below |
---|---|---|---|---|---|
OpenSSL 0.9.6g | yes | build script okay; install script needs work | ? | stopped by error "bad select 38" | 2 |

OpenSSL Version (PolarHome) | Compiles as-is on VMS? | Notes | s_client works properly? | Notes | Add'l Notes Below |
---|---|---|---|---|---|
OpenSSL 1.0.1b 26 Apr 2012 | yes | build and install scripts are improved | ? | stopped by error "bad select 38" | 1,2 |
1092:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.crypto.rand]md_rand.c;1:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
1092:error:05067003:Diffie-Hellman routines:DH_generate_key:BN lib:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.crypto.dh]dh_key.c;1:147:
1092:error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad asn1 object header:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.ssl]s3_clnt.c;1:1490:
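$create neil.rnd                        ! creates a file named "neil.rnd"
12345678901234567890<control-z>         ! enter at least 20-characters before hitting <control-z>
                                        ! note: typed text like this is a predictable seed; it gets a test
                                        ! connection working but is no substitute for real entropy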
$openssl s_client -connect 123.123.123.123:443 -rand neil.rnd
$define/system RANDFILE = SYS$SYSDEVICE:[HACK]NEIL.RND
RANDFILE :== SYS$SYSDEVICE:[HACK]NEIL.RND
openssl s_client -connect www.twitter.com:443 -no_tls1
CONNECTED(00000003)
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
[...snip...]
0tjHHMI1d6IJs0TAO26/SVI7YlQXEstKHk9iJzappwZ/0HZJsepX7jIxvlxyKKGb
8MQGjSCwx8bY2PbYaLe0rkk2IjH0aMUlHW77DpNAK40=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3360 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 98708C8995FF0F8AE3DE17DC8066CF220AB3D50C183E519089DB2E893EFEDCEA
    Session-ID-ctx:
    Master-Key: 5542D6ADAC52B4FD82FD9E0FCADE67FBBB5D4BAB4EA1F5D564FE6F98F6CC6E8F3A0F350BF668726A377EC1169205BBAA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1340481505
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
bad select 38                                           <<<--- Oops! What does this mean?
$
Caveats:
$ set def ssl$examples
$ dir
Directory SYS$COMMON:[SYSHLP.EXAMPLES.SSL]
File Size Date Stamp Notes
------------------------------- ---- ----------- --------------------------------------------------------------
SSL$SIMPLE_CLI.C 9KB 19-APR-2006 Simplest SSL and socket without BIO (Client)
SSL$SIMPLE_SERV.C 8KB 19-APR-2006 Simplest SSL and socket without BIO (Server)
SSL$BIO_CLI.C 9KB 19-APR-2006 Simplest SSL and socket w/"Socket BIO" (Client)
SSL$BIO_SERV.C 9KB 19-APR-2006 Simplest SSL and socket w/"Socket BIO" (Server)
SSL$CLI_VERIFY_CLIENT.C 9KB 19-APR-2006 "Socket BIO" + "client certificate verification" (Client)
SSL$SERV_VERIFY_CLIENT.C 9KB 19-APR-2006 "Socket BIO" + "client certificate verification" (Server)
SSL$CLI_SESS_REUSE.C 10KB 19-APR-2006 "Socket BIO" + "Session Resumption" (Client)
SSL$SERV_SESS_REUSE.C 9KB 19-APR-2006 "Socket BIO" + "Session Resumption" (Server)
SSL$CLI_SESS_REUSE_CLI_VER.C 12KB 19-APR-2006 "Socket BIO" + "Session Resumption" +
"Client Cert Verify" (Client)
SSL$SERV_SESS_REUSE_CLI_VER.C 13KB 19-APR-2006 "Socket BIO" + "Session Resumption" +
"Client Cert Verify" (Server)
SSL$CLI_SESS_RENEGO.C 11KB 19-APR-2006 "Socket BIO" + "Session Renegotiation" (Client)
SSL$SERV_SESS_RENEGO.C 11KB 19-APR-2006 "Socket BIO" + "Session Renegotiation" (Server)
SSL$CLI_SESS_RENEGO_CLI_VER.C 11KB 19-APR-2006 "Socket BIO" + "Session Renegotiation" +
"Client Cert Verify" (Client)
SSL$SERV_SESS_RENEGO_CLI_VER.C 11KB 19-APR-2006 "Socket BIO" + "Session Renegotiation" +
"Client Cert Verify" (Server)
SSL$TCP_CLIENT_QIO_SSL.C 17KB 14-JUN-2004 TCP/IP w/SSL using the Queued I/O (Client)
SSL$TCP_SERVER_QIO_SSL.C 22KB 14-JUN-2004 TCP/IP w/SSL using the Queued I/O (Server)
SSL$SHA1_MD5.C 8KB 29-SEP-2004 how to use Secure Hash 1 and message digest 5
SSL$AES.C 10KB 14-JUL-2004 how to use "Advanced Encryption Standard"
----------------------------------------------------------------------------------------------------------------
Just for fun, enter this DCL command:
$dif SSL$BIO_CLI.C SSL$SIMPLE_CLI.C /par/ignore=(white,case)
Not much difference between these two programs, eh?
Caveat: you need a "C" compiler to build the following executables
Legend: <ur> = user response
        <sr> = system response
<sr> $
<ur> set def SSL$EXAMPLES                               ! we are now located somewhere under SYS$HELP
<sr> $
<ur> edit SSL$SIMPLE_SERV.C                             ! to inspect the build instructions then exit
Note: the following instructions are for 32-bit apps
<sr> $
<ur> cre VMS_DECC_OPTIONS.OPT
     SYS$LIBRARY:SSL$LIBCRYPTO_SHR.EXE/SHARE
     SYS$LIBRARY:SSL$LIBSSL_SHR.EXE/SHARE
     <ctrl-Z>
<sr> $
<ur> CC/POINTER_SIZE=32/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL$SIMPLE_SERV.C   ! build simple server
<sr> $
<ur> link SSL$SIMPLE_SERV.obj, VMS_DECC_OPTIONS.OPT/OPT
<sr> $
<ur> CC/POINTER_SIZE=32/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL$SIMPLE_CLI.C    ! build simple client
<sr> $
<ur> link SSL$SIMPLE_CLI.obj, VMS_DECC_OPTIONS.OPT/OPT
<sr> $
<ur> run SSL$SIMPLE_SERV.EXE
<sr> 186045:error:02001002:system library:fopen:no such file or directory:BSS_FILE:278:fopen('server.crt','r')
     186045:error:20074002:BIO routines:FILE_CTRL:system lib:BSS_FILE:280:
     186045:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:SSL_RSA:515:
Note: The errors above indicate the certificates are missing from this directory. Read the contents of file "SSL$EXAMPLES:SSL$EXAMPLES_SETUP.TEMPLATE"
<sr> $
<ur> set def SSL$COM                                    ! <<<--- location of HP's scripts
<sr> $
<ur> @SSL$CERT_TOOL.COM                                 ! <<<--- start HP's certificate tool
File Name | Description |
---|---|
server_CA.crt | certificate and public key of your CA (certificate authority) |
server_CA.key | private key of your CA (certificate authority) |
server.csr | certificate signing request |
server.crt | certificate and public key of your server (for in-channel distribution to your client) |
server.key | private key of your server certificate |
client.crt | certificate and public key (client side) |
client.key | private key of your client certificate |
client_CA.crt | a file containing one-or-more CA certificates |
Steps:
PEM Pass Phrase ? []
Confirm PEM Pass Phrase ? []
Encryption Bits ? [1024]
Default Days ? [3650]
CA certificate Key File ? [SSL$KEY:SERVER_CA.KEY]
CA certificate File ? [SSL$CRT:SERVER_CA.CRT]
Country Name ? [US] CA
Organization Name ? [] Bell Canada
Organization Unit Name ? [] Bell-ATS
Common Name ? [CA Authority] Neil Rieck on node KAWC15 <<<--- official name of your CA Authority
Require Unique Subject Names? [yes] no
Display the CA certificate ? [N]
$ copy ssl$key:server_ca.key ssl$key:client_ca.key
$ copy ssl$certs:server_ca.crt ssl$certs:client_ca.crt
Encrypt Private Key ? [N]
Encryption Bits ? [1024]
Certificate Key File ? [SSL$KEY:SERVER.KEY]
Certificate Request File ? [SSL$CSR:SERVER.CSR]
Country Name ? [US] CA
State or Province Name ? [] Ontario
City Name ? [] Kitchener
Organization Name ? [] Bell Canada
Organization Unit Name ? [] Bell-ATS
Common Name ? [bellics.com] <<<--- DNS name of our server
Email Address ? [webmaster@bellics.com] neil@bellics.com
Display the Certificate ? [N]
CA Certificate File ? [SSL$CRT:SERVER_CA.CRT]
CA Certificate Key File ? [SSL$KEY:SERVER_CA.KEY]
Certificate Request File ? [SSL$CSR:SERVER.CSR]
Signed Certificate File ? [SSL$CRT:SIGNED.CRT] SSL$CSR:SERVER.crt <<<--- a very important change
Default Days ? [365] 3650 <<<--- make my life a little more convenient
PEM Pass Phrase ? []
Display the Certificate ? [N]
I/O from session #1 (Server)
<sr> $ <ur> run SSL$SIMPLE_SERV.EXE
I/O from session #2 (Client)
<sr> $
<ur> run SSL$SIMPLE_CLI.EXE
<sr> Message to be sent to the SSL server:
<ur> Hello There! (end this message by hitting <ctrl-M> or <enter>)
<sr> SSL connection using AES256-SHA
Server certificate:
subject: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada
/OU=Bell-ATS/CN=bellics.com/emailAddress=webmaster@bellics.com
issuer: /C=CA/O=Bell Canada/OU=Bell-ATS/CN=CA-SERVER
Received 35 chars:'This message is from the SSL server'
I/O from session #1 (Server)
<sr> Connection from 100007f, port bc71
     SSL connection using AES256-SHA
     Received 13 chars:'Hello There!                    (there seems to be an <EOL> here)
     '
     $
These two apps:
contain references for TCP/IP Services for OpenVMS so will not compile as-is under TCPware. You need to make the following modifications:
Caveat: these two example apps are the only ones which DO NOT use the certificates in the example directory (see declarations).
I/O from session #1 (Server)
<sr> $
<ur> run SSL$TCP_SERVER_QIO_SSL-TCPWARE.EXE ! the TCPware version of SSL$TCP_SERVER_QIO_SSL.exe)
I/O from session #2 (Client)
<sr> $
<ur> run SSL$TCP_CLIENT_QIO_SSL-TCPWARE.EXE ! the TCPware version of SSL$TCP_CLIENT_QIO_SSL.exe)
<sr> Enter remote host:
<ur> 127.0.0.1
<sr> Initiated connection to host: 127.0.0.1, port: 5555
Info Callback state = 16, ret code = 1
SSL_CB_HANDSHAKE_START
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
before/connect initialization
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 write client hello A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 read server hello A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 read server certificate A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 read server done A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 write client key exchange A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 write change cipher spec A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 write finished A
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 flush data
Info Callback state = 4097, ret code = 1
SSL_CB_CONNECT_LOOP
SSLv3 read finished A
Info Callback state = 32, ret code = 1
SSL_CB_HANDSHAKE_DONE
Info Callback state = 4098, ret code = 1
SSL_CB_CONNECT_EXIT
SSL connection using AES256-SHA
Server certificate:
subject: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada
/OU=Bell-ATS/CN=bellics.com/emailAddress=webmaster@bellics.com
issuer: /C=CA/O=Bell Canada/OU=Bell-ATS/CN=CA-SERVER
Message to be sent to the SSL server:
--- From SSL QIO Client, Hey, Hello Server ---
Received 39 chars:'This message is from the SSL QIO server'
Info Callback state = 16392, ret code = 256
SSL_CB_WRITE_ALERT
Alert = warning:close notify
$
I/O from session #1 (Server)
<sr> $
<ur> run SSL$TCP_SERVER_QIO_SSL-TCPWARE.EXE ! this is the TCPware version of SSL$TCP_SERVER_QIO_SSL.exe
<sr> . . . Waiting for a client connection on port: 5555
. . . Accepted connection from host: 127.0.0.1, port: 32049
SSL connection using AES256-SHA
Received 48 chars from client:' --- From SSL QIO Client, Hey, Hello Server --- '
$
Up until this point, the client and server demos were running on the same platform (connecting via the loopback address of 127.0.0.1). To get the client demos to run from a different platform you must copy the server's CA Certificate into the client's chain file. In the demo programs this file is always named client_ca.crt.
Note: you need the server CA certificate (which was sent out-of-channel) preinstalled on the client machine in order to prove that the signed certificate (which was sent in-channel) has been signed by a trusted CA. The purpose of all this is to minimize spoofing by a possible man-in-the-middle.
If you intend to connect to multiple servers, and the servers have been signed by different CAs, then you must merge all the CA certificates into the certificate chain file (client_ca.crt).
Warning: You will drive yourself crazy attempting to make these client demos work with an unknown (not under your control) server. The prescribed way to diagnose then repair client problems is with the OpenSSL CLI (command line interpreter). For example, run the server example on platform 1 but then try connecting via openssl s_client on platform 2.
I/O from session #1 (Server on platform 1)
<sr> $                                                  ! my prompt
<ur> run SSL$SIMPLE_SERV.EXE                            ! this defaults to port 5555
I/O from session #2 (Client on platform 2)
Note: SSL clients do not always specify certificates or keys
<sr> $                                                  ! my VMS prompt
<ur> openssl                                            !
<sr> OpenSSL>                                           ! my OPENSSL prompt
<ur> s_client -connect 142.180.39.15:5555 -ssl3 -debug
<sr> CONNECTED(00000005)
     [...snip -debug hex dump...]
     depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
     verify error:num=18:self signed certificate        <<<---Note that this server certificate is self-signed
     verify return:1
     depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
     verify return:1
     [...snip -debug hex dump...]
     ---
     Certificate chain
      0 s:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
        i:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
     ---
     Server certificate
     -----BEGIN CERTIFICATE-----
     MIICtzCCAiACCQCj/wOUrPcmEDANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMC
     [...snip...]
     E6NPH23rjd83mkxuQ4Q0nyFjTjbLaO9IkmWZDfHepDiLISgLPjwjfvfYTIk6OrHk
     mGHcYCUkbxk6DQl5hfNTEQfQo9lrPucsVVf2
     -----END CERTIFICATE-----
     subject=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
     issuer=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
     ---
     No client certificate CA names sent
     ---
     SSL handshake has read 877 bytes and written 312 bytes
     ---
     New, TLSv1/SSLv3, Cipher is AES256-SHA
     Server public key is 1024 bit
     SSL-Session:
         Protocol  : SSLv3
         Cipher    : AES256-SHA
         Session-ID: D296423BD390DCCB544803A89D78297C8075623E2008FFBEB58AAB866F835EF8
         Session-ID-ctx:
         Master-Key: 38C8558FDF4A37EBF3202C5C464EBE60767A31B47B04B60C80A62FDE9D7819F2FDD8CF31E89B5CC26AC50611EFA6DDB5
         Key-Arg   : None
         Start Time: 1244292299
         Timeout   : 7200 (sec)
         Verify return code: 18 (self signed certificate)
<ur> hello<enter>                                       ! I typed this on my keyboard
<sr> [...snip -debug hex dump...]
     write to 00404FF0 [0040F838] (74 bytes => -1 (0xFFFFFFFF))
     write:errno=32
     OpenSSL>
I/O from session #1 (Server on platform 1)
```
<sr> $
<ur> run SSL$SIMPLE_SERV.EXE
<sr> Connection from 1027b48e, port 9ea3
     SSL connection using AES256-SHA
     Received 6 chars:'hello '
     $
```
Trivia: PEM is an acronym for Privacy-enhanced Electronic Mail, but today it is used in many more places than email.
Most SSL apps only employ "certificate" and "key" files. However, many SSL implementations (like my gSOAP client software) employ a "PEM" file. What is worse is that the process for creating "PEM" files from "certificate" and "key" files is poorly documented, or perhaps an industry secret, or perhaps just lost to the ages. So what follows is an example of a few hacks one afternoon.
| | File Name | Notes | Distribute? |
|---|---|---|---|
| Input Files | kawc09.crt | a certificate file and public key for host kawc09.on.bell.ca | Y |
| Input Files | kawc09.key | a private key file for host kawc09.on.bell.ca | N |
| Output Files | kawc09.pem | a PEM file for host kawc09.on.bell.ca (concatenation of kawc09.key and kawc09.crt) | N |
| Output Files | 30A5DF47.0 | a copy of file kawc09.crt whose name contains the computed hash of file kawc09.pem | N |
```
===============================================================================================
file : AAA_PEM_NOTES.TXT
edit : NSR 2012-02-14
topic: 1. general stuff about certificates on our system
       2. creating a PEM (required by SSL calls made by our SOAP client software)
notes: 1. all "our" production certificate files are located here:
          sys$sysdevice:[certificates]
       2. a logical name has been defined to reference this directory:
          $define/system vms_cert_dir sys$sysdevice:[certificates]
       3. apache files like "apache$common[.conf]ssl.conf" need to reference this logical name
       4. before experimenting with the certificate tools in directory SSL$COM you might consider
          copying production certificates to SSL$CERTS which points to here:
          ssl$root:[000000.democa.certs]
       5. while certificates and keys can be generated directly from OpenSSL CLI, DCL scripts like
          SSL$CERT_TOOL are less error prone. However, make sure all instances of 365 days have been
          modified to 3650 days or you'll drive our users crazy. Even if you don't change all the
          scripts, make sure you change the self-signed script.
legend: <ur> = user response
        <sr> = system response
===============================================================================================
<sr> $
<ur> set def ssl$com
<sr> $
<ur> @SSL$CERT_TOOL.COM
------------------------------------------------------------------------------
now do one of: A, B, C:
A  Create a Self-Signed Certificate (my choice)
B1 Create a Certificate Signing Request
B2 Create a CA (Certification Authority) Certificate
B3 Sign a Certificate Signing Request
C1 Create a Certificate Signing Request
C2 Send it to a CA to have it signed
------------------------------------------------------------------------------
<sr> $
<ur> set def SSL$CERTS                                   ! change default directory
<sr> $
<ur> copy/concat kawc09.key,kawc09.crt kawc09.pem        ! create a server PEM file
or   copy kawc09.crt client.pem                          ! create a client PEM file
<sr> $
<ur> openssl x509 -hash -noout -in KAWC09.PEM            ! compute the hash (output to stdout)
<sr> 30a5df47
     $
<ur> copy kawc09.crt 30a5df47.0                          ! create the file: hash.0
<sr> $
<ur> define dvlp_cert_dir SSL$ROOT:[000000.DEMOCA.CERTS] ! define a logical name for use below
<sr> $
<ur> openssl verify "-CApath" dvlp_cert_dir -verbose -purpose any KAWC09.PEM ! test certs with path
or   openssl verify -verbose -purpose any KAWC09.PEM     ! test certs without path (alternative)
<sr> kawc09.pem: OK
     $
------------------------------------------------------------------------------
do we really need the hash file? (yes)
------------------------------------------------------------------------------
<ur> ren 30A5DF47.0 30A5DF47.yada                        ! rename hash file for next test
<sr> $
<ur> openssl verify "-CApath" vms_cert_dir -verbose -purpose any KAWC09.PEM ! test certs with path
<sr> kawc09.pem: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
     error 18 at 0 depth lookup:self signed certificate
     OK
     $
<ur> ren 30A5DF47.yada 30A5DF47.0                        ! restore hash file name
<sr> $
<ur> openssl verify "-CApath" vms_cert_dir -verbose -purpose any KAWC09.PEM ! test certs with path (again)
<sr> kawc09.pem: OK
     $
==========================================================================================================================
<<< proof that Apache has its own version of SSL >>>
notes: 1. danger danger danger
       2. only try this on a backup lab system with no one logged on
   >>> 3. if your running system relies upon SSL for various security functions, then removing
          SSL may render your OpenVMS 8.x system unusable
==========================================================================================================================
uninstall SSL on OpenVMS-8.4 (node kawc98)
    $prod remov prod ssl
    note: you will get a warning saying not to do this because of linkages to OpenVMS (but not Apache)
          ignore the warning and remove SSL anyway
    reboot
    @sys$update:autogen
    reboot
test Apache and notice that https://kawc98.on.bell.ca still works
    (Apache has its own baked-in OpenSSL engine)
install SSL on OpenVMS-8.4
    $PRODUCT instal/options=NOVALIDATE_KIT SSL
    note: you now need OPTIONS because SSL is required to validate kits (oops)
    reboot
    @sys$update:autogen
    reboot
==========================================================================================================================
```
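The same PEM procedure on a POSIX system with the OpenSSL command line, as an added example that is not part of the original notes: it builds the key-plus-certificate PEM, installs the `<hash>.0` copy, and repeats the rename test. The subject `host.example.test`, the temporary directory and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: POSIX-shell port of the DCL steps above. The host name "host"
# and every file name are constructed; this is not the page's own script.

# make_selfsigned DIR NAME: menu choice "A", writes NAME.key and NAME.crt
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# build_pem DIR NAME: NAME.pem = key followed by certificate (copy/concat).
# The result holds the private key, so it is created owner-readable only.
build_pem() {
    ( umask 077; cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem" )
}

# install_hash DIR NAME: copy NAME.crt to <subject-hash>.0 and print the hash.
# OpenSSL 1.0.0+ prints a different value than 0.9.8 for the same subject;
# -subject_hash_old gives the 0.9.8-style value.
install_hash() {
    h=$(openssl x509 -hash -noout -in "$1/$2.pem") || return 1
    cp "$1/$2.crt" "$1/$h.0" && printf '%s\n' "$h"
}

# verify_pem DIR NAME: succeed only on the "file: OK" form. The page's 0.9.8
# run prints "error 18 ..." and then a bare OK, which must not count as a pass.
verify_pem() {
    openssl verify -CApath "$1" -purpose any "$1/$2.pem" 2>&1 | grep -q ': OK$'
}

# pem_demo: repeat the page's "do we really need the hash file?" experiment.
pem_demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" host && build_pem "$d" host || return 1
    verify_pem "$d" host && return 2      # no hash file yet: must fail
    h=$(install_hash "$d" host) || return 1
    verify_pem "$d" host || return 3      # <hash>.0 present: must pass
    mv "$d/$h.0" "$d/$h.yada"             # the page's rename test
    verify_pem "$d" host && return 4      # lookup broken again: must fail
    rm -rf "$d"
}
```

Calling `pem_demo` returns 0 when all three verifications behave as in the session above; a non-zero return value identifies the step that differed.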
*** End of Section: Application Development ***
In 2010, HP (now HPE) published a product named HP SSL-1.4 for OpenVMS which was architecturally different from HP SSL-1.3 for OpenVMS. So much so that it came with this warning: any programs compiled and linked against SSL-1.3 needed to be recompiled and relinked. This is fine if "you have access to the source code" but in the case of applications built around third party software, you would need to contact the vendor. I seem to remember related warnings about some third party products like IBM WebSphere MQ and XCOM.
For example, this blast-from-the-past Solution Document: RO67803 from Computer Associates (a.k.a. CA) is dated 2014 and instructs XCOM users on OpenVMS to replace HP SSL-1.4 with HP SSL-1.3, which prompts me to wonder if Computer Associates lost the XCOM source code. This recommendation is a big mistake for many reasons.
```
<sr> $
<ur> prod sho pro *ssl*
<sr> ------------------------------------ ----------- ---------
     PRODUCT                              KIT TYPE    STATE
     ------------------------------------ ----------- ---------
     HP I64VMS SSL V1.4-502               Full LP     Installed
     HP I64VMS SSL1 V1.0-2L               Full LP     Installed
     ------------------------------------ ----------- ---------
     2 items found
     $
```
comments:
OpenSSL for OpenVMS (published by HP/HPE)
OpenSSL for OpenVMS (other)
SSL (general)
OpenSSL Tutorials
Compaq C Run-Time Library Reference Manual for OpenVMS Systems