OpenVMS Notes: SSL/TLS, etc.

Edit: 2014-03-22 (a few grammatical corrections)

(a very simple) Introduction to SSL/TLS (for VMS people)

1. SSL (secure sockets layer) is a communication protocol created by Netscape in 1994 to implement secure and encrypted web transactions on port 443 (the standard unencrypted port is 80).
    
2. SSL went through three revisions (numbered SSL-1 to SSL-3) but the fourth revision was so important that the name was changed to TLS (transport layer security) even though many people today think of TLS1 as SSL-4 (or SSL-3.1 at the very least). From a programmer's view, some of the API names and data structures for the TLS stack have been changed. This was done so new SSL applications are unable to accidentally link to the older libraries. BTW, the TLS stack can fall back to support SSL connections during the initial handshake.
   
   Comment: There is another reason for changing the API and the story starts with an unintentional security bug. Before the sale of Netscape to AOL in 1999, Netscape published much of their source code into the Mozilla Project (an open source site). A short time later, a paranoid programmer at company identity deleted modified the SSL library so it would would execute a random number function three additional times during session-key generation. Rumor has it that he mistakenly used a "long" variable rather than a "long long" variable which had the unintended effect of reducing the effective key size by 50% and the effective key space by 75%. This code was then published through the Mozilla Project and no one knows how much code escaped into the wild. Shortly after this revelation was made, many software publishers quickly realized it was better to introduce security changes cooperatively through the IETF (Internet Engineering Task Force) where more eyes get to see the code before it is published. The TLS stack represents the fruit of IETF efforts. (e.g. TLS is an IETF standards track protocol)
    
   
3. SSL/TLS is now used in many other places like communicating with a POP3 server over port 995 (the default unsecure POP3 port is 110) or FTPS (FTP over SSL)
    
   p.s. if you support TLS1 then do not need a special port. Some ISPs allow you to connect to SMTP port 25 using either clear-text or TLS1 encryption. The reason for this is that a TLS1 handshake always begins with clear-text then switches over to encryption with "Client Hello"
    
   
4. Server authentication is one way that a client can ensure the server is who it claims to be.
    
5. Client authentication (optional) is one way that a server can ensure the client system is who it claims to be.

On an OpenVMS system you could find SSL in two (or more) locations depending upon your setup:

1. Under Apache/SWS (Secure Web Server) if you have installed it (SSL/TLS is baked-into the product) This application has its own CERT TOOL.
   
   Use this method to display the SSL software used by your web server:
   

   Legend:	<ur> = user response
   	<sr> = system response
   -------------------------------------------------------------------------
   <sr> $									! my prompt
   <ur> telnet www.bellics.net 80<enter>					! telnet to server on port 80
   <sr> %TCPWARE_TELNET-I-TRYING, trying bellics.com,http (207.35.137.66,80) ...
        %TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^\"
   <ur> HEAD / HTTP/1.0<enter>						! request HEAD of default document using HTTP/1.0
        <enter>								! a blank line ends the HTTP header (tells server to start)
   <sr> HTTP/1.1 200 OK							! server answers with "I can do HTTP/1.1" and "success"
        Date: Fri, 22 Jun 2012 23:02:15 GMT				! server current date + time
        Server: Apache/2.0.63 (OpenVMS) mod_ssl/2.0.63 OpenSSL/0.9.8h	! server type and feature list
        Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT			! requested page modified at this date/time
        ETag: "c357e-3dc-dd296fc0"						!
        Accept-Ranges: bytes						! server can accept bytes
        Connection: close							! connection closed because we requested HTTP/1.0
        Content-Type: text/html						! requested page is in HTML format

2. As a standalone SSL package (if you installed it; it is automatically installed with OpenVMS 8.3 and higher). This application has its own CERT TOOL.
    
   Use this DCL command to check for it on your system:
   

   $product show product ssl
   
   ------------------------------------ ----------- ---------
   PRODUCT                              KIT TYPE    STATE
   ------------------------------------ ----------- ---------
   HP AXPVMS SSL V1.4-453               Full LP     Installed
   ------------------------------------ ----------- ---------

   On OpenVMS 8.x the ciphers built into OpenSSL are now also used for things like "validation of patch kits" as well as "encrypting backup save sets" to only name two of many possibilities. But the primary purpose of this package is to provide SSL/TLS capabilities for your client software. It also provides command line tools to help technical people debug SSL connections to remote servers.
    
3. I just mentioned that both Apache on OpenVMS and OpenSSL on OpenVMS have their own CERT TOOL. By default, they also have their own CERTIFICATES and this might not be what you want. I ran into some problems in 2012 involving an SSL-based gSOAP application which employed the PUSH-PUSH method (remote client uses HTTPS to push requests to a gSOAP module on my Apache server which immediately returns an HTTPS response; Some time later, my client uses HTTPS to push a REPLY back to the requesting server and expects an immediate HTTPS response; Initially I was using two different certificate caches (and SSL engines) which caused security people at the remote end to raise an eyebrow or two). Here is an HP-recommended method to have both subsystems use the same certificates on OpenVMS systems:
    
   
   1. all "our" production certificate files are located in this read-only directory:
          sys$sysdevice:[certificates]
   2. a logical name is defined (in script sys$manager:systartup_vms.com) to reference the certificate directory:
          $define/system  vms_cert_dir  sys$sysdevice:[certificates]
   3. Apache config files like apache$common[.conf]ssl.conf need to reference this logical name
   4. before experimenting with the certificate tools in directory SSL$COM you might consider copying production certificates to SSL$CERTS which usually points here:
          ssl$root:[000000.democa.certs]
   5. while certificates can be generated directly from OpenSSL CLI, DCL scripts provided HP are less prone to error. If you use these scripts then make sure you modify all instances of 365 days to 3650 days or you'll drive your users crazy. Even if you don't change all the scripts, make sure you modify the self-signed script: OPENSSL_SELF_CERT.COM

   Of course individual VMS users may still use personalized certificates stored in their local directories.

1. The CERT TOOL under the standalone SSL product can also be used to create documents for Apache 
   • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch03s04.html#d0e2028
      
2. Both CERT TOOLS are written in DCL scripts but call the OpenSSL CLI (command line interface).
    
   Caveat: I think Compaq made a huge mistake by hiding OpenSSL CLI in this fashon and suggest everyone learn how to use the tool directly. Why?
   1. You never know when you will find yourself doing SSL work on another OS with no DCL script to help you (think about your kid learning how to ride a bicycle with training wheels).
   2. Not all subcommands are available from the DCL script. For example, OpenSSL s_client is invaluable for debugging connections to other systems while OpenSSL s_server can be used by programmers to test newly written SSL-based client software. These two utilities are described below.
       
3. Why have two versions of SSL on your system? As mentioned earlier, the equivalent of HP-OpenSSL-1.3 is baked-into Apache 2.1 and used by anything served-up by Apache (secure web page, secure soap service, etc.). But what if you need a standalone SSL client (gSOAP, POP3, SMTP, HTTPS) to communicate with a distant SSL-based server? This compiled application is linked to the SSL run-time libraries associated with the standalone OpenSSL package.
    
   
4. Note that Apache 2.2 for OpenVMS contains a baked-in version of SSL which is closer to HP-OpenSSL-1.4
    
5. On 2012-02-14 I realized that the command OpenSSL s_client does not work properly with OpenVMS kit HP-OpenSSL-1.4-453
   • Symptom: After using the s_client to successfully make a secure connection (which works), sending data through the secure connection appears to work but you are unable to view the response.
   • The bug is found in all versions starting with HP-OpenSSL-1.2 (December 2004) and running through HP-OpenSSL-1.4-467 (June 2012). Eight years and counting. Yikes!
   • The bug is not found on CPQ-OpenSSL-1.1B
   • The bug only affects Alpha and Itanium since there were no official SSL releases for VAX after CPQ-OpenSSL-1.1B
   • All CLI examples listed ~50 lines below this point do work with OpenSSL implementations on: Linux, Macintosh OS-X, Solaris, Windows but not OpenVMS
   • The problem was reported to HP in March 2012 but their latest kit (June 2012) still contains the bug and it looks like this will not be fixed until 2013.
   • Excerpt from 2006 manual: HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS
     • http://h71000.www7.hp.com/doc/83final/ba554_90007/rn01re25.html (page title: s_client)
     • quote from section: Restrictions

       "Because this program has a lot of options and also because some of the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler"

     • comment: I can certainly empathize with HP on this statement; the open-source author of s_client.c should be shot for producing something which would have been rejected by every introductory programing course (many people claim it is difficult to write spaghetti logic in "C"; this program is proves it is easy). To make matters worse, this program underwent subsequent feature development without any programmers doing a code cleanup (probably everyone threw up their hands in bewilderment). Now this program is so big and ugly that it appears nearly impossible to do a rewrite without breaking something.
   • I suspect that no customers reported this bug until now because most people use the HP-provided DCL scripts rather than directly accessing the OpenSSL CLI
   • Click here for more information including how to build your own fix (requires a C compiler and HP's SSL Source Code Kit)
      
     
6. On 2013-03-07 HP released HP-OpenSSL-1.4-471 and it appears that OpenSSL s_client now works properly. Kudos to HP.

Hacking (learning) with the OpenSSL CLI/CLU (part 1)

The OpenSSL CLI/CLU (command line interpreter/command line utility) exists for the following reasons:

1. Testing client-server connectivity
   1. can you connect at all?
   2. is there an SSL handshake after you connect?
   3. is there something wrong with the far-end server certificate?
   4. is the far-end server requesting a client certificate but you have not defined one at the near-end client?
   5. are near-end certificates usable?
   6. is your client trusted certificate chain usable?
   7. is a cipher missing?
       
2. As a teaching tool
   • use OpenSSL s_client to connect to Google or Twitter
   • use OpenSSL s_client to connect to your Apache web server
   • put two OpenSSL platforms end-to-end; one running OpenSSL s_server while the other running OpenSSL s_client
   • if you are on a really tight budget, run the client and server sessions from two different command-line sessions on the same computer system
      
3. Proves that the underlying SSL library routines are functional (your SSL-based client software will link to the OpenSSL libraries; if the CLI programs work properly and your client software does not, then the problem most likely exists in your code)
    
4. As a tool to test client (or server) software you just wrote
    
5. CLI source code, as well as the example programs, can be used to teach you how to write an SSL program (although s_server.c and s_client.c are in horrible shape and whoever wrote s_client.c should be shot (or at least endure the public embarrassment of a code review))
   

Official OpenSSL Documentation:

• http://www.openssl.org/docs/
• http://www.openssl.org/docs/HOWTO/ (read the files)
• http://www.openssl.org/docs/ssl/ssl.html (programmer SSL library descriptions)

• http://www.openssl.org/docs/apps/openssl.html (general help on the OpenSSL CLI)
• http://www.openssl.org/docs/apps/s_server.html (server specific help)
• http://www.openssl.org/docs/apps/s_client.html (client specific help)

HP OpenSSL Documentation

• http://h71000.www7.hp.com/openvms/products/ssl/ssl.html

A few one-liner examples:

Notes:
  1) in VMS/DCL, you must quote upper-case or mixed-case parameters like -CApath , -CAfile , -WWW
  2) in VMS/DCL, comments begin with an exclamation (!)
  3) in VMS/DCL, you continue a line by ending with a dash (-)
  4) legend: <ur> = user response
             <sr> = system response

OpenSSL interactive help:

<sr> $					! my DCL prompt
<ur> openssl				! drop into the openssl cli application
<sr> OPENSSL>				! application prompt
<ur> ?					! request help
<sr> ...help is displayed...		!
     OPENSSL>				! application prompt
<ur> exit				! exit to DCL
<sr> $					! my DCL prompt
----------------------------------------
<sr> ?					! my DCL prompt
<ur> openssl          ?			! general openssl help from DCL
<sr> ...help is displayed...
     $					! my DCL prompt
----------------------------------------
<sr> $					! my DCL prompt
<ur> openssl s_client ?			! client specific help
<sr> ...s_client help is displayed...
     $					! my DCL prompt
----------------------------------------
<sr> $					! my DCL prompt
<ur> openssl s_server ?			! server specific help
<sr> ...s_server help is displayed...
     $					! my DCL prompt

OpenSSL client examples (public sites like Twitter and Google)

Notes:

1. here we use -no_tls1 because tls1 is much more strict than ssl2 and ssl3 and we want a little leniency right now (on top of this, my OpenVMS platforms only use self-signed certificates and tls1 doesn't like them at all)
    
2. Caveats:
   1. the following examples are for a machines directly connected to the internet. Firewalls and proxy servers present different challenges. 
   2. if the following commands do not work on your OpenVMS system then check out this warning

<sr>	$									! my DCL prompt
<ur>	openssl s_client -connect www.twitter.com:443 -no_tls1			! connect to Twitter (no TLS1)
<sr>	...handshake verbage...							! bla...bla...bla...
	---									! your intermediate ssl prompt
<ur>	GET / HTTP/1.0<enter>							! get default document; use HTTP 1.0
	<enter>									! signal end of HTTP header
<sr>	HTTP/1.0 200 OK								! response
	Date: Fri, 22 Jun 2012 23:16:38 GMT					!
	Status: 200 OK								!
	Pragma: no-cache							!
	Content-Type: text/html; charset=utf-8					!

<sr>	$									!
<ur>	openssl s_client -connect www.google.com:443 -no_tls1			! connect to Google (no TLS1)
<sr>	...handshake verbage...							! bla...bla...bla...
	---									! your intermediate ssl prompt
<ur>	GET / HTTP/1.0<enter>							! get default document; use HTTP 1.0
	<enter>									! signal end of HTTP header
<sr>	HTTP/1.0 302 Found							! 302 = moved (oops, they don't like HTTP/1.0)
	Location: https://www.google.ca/
	Cache-Control: private
	Content-Type: text/html; charset=UTF-8
	Set-Cookie: expires=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com

<sr>	$									!
<ur>	openssl s_client -connect www.google.ca:443 -no_tls1			! connect to Google (no TLS1)
	...handshake verbage...							! bla...bla...bla...
	---									! your intermediate ssl prompt
<ur>	GET / HTTP/1.1<enter>							! okay so let's try HTTP/1.1
	host: www.google.ca:443<enter>						! need this line for HTTP/1.1
	<enter>									! signal end of HTTP header 
<sr>	HTTP/1.1 200 OK								!
	Set-Cookie: NID=61=H7WfG9OQ6uHDvVU8OJyt_Z4x8a4cj0DUpLUfH9D9eeKVou1FwaP8ok16
	vDlgV3sX1JPzrd3G8tNc3mDgbdPZy8mGnmpKJ3WCKHVT6gbCV8Z56rKIVgXokgJkptJZ-i00;
	expires=Sat, 22-Dec-2012 22:51:17 GMT; path=/; domain=.google.ca; HttpOnly
	Date: Fri, 22 Jun 2012 22:51:17 GMT
	Expires: -1
	Cache-Control: private, max-age=0
	Content-Type: text/html; charset=ISO-8859-1
	Set-Cookie: PREF=ID=3ba285f540771657:FF=0:TM=1340405477:LM=1340405477:S=TpABG903GxV7Ufhg; expires=Sun, 22-Jun-2014 22:51:17 GMT; pat
	h=/; domain=.google.ca
	Set-Cookie: NID=61=H7WfG9OQ6uHDvVU8OJyt_Z4x8a4cj0DUpLUfH9D9eeKVou1FwaP8ok16vDlgV3sX1JPzrd3G8tNc3mDgbdPZy8mGnmpKJ3WCKHVT6gbCV8Z56rKIV
	gXokgJkptJZ-i00; expires=Sat, 22-Dec-2012 22:51:17 GMT; path=/; domain=.google.ca; HttpOnly
	P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
	Server: gws
	X-XSS-Protection: 1; mode=block
	X-Frame-Options: SAMEORIGIN
	Transfer-Encoding: chunked

	1000									! byte count of chunked data block
	[...snip...]

<sr>	$									!
<ur>	openssl s_client -connect www.bell.ca:443 -showcerts			! connect to google.ca
<sr>	CONNECTED(00000005)
	depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated 
	by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification 
	Authority - L1C
	verify error:num=20:unable to get local issuer certificate
	verify return:0
	---
	Certificate chain							!
	0 s:/C=CA/ST=Ontario/L=Mississauga/O=Bell Canada/CN=mybell.bell.ca	! Level 0: sourced by Google
	  i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by	!	   issued: by Entrust 
		reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification	!
		Authority - L1C							!
	-----BEGIN CERTIFICATE-----
	MIIIXDCCB0SgAwIBAgIETB0YBDANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
	VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
	[...snip...]								! chopped out
	qXpNDaiIq2kB9USHxlXOeSWS5+QLHXZ/6x0WLdDqmHJD2HH98KiRgLlLYS9G+LN8
	lPhvtxyDy+EMtnCQl1u4MbNaQsPsk/D9OFYcGjkr0IM=
	-----END CERTIFICATE-----
	1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated 	! Level 1: source by Entrust
		by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust 		!
		Certification Authority - L1C					!
	  i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.		!	   issued by Entrust
		(limits liab.)/OU=(c) 1999 Entrust.net Limited
		/CN=Entrust.net Certification Authority (2048)
	-----BEGIN CERTIFICATE-----
	MIIE8jCCA9qgAwIBAgIEOGPp/DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
	RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
	[...snip...]								! chopped out
	PFS+/i/qaZ0cHimbltjI/lGQ8SSmkAaz8Cmi/3gud1xFIdlEADHzvjJP9QoyDfz8
	uhZ2VrLWSJLyi6Y+t6xcaeoLP2ZFuQ==
	-----END CERTIFICATE-----
	---
	Server certificate
	subject=/C=CA/ST=Ontario/L=Mississauga/O=Bell Canada/CN=mybell.bell.ca
	issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference
	/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
	---
	No client certificate CA names sent
	---
	SSL handshake has read 3586 bytes and written 489 bytes
	---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 2048 bit
	Secure Renegotiation IS supported
	Compression: NONE
	Expansion: NONE
	SSL-Session:
	Protocol : TLSv1
	Cipher : AES256-SHA
	Session-ID: 20D6EC9351E887BBFF62FB85E62A4C6746B9A1F591A1927A7D5116EF6325135B
	Session-ID-ctx: 
	Master-Key: 1AD1EA1B547DF1F44F500384D87141B939AC17578316540EB1AEAD108A3B6F30
	34AD91CB510F21BAD2C9DE982AB6815A
	Key-Arg : None
	Start Time: 1344262653
	Timeout : 300 (sec)
	Verify return code: 20 (unable to get local issuer certificate)
	---
<ur>	<ctrl-y>								!
<sr>	Interrupt								!
	$									!

OpenSSL client examples connecting to my Apache webserver (listening at 142.180.221.226:443)

<ur>	openssl s_client -connect 142.180.221.226:443 -showcerts		! what far-end certificates are available?

<ur>	openssl s_client -connect 142.180.221.226:443 -debug			! show more info hex and ASCII

<ur>	openssl s_client -connect 142.180.221.226:443 -state			! show ssl state transitions 

Note: after anyone of these commands, type the following:

<ur>	GET / HTTP/1.0<enter>							! get default document using HTTP/1.0
	<enter>									! signal end of HTTP header

<ur>	define/sys  vms_cert_dir  sys$sysdevice:[certificates]			! every vms system needs one of these 

<ur>	openssl s_client -connect 142.180.221.226:443	-			!
		-cert vms_cert_dir/client.crt		-			! for optional client verification
		-key vms_cert_dir/client.key					! for optional client verification

<ur>	openssl s_client -connect 142.180.221.226:443	-			!
		-cert vms_cert_dir/client.pem					! key + crt inside of pem

<ur>	openssl s_client -connect 142.180.221.226:443	-
		-cert vms_cert_dir/client.crt		-
		-key vms_cert_dir/client.key		-
		-tls1								! only use TLS1 encryption

Note: after anyone of these commands, type the following:

<ur> GET / HTTP/1.0<enter>							! get default document using HTTP/1.0
     <enter>									! signal end of HTTP header

OpenSSL client examples connecting to SSL$SIMPLE_SERV.C  (listening at 142.180.39.15:5555)

<ur>	openssl s_client -connect 142.180.39.15:5555 -debug			! negotiate for the best encryption

<ur>	openssl s_client -connect 142.180.39.15:5555 -state			! watch SSL change states

<ur>	openssl s_client -connect 142.180.39.15:5555 -tls1 -debug		! use TLS1 encryption

<ur>	openssl s_client -connect 142.180.39.15:5555 -ssl3 -debug		! use SSL3 encryption

<ur>	openssl s_client -connect 142.180.39.15:5555 -ssl2 -debug		! use SSL2 encryption

<ur>	openssl s_client -connect 142.180.39.15:5555	-			!
		-cert vms_cert_dir/client.pem		-			! PEM files require a HASH file
		"-CAfile" vms_cert_dir/client_ca.pem	-			! list of trusted certificates
		"-CApath" vms_cert_dir						! quote mixed case params in VMS

OpenSSL client/server examples:

1. the client and server programs do not need to reside on different machines but it is more fun if they do (one or more PCs also work)
    
2. if connecting to the same machine, address "127.0.0.1" will work most all the time except in the case of the TLS protocol which contains additional security (with TLS just use the FQDN or true I/P address)

Server:

<ur>	openssl s_server -accept 5000		-
		-cert vms_cert_dir/server.crt	-
		-key vms_cert_dir/server.key	-
		-debug				-
		-www								! barely simulate a webserver
<sr>	Using default temp DH parameters
	Using default temp ECDH parameters
	ACCEPT

Client:

<ur>	openssl s_client -connect 142.180.39.15:5000 -debug			! will connect to server
<sr>	...handshake verbage...							! bla...bla...bla...
<ur>	GET / HTTP/1.0<enter>							! request default page containing stats
	<enter>									! signal end of HTTP header

Server:

<ur>	set default sys$login							! run these tests from your sys$login directory
<sr>	$
<ur>	create neil.txt								! create a small text file
	this is sample text<ctrl-z>						! place text in the file
<sr>	$									!
<ur>	openssl s_server -accept 5000		-
		-cert vms_cert_dir/server.crt	-
		-key vms_cert_dir/server.key	-
		-debug				-
		-"WWW"								! simulate a better webserver
<sr>	Using default temp DH parameters
	Using default temp ECDH parameters
	ACCEPT

Client:

<ur>	openssl s_client -connect 142.180.39.15:5000	-
		-cert vms_cert_dir/client.crt		-
		-key vms_cert_dir/client.key		-			! will connect to server
<sr>	...handshake verbage...							! bla...bla...bla...
<ur>	GET /neil.txt HTTP/1.0<enter>						! request file "neil.txt"
	<enter>									! signal end of HTTP header
<sr>	HTTP 200 (OK)
	...header verbage...
       
	this is sample text							! presto

Server:

<ur>	set default sys$login							! run these tests from your sys$login directory
<sr>	$
<ur>	type neil.txt								! make sure test file exists
<sr>	this is sample text
	$									!
<ur>	openssl s_server -accept 5000		-
		-cert vms_cert_dir/server.crt	-
		-key vms_cert_dir/server.key	-
		-debug				-
		-"WWW"				-				! simulate a better webserver
		-"Verify" 9							! force client to require a certificate
<sr>	verify depth is 9, must return a certificate
	Using default temp DH parameters
	Using default temp ECDH parameters
	ACCEPT 

Client:

<ur>	openssl s_client -connect 142.180.39.15:5000	-
		-cert vms_cert_dir/client.crt		-
		-key vms_cert_dir/client.key		-			! will connect to server
<sr>	...handshake verbage...							! bla...bla...bla...
<ur>	GET /neil.txt HTTP/1.0<enter>						! request file "neil.txt"
	<enter>									! signal end of HTTP header
<sr>	HTTP 200 (OK)
	...header verbage...
       
	this is sample text							! presto
<ur>	openssl s_client -connect 142.180.39.15:5000				! reconnect "without any certs"
<sr>	CONNECTED(00000005)
	depth=0 /C=CA/ST=ON/L=KITCHENER/O=BELL CANADA/OU=BELL-ATS/CN=www.bellics.com/emailAddress=neil@bellics.com
	verify error:num=18:self signed certificate				! this is not really an error
	verify return:1
	depth=0 /C=CA/ST=ON/L=KITCHENER/O=BELL CANADA/OU=BELL-ATS/CN=www.bellics.com/emailAddress=neil@bellics.com
	verify return:1
	262761:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:S3_PKT:1102:SSL alert number 40
	262761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:S23_LIB:182:

Server:

<sr>	...verbage...
	261215:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:S3_SRVR:2611:
	ACCEPT									! waiting for another transaction

OpenSSL advanced and obscure stuff

<ur>	openssl ciphers									! what ciphers are available?
<sr>	DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:
	DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-
	CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:
	AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:DHE-RSA-CAMELLIA128
	-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC2-CBC-MD5:DHE-DSS-RC4-SHA:
	RC4-SHA:RC4-MD5:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:E
	DH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DH
	E-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC
	-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-
	MD5
<sr>	openssl s_client -connect www.google.ca:443 -cipher "RC4-SHA"			! connect to Google using the RED cipher
	...handshake verbage...								! bla...bla...bla...

Creating/using a trusted client chain (add remote cert to local cache)

Note: This is similar to what happens when you import a certificate into your browser

<sr>	$										! my prompt
<ur>	set def sys$login								! start in home location
<sr>	$										!
<ur>	openssl s_client -connect kawc09.on.bell.ca:443	-				! connect to development platform
		-state -showcerts							! (without any local certificate)
<sr>	CONNECTED(00000005)
	SSL_connect:before/connect initialization
	SSL_connect:SSLv2/v3 write client hello A
	SSL_connect:SSLv3 read server hello A
	depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	verify error:num=18:self signed certificate		<<<--- oops (let's fix this)
	verify return:1
	depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	verify return:1
	SSL_connect:SSLv3 read server certificate A
	SSL_connect:SSLv3 read server key exchange A
	SSL_connect:SSLv3 read server done A
	SSL_connect:SSLv3 write client key exchange A
	SSL_connect:SSLv3 write change cipher spec A
	SSL_connect:SSLv3 write finished A
	SSL_connect:SSLv3 flush data
	SSL_connect:SSLv3 read finished A
	---
	Certificate chain
	0 s:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	i:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	---
	Server certificate
	-----BEGIN CERTIFICATE-----
	MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC
	Y2ExEDAOBgNVBAgTB09udGFyaW8xEjAQBgNVBAcTCUtpdGNoZW5lcjEUMBIGA1UE
	ChMLQmVsbCBDYW5hZGExETAPBgNVBAsTCEJlbGwtQVRTMRowGAYDVQQDExFrYXdj
	MDkub24uYmVsbC5jYTElMCMGCSqGSIb3DQEJARYWbmVpbEBrYXdjMDkub24uYmVs
	bC5jYTAeFw0xMjAyMTUxMzE4NThaFw0yMjAyMTIxMzE4NThaMIGfMQswCQYDVQQG
	EwJjYTEQMA4GA1UECBMHT250YXJpbzESMBAGA1UEBxMJS2l0Y2hlbmVyMRQwEgYD
	VQQKEwtCZWxsIENhbmFkYTERMA8GA1UECxMIQmVsbC1BVFMxGjAYBgNVBAMTEWth
	d2MwOS5vbi5iZWxsLmNhMSUwIwYJKoZIhvcNAQkBFhZuZWlsQGthd2MwOS5vbi5i
	ZWxsLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtQLWBevmVYTkd1mWy
	e6lALLkf4HmdTeAUhAcuOmEoQhVwt1KLWN2HIDVqxpJUw9V939L2VV9A5AnM7g/k
	1SlN/mCAY8yGvr0J+EGGRTo/vP+ATjWskk4ZdBQ1vGIdalYhH8jWYSu35eoDwdTw
	8yFwVPFWs36+Ip8RhklF+RtvCQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACHXO9bv
	flBot9a7rSQ0BvylijGZ7L3KkA9To1ecVawh99zNAFha7paM7syIGsYsFKjgkOgR
	S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti
	zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn
	-----END CERTIFICATE-----
	subject=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	issuer=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	---
	No client certificate CA names sent
	---
	SSL handshake has read 1270 bytes and written 361 bytes
	---
	New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
	Server public key is 1024 bit
	Secure Renegotiation IS supported
	Compression: NONE
	Expansion: NONE
	SSL-Session:
	Protocol : TLSv1
	Cipher : DHE-RSA-AES256-SHA
	Session-ID: DE5C43E6C8B445FCDA60894A08650E5B19D1E99DAF3F70D2661EE60956001CF1
	Session-ID-ctx: 
	Master-Key: CFF329BE8FFF7B8FD7E6201B16F1AC3663EFF5633CDDD6EA52C79ED4A5C1A7A1F796DECCD77FCD21D497DC2021402118
	Key-Arg : None
	Start Time: 1343864769
	Timeout : 300 (sec)
	Verify return code: 18 (self signed certificate)			<<<---oops (let's fix this)
	---
<ur> <ctrl-Y>										! we're done so hit <ctrl-Y> 
<sr> INTERRUPT
	$
<ur> cre xxx_kawc09.crt									! create a file (xxx = external)
	-----BEGIN CERTIFICATE-----							! this was pasted in from above
	MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC
	Y2ExEDAOBgNVBAgTB09udGFyaW8xEjAQBgNVBAcTCUtpdGNoZW5lcjEUMBIGA1UE
	ChMLQmVsbCBDYW5hZGExETAPBgNVBAsTCEJlbGwtQVRTMRowGAYDVQQDExFrYXdj
	MDkub24uYmVsbC5jYTElMCMGCSqGSIb3DQEJARYWbmVpbEBrYXdjMDkub24uYmVs
	bC5jYTAeFw0xMjAyMTUxMzE4NThaFw0yMjAyMTIxMzE4NThaMIGfMQswCQYDVQQG
	EwJjYTEQMA4GA1UECBMHT250YXJpbzESMBAGA1UEBxMJS2l0Y2hlbmVyMRQwEgYD
	VQQKEwtCZWxsIENhbmFkYTERMA8GA1UECxMIQmVsbC1BVFMxGjAYBgNVBAMTEWth
	d2MwOS5vbi5iZWxsLmNhMSUwIwYJKoZIhvcNAQkBFhZuZWlsQGthd2MwOS5vbi5i
	ZWxsLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtQLWBevmVYTkd1mWy
	e6lALLkf4HmdTeAUhAcuOmEoQhVwt1KLWN2HIDVqxpJUw9V939L2VV9A5AnM7g/k
	1SlN/mCAY8yGvr0J+EGGRTo/vP+ATjWskk4ZdBQ1vGIdalYhH8jWYSu35eoDwdTw
	8yFwVPFWs36+Ip8RhklF+RtvCQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACHXO9bv
	flBot9a7rSQ0BvylijGZ7L3KkA9To1ecVawh99zNAFha7paM7syIGsYsFKjgkOgR
	S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti
	zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn
	-----END CERTIFICATE-----
	<ctrl-z>									! hit <ctrl-z> to exit
<sr>	Exit
<ur>	copy xxx_kawc09.crt vms_cert_dir						! copy file to our cert directory
<sr>	$
<ur>	set def vms_cert_dir								! now move over there
<sr>	$
<ur>	dir client_ca.pem								!
<sr>	%DIRECT-W-NOFILES, no files found
<ur>	copy xxx_kawc09.crt client_ca.pem						! copy cert into new PEM
		or									! or
	copy client_ca.pem, xxx_kawc09.crt client_ca.pem				! append cert onto existing PEM
<sr>	$
<ur>	openssl x509 -hash -noout -in client_ca.PEM					! compute hash of pem
<sr>	1132507a
<ur>	copy client_ca.PEM 1132507a.0							! create a hash file with '.0' extension
<sr>	$
<ur>	openssl verify "-CApath" vms_cert_dir -verbose -purpose any client_ca.PEM	! test the PEM-hash combo
<sr>	client_ca.pem: OK								! looks good
<ur>	set def sys$login:								! back to our home directory
<sr>	$										!
<ur>	openssl s_client -connect kawc09.on.bell.ca:443 -state	-			! connect to development platform
		-cert vms_cert_dir/kawc96.crt			-			!
		-key vms_cert_dir/kawc96.key			-			!
		-"CAfile" vms_cert_dir/client_ca.PEM					! but reference trusted cert chain
<sr>	CONNECTED(00000005)
	SSL_connect:before/connect initialization
	SSL_connect:SSLv2/v3 write client hello A
	SSL_connect:SSLv3 read server hello A
	depth=0 /C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	verify return:1									<<<--- cool (fixed)
	SSL_connect:SSLv3 read server certificate A
	SSL_connect:SSLv3 read server key exchange A
	SSL_connect:SSLv3 read server done A
	SSL_connect:SSLv3 write client key exchange A
	SSL_connect:SSLv3 write change cipher spec A
	SSL_connect:SSLv3 write finished A
	SSL_connect:SSLv3 flush data
	SSL_connect:SSLv3 read finished A
	---
	Certificate chain
	0 s:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	i:/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	---
	Server certificate
	-----BEGIN CERTIFICATE-----
	MIICtzCCAiACCQCOJDXcN8BI4TANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMC
	Y2ExEDAOBgNVBAgTB09udGFyaW8xEjAQBgNVBAcTCUtpdGNoZW5lcjEUMBIGA1UE
	ChMLQmVsbCBDYW5hZGExETAPBgNVBAsTCEJlbGwtQVRTMRowGAYDVQQDExFrYXdj
	MDkub24uYmVsbC5jYTElMCMGCSqGSIb3DQEJARYWbmVpbEBrYXdjMDkub24uYmVs
	bC5jYTAeFw0xMjAyMTUxMzE4NThaFw0yMjAyMTIxMzE4NThaMIGfMQswCQYDVQQG
	EwJjYTEQMA4GA1UECBMHT250YXJpbzESMBAGA1UEBxMJS2l0Y2hlbmVyMRQwEgYD
	VQQKEwtCZWxsIENhbmFkYTERMA8GA1UECxMIQmVsbC1BVFMxGjAYBgNVBAMTEWth
	d2MwOS5vbi5iZWxsLmNhMSUwIwYJKoZIhvcNAQkBFhZuZWlsQGthd2MwOS5vbi5i
	ZWxsLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtQLWBevmVYTkd1mWy
	e6lALLkf4HmdTeAUhAcuOmEoQhVwt1KLWN2HIDVqxpJUw9V939L2VV9A5AnM7g/k
	1SlN/mCAY8yGvr0J+EGGRTo/vP+ATjWskk4ZdBQ1vGIdalYhH8jWYSu35eoDwdTw
	8yFwVPFWs36+Ip8RhklF+RtvCQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACHXO9bv
	flBot9a7rSQ0BvylijGZ7L3KkA9To1ecVawh99zNAFha7paM7syIGsYsFKjgkOgR
	S/To2pITuhif+f7Mec4qU/SDUXpj6Se/tJE9TjE2Mc5edTUmgX3amMpYUnQwBHti
	zQb9M8XXRU0RwBHZgqOYk/amVFeVCVFxw9jn
	-----END CERTIFICATE-----
	subject=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	issuer=/C=ca/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	---
	No client certificate CA names sent
	---
	SSL handshake has read 1270 bytes and written 361 bytes
	---
	New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
	Server public key is 1024 bit
	Secure Renegotiation IS supported
	Compression: NONE
	Expansion: NONE
	SSL-Session:
	Protocol : TLSv1
	Cipher : DHE-RSA-AES256-SHA
	Session-ID: 96B7F72BDCCB65C8040BD1DFE714989D87F966D000AB7ED9CDD9AEF5FD4EAE89
	Session-ID-ctx: 
	Master-Key: 7737874E462FAFD277E6541BD2608070BEBB15393D6897125F1DF8A10AC3AE24D5FD65BA0F909F9576A04856345BB6EE
	Key-Arg : None
	Start Time: 1343865022
	Timeout : 300 (sec)
	Verify return code: 0 (ok)					<<<---cool (fixed)
	---
<ur>	<ctrl-y>
<sr>	Interrupt
	$  

Example 'C' Programs from HP

Directory SYS$COMMON:[SYSHLP.EXAMPLES.SSL]

Filename                         Size Notes
-------------------------------- ---- ----------------------------------------------------------------------
SSL$SIMPLE_CLI.C;1                18  Simplest SSL Client (SSL and socket without BIO)
SSL$SIMPLE_SERV.C;1               17  Simplest SSL Server (SSL and socket without BIO)

SSL$BIO_CLI.C;1                   18  Simplest SSL Client + "Socket BIO"
SSL$BIO_SERV.C;1                  18  Simplest SSL Server + "Socket BIO"

SSL$CLI_VERIFY_CLIENT.C;1         18  "Socket BIO" + "client certificate verification"
SSL$SERV_VERIFY_CLIENT.C;1        18  "Socket BIO" + "client certificate verification"

SSL$CLI_SESS_RENEGO.C;1           22  "Socket BIO" + "SSL Renegotiation
SSL$SERV_SESS_RENEGO.C;1          23  "Socket BIO" + "SSL Renegotiation"

SSL$CLI_SESS_RENEGO_CLI_VER.C;1   22  "Socket BIO" + "client certificate verification" + "SSL Renegotiation"
SSL$SERV_SESS_RENEGO_CLI_VER.C;1  23  "Socket BIO" + "client certificate verification" + "SSL Renegotiation"

SSL$CLI_SESS_REUSE.C;1            20  "Socket BIO" + "Session Reuse (Resumption)"
SSL$SERV_SESS_REUSE.C;1           18  "Socket BIO" + "Session Reuse (Resumption)"

SSL$CLI_SESS_REUSE_CLI_VER.C;1    24  "Socket BIO" + "client certificate verification"
SSL$SERV_SESS_REUSE_CLI_VER.C;1   27  "Socket BIO" + "client certificate verification"

SSL$TCP_CLIENT_QIO_SSL.C;1        34  TCP/IP Client using the Queued I/O System Service
SSL$TCP_SERVER_QIO_SSL.C;1        44  TCP/IP Server using the Queued I/O System Service

SSL$AES.C;1                       20  Advanced Encryption Standard
SSL$SHA1_MD5.C;1                  16  uses SSL crypto library SHA1 or MD5 message digest

Just for fun, enter this DCL command:

        $dif  SSL$BIO_CLI.C  SSL$SIMPLE_CLI.C  /par/ignore=(white,case)

Not much difference between these two programs, eh?

Getting Familiar with SSL Programming on OpenVMS-7.3-2

Caveat: the following work needs to be repeated with the new HP SSL Version 1.4 (2012) which is not compatible with HP SSL Version 1.3 and earlier. But I suspect a simple recompile and link is all that is required. I'll get back here sometime in 2013.

Caveat: you need a "C" compiler to build the following executables
Legend: <ur> = user response
        <sr> = system response

<sr>	$
<ur>	set def SSL$EXAMPLES							! we are now located somewhere under SYS$HELP
<sr>	$
<ur>	edit SSL$SIMPLE_SERV.C							! to inspect the build instructions then exit

Note: the following instructions are for 32-bit apps

<sr>	$
<ur>	cre VMS_DECC_OPTIONS.OPT
	SYS$LIBRARY:SSL$LIBCRYPTO_SHR.EXE/SHARE
	SYS$LIBRARY:SSL$LIBSSL_SHR.EXE/SHARE
	<ctrl-Z>
<sr>	$
<ur>	CC/POINTER_SIZE=32/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL$SIMPLE_SERV.C	! build simple server
<sr>	$
<ur>	link SSL$SIMPLE_SERV.obj, VMS_DECC_OPTIONS.OPT/OPT
<sr>	$
<ur>	CC/POINTER_SIZE=32/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL$SIMPLE_CLI.C	! build simple client
<sr>	$
<ur>	link SSL$SIMPLE_CLI.obj, VMS_DECC_OPTIONS.OPT/OPT
<sr>	$
<ur>	run SSL$SIMPLE_SERV.EXE
<sr>	186045:error:02001002:system library:fopen:no such file or directory:BSS_FILE:278:fopen('server.crt','r')
	186045:error:20074002:BIO routines:FILE_CTRL:system lib:BSS_FILE:280:
	186045:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:SSL_RSA:515:

Note: The errors above indicate the certificates are missing from this directory.
      Read the contents of file "SSL$EXAMPLES:SSL$EXAMPLES_SETUP.TEMPLATE"

<sr>	$
<ur>	set def SSL$COM
<sr>	$
<ur>	@SSL$CERT_TOOL.COM							! <<<--- start HP's certificate tool

Steps:

I/O from session #1 (Server)

<sr>	$
<ur>	run SSL$SIMPLE_SERV.EXE

I/O from session #2 (Client)

<sr>	$
<ur>	run SSL$SIMPLE_CLI.EXE
<sr>	Message to be sent to the SSL server:
<ur>	Hello There!                                                  (end this message by hitting <ctrl-M> or <enter>)
<sr>	SSL connection using AES256-SHA
	Server certificate:
        	subject: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=bellics.com/emailAddress=webmaster@bellics.com
        	issuer: /C=CA/O=Bell Canada/OU=Bell-ATS/CN=CA-SERVER
	Received 35 chars:'This message is from the SSL server'

I/O from session #1 (Server)

<sr>	Connection from 100007f, port bc71
	SSL connection using AES256-SHA
	Received 13 chars:'Hello There!                               (there seems to be an <EOL> here)
	'
	$

Two Example Apps Require Modifications for Use With TCPware

These two apps:

1. SSL$TCP_CLIENT_QIO_SSL.C
2. SSL$TCP_SERVER_QIO_SSL.C

contain references for TCP/IP Services for OpenVMS so will not compile as-is under TCPware. You need to make the following modifications:

1. replace this line:
       #include <tcpip$inetdef.h>
   with this one:
       #include "tcpware_include:ucx$inetdef.h"
2. use an editor and do a global replace of this:
       TCPIP$C_SOCK_NAME
   with this:
       INET$C_SOCK_NAME
3. use an editor and do a global replace of this:
       TCPIP$
   with this:
       UCX$

Caveat: these two example apps are the only ones which DO NOT use the certificates in the example directory (see declarations).

I/O from session #1 (Server)

<sr>	$
<ur>	run SSL$TCP_SERVER_QIO_SSL-TCPWARE.EXE             (this is the TCPware version of SSL$TCP_SERVER_QIO_SSL.exe)

I/O from session #2 (Client)

<sr>	$
<ur>	run SSL$TCP_CLIENT_QIO_SSL-TCPWARE.EXE             (this is the TCPware version of SSL$TCP_CLIENT_QIO_SSL.exe)
<sr>	Enter remote host:
<ur>	127.0.0.1
<sr>	Initiated connection to host: 127.0.0.1, port: 5555

	Info Callback state = 16, ret code = 1
		SSL_CB_HANDSHAKE_START

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		before/connect initialization

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 write client hello A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 read server hello A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 read server certificate A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 read server done A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 write client key exchange A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 write change cipher spec A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 write finished A

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 flush data

	Info Callback state = 4097, ret code = 1
		SSL_CB_CONNECT_LOOP
		SSLv3 read finished A

	Info Callback state = 32, ret code = 1
		SSL_CB_HANDSHAKE_DONE

	Info Callback state = 4098, ret code = 1
		SSL_CB_CONNECT_EXIT 
	SSL connection using AES256-SHA
	Server certificate:
		subject: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=bellics.com/emailAddress=webmaster@bellics.com
		issuer: /C=CA/O=Bell Canada/OU=Bell-ATS/CN=CA-SERVER
	Message to be sent to the SSL server: 
		--- From SSL QIO Client, Hey, Hello Server ---  
	Received 39 chars:'This message is from the SSL QIO server'

	Info Callback state = 16392, ret code = 256
		SSL_CB_WRITE_ALERT
		Alert = warning:close notify
	$ 

I/O from session #1 (Server)

<sr>	$
<ur>	run SSL$TCP_SERVER_QIO_SSL-TCPWARE.EXE             (this is the TCPware version of SSL$TCP_SERVER_QIO_SSL.exe)
<sr>	. . . Waiting for a client connection on port: 5555
	. . . Accepted connection from host: 127.0.0.1, port: 32049
	SSL connection using AES256-SHA
	Received 48 chars from client:' --- From SSL QIO Client, Hey, Hello Server --- '
	$

Using the CLIENT/SERVER demos across different platforms

Up until this point the client and server demos were running on the same platform (connecting via the loopback address of 127.0.0.1). To get the client demos to run from a different platform you must copy the server's CA Certificate into the client's chain file. In the demo programs this file is always named client_ca.crt

Note: you need the server CA certificate (which was sent out-of-channel) preinstalled on the client machine in order to prove that the signed certificate (which was sent in-channel) has been signed by a trusted CA. The purpose for all of this is to minimizing spoofing by a possible man-in-the-middle.

If you intend to connect to multiple servers, and the servers have been signed by different CAs, then you must merge all the CA certificates in the certificate chain file (client_ca.crt)

Hacking with the OpenSSL CLI/CLU (Part 2)

You will drive yourself crazy attempting to make these client demos work with an unknown (not under your control) server. The prescribed way to diagnose then repair client problems is with the OpenSSL CLI (command line interpreter). For example, run the server example on platform 1 but then try connecting from the OpenSSL CLI on platform 2 (it will be your client)

I/O from session #1 (Server on platform 1)

<sr>	$							! my prompt
<ur>	run SSL$SIMPLE_SERV.EXE					! defaults to port 5555

I/O from session #2 (Client on platform 2)

Note: SSL clients do not always specify certificates or keys

<sr>	$							!
<ur>	openssl							!
<sr>	OpenSSL>
<ur>	s_client -connect 142.180.39.15:5555 -ssl3 -debug
<sr>	CONNECTED(00000005)
	write to 00404FF0 [0040F838] (100 bytes => 100 (0x64))
	0000 - 16 03 00 00 5f 01 00 00-5b 03 00 4a 2a 64 cb 88   ...._...[..J*d..
	0010 - 41 dd 6b 75 23 99 4c af-40 04 0d 75 39 c9 33 46   A.ku#.L.@..u9.3F
	0020 - 6c 8a 2e 5c e3 b1 45 a6-a5 7c 07 00 00 34 00 39   l..\..E..|...4.9
	0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
	0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12   .f.....c.b.a....
	0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06   ...e.d.`........
	0060 - 00 03 01                                          ...
	0064 - <SPACES/NULS>
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 16 03 00 00 4a                                    ....J
	read from 00404FF0 [0040A83D] (74 bytes => 74 (0x4A))
	0000 - 02 00 00 46 03 00 4a 2a-64 cb c7 34 17 80 14 c5   ...F..J*d..4....
	0010 - ad ca c7 39 79 bd be 28-d9 89 f0 f4 12 a6 22 fd   ...9y..(......".
	0020 - a7 ff 1c ed 45 96 20 d2-96 42 3b d3 90 dc cb 54   ....E. ..B;....T
	0030 - 48 03 a8 9d 78 29 7c 80-75 62 3e 20 08 ff be b5   H...x)|.ub> ....
	0040 - 8a ab 86 6f 83 5e f8 00-35                        ...o.^..5
	004a - <SPACES/NULS>
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 16 03 00 02 c5                                    .....
	read from 00404FF0 [0040A83D] (709 bytes => 709 (0x2C5))
	0000 - 0b 00 02 c1 00 02 be 00-02 bb 30 82 02 b7 30 82   ..........0...0.
	0010 - 02 20 02 09 00 a3 ff 03-94 ac f7 26 10 30 0d 06   . .........&.0..
	0020 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 30 81 9f 31   .*.H........0..1
	0030 - 0b 30 09 06 03 55 04 06-13 02 63 61 31 10 30 0e   .0...U....ca1.0.
	0040 - 06 03 55 04 08 13 07 6f-6e 74 61 72 69 6f 31 12   ..U....Ontario1.
	0050 - 30 10 06 03 55 04 07 13-09 6b 69 74 63 68 65 6e   0...U....kitchen
	0060 - 65 72 31 14 30 12 06 03-55 04 0a 13 0b 62 65 6c   er1.0...U....bel
	0070 - 6c 20 63 61 6e 61 64 61-31 11 30 0f 06 03 55 04   l canada1.0...U.
	0080 - 0b 13 08 62 65 6c 6c 2d-61 74 73 31 1a 30 18 06   ...Bell-ATS1.0..
	0090 - 03 55 04 03 13 11 6b 61-77 63 31 35 2e 6f 6e 2e   .U....kawc15.on.
	00a0 - 62 65 6c 6c 2e 63 61 31-25 30 23 06 09 2a 86 48   bell.ca1%0#..*.H
	00b0 - 86 f7 0d 01 09 01 16 16-6e 65 69 6c 40 6b 61 77   ........neil@kaw
	00c0 - 63 31 35 2e 6f 6e 2e 62-65 6c 6c 2e 63 61 30 1e   c15.on.bell.ca0.
	00d0 - 17 0d 30 39 30 36 30 35-31 38 35 39 31 32 5a 17   ..090605185912Z.
	00e0 - 0d 31 30 30 36 30 35 31-38 35 39 31 32 5a 30 81   .100605185912Z0.
	00f0 - 9f 31 0b 30 09 06 03 55-04 06 13 02 63 61 31 10   .1.0...U....ca1.
	0100 - 30 0e 06 03 55 04 08 13-07 6f 6e 74 61 72 69 6f   0...U....Ontario
	0110 - 31 12 30 10 06 03 55 04-07 13 09 6b 69 74 63 68   1.0...U....kitch
	0120 - 65 6e 65 72 31 14 30 12-06 03 55 04 0a 13 0b 62   ener1.0...U....b
	0130 - 65 6c 6c 20 63 61 6e 61-64 61 31 11 30 0f 06 03   ell canada1.0...
	0140 - 55 04 0b 13 08 62 65 6c-6c 2d 61 74 73 31 1a 30   U....Bell-ATS1.0
	0150 - 18 06 03 55 04 03 13 11-6b 61 77 63 31 35 2e 6f   ...U....kawc15.o
	0160 - 6e 2e 62 65 6c 6c 2e 63-61 31 25 30 23 06 09 2a   n.bell.ca1%0#..*
	0170 - 86 48 86 f7 0d 01 09 01-16 16 6e 65 69 6c 40 6b   .H........neil@k
	0180 - 61 77 63 31 35 2e 6f 6e-2e 62 65 6c 6c 2e 63 61   awc15.on.bell.ca
	0190 - 30 81 9f 30 0d 06 09 2a-86 48 86 f7 0d 01 01 01   0..0...*.H......
	01a0 - 05 00 03 81 8d 00 30 81-89 02 81 81 00 e2 98 76   ......0........v
	01b0 - 67 f7 39 15 a5 b4 f9 69-eb fa 3a 39 c3 d2 8a 70   g.9....i..:9...p
	01c0 - e4 f1 72 cb 4c 44 20 d6-78 aa 3b 9c 9b 28 1d 56   ..r.LD .x.;..(.V
	01d0 - 77 7f b3 58 aa b2 fc 65-31 71 15 cf 3f f4 84 bd   w..X...e1q..?...
	01e0 - 9c b0 95 86 3c b5 d8 d5-7f d4 94 e4 0e ad cf 0d   ....<...........
	01f0 - e9 86 39 ee d4 b5 a6 7d-28 f7 92 40 79 22 d9 ce   ..9....}(..@y"..
	0200 - 9a 75 10 dc fe 61 43 2a-b4 91 9c ec 7c 4d af c5   .u...aC*....|M..
	0210 - 6f 34 d5 a3 b8 c3 09 d5-2f a7 4c e7 45 2e b2 08   o4....../.L.E...
	0220 - f5 6e 32 5e ae 0d 92 58-20 4a 96 75 a1 02 03 01   .n2^...X J.u....
	0230 - 00 01 30 0d 06 09 2a 86-48 86 f7 0d 01 01 04 05   ..0...*.H.......
	0240 - 00 03 81 81 00 72 db b7-6e f7 32 28 6f 80 97 62   .....r..n.2(o..b
	0250 - 8b bf 7a cf 73 00 07 5c-ba 54 46 59 12 45 2f ab   ..z.s..\.TFY.E/.
	0260 - 5d 49 7a 9b 42 8b 7c e8-e2 34 05 96 b8 4b 51 17   ]Iz.B.|..4...KQ.
	0270 - fa bf 4f 56 76 8e e0 56-b2 f1 13 a3 4f 1f 6d eb   ..OVv..V....O.m.
	0280 - 8d df 37 9a 4c 6e 43 84-34 9f 21 63 4e 36 cb 68   ..7.LnC.4.!cN6.h
	0290 - ef 48 92 65 99 0d f1 de-a4 38 8b 21 28 0b 3e 3c   .H.e.....8.!(.><
	02a0 - 23 7e f7 d8 4c 89 3a 3a-b1 e4 98 61 dc 60 25 24   #~..L.::...a.`%$
	02b0 - 6f 19 3a 0d 09 79 85 f3-53 11 07 d0 a3 d9 6b 3e   o.:..y..S.....k>
	02c0 - e7 2c 55 57 f6                                    .,UW.
	depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	verify error:num=18:self signed certificate                      <<<---Note that this server certificate is self-signed
	verify return:1
	depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	verify return:1
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 16 03 00 00 04                                    .....
	read from 00404FF0 [0040A83D] (4 bytes => 4 (0x4))
	0000 - 0e                                                .
	0004 - <SPACES/NULS>
	write to 00404FF0 [00302E70] (137 bytes => 137 (0x89))
	0000 - 16 03 00 00 84 10 00 00-80 39 fa c4 8f bb d0 1b   .........9......
	0010 - 5a b9 2b 0f a4 03 5b 09-b9 b6 88 f7 6d f7 2f ec   Z.+...[.....m./.
	0020 - a4 ab ee 89 ac 9a 3d d9-9c 92 b6 90 9b ed 8f 76   ......=........v
	0030 - 88 85 86 f2 24 bd 58 38-1c d2 e7 f7 4c cb c2 37   ....$.X8....L..7
	0040 - b7 b3 b1 58 78 30 0a d6-02 e3 5f e8 bc e2 a4 94   ...Xx0...._.....
	0050 - 2f f6 3d b0 b3 15 08 8e-f4 d2 20 fc 42 a6 ae 17   /.=....... .B...
	0060 - 46 3b ac 24 c8 ae 13 3f-cb af b3 b8 be 91 46 4f   F;.$...?......FO
	0070 - 9e 79 37 0d fa b6 b2 5c-e4 5d ed a7 d2 93 4d bd   .y7....\.]....M.
	0080 - a3 df bb 4e fe cb f6 26-69                        ...N...&i
	write to 00404FF0 [00302E70] (6 bytes => 6 (0x6))
	0000 - 14 03 00 00 01 01                                 ......
	write to 00404FF0 [00302E70] (69 bytes => 69 (0x45))
	0000 - 16 03 00 00 40 2e 20 38-5b 89 c8 1e 5b e3 d8 82   ....@. 8[...[...
	0010 - c1 aa 3b b8 d8 a2 a4 5e-49 14 59 3c fb 83 63 53   ..;....^I.Y<..cS
	0020 - eb c3 99 b3 b7 2f 80 53-1d 9f cf 81 80 44 f3 e9   ...../.S.....D..
	0030 - d2 ce a1 ce 3e c1 25 24-56 cb 22 45 dc 59 dd 0c   ....>.%$V."E.Y..
	0040 - dc b7 a2 26 f7                                    ...&.
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 14 03 00 00 01                                    .....
	read from 00404FF0 [0040A83D] (1 bytes => 1 (0x1))
	0000 - 01                                                .
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 16 03 00 00 40                                    ....@
	read from 00404FF0 [0040A83D] (64 bytes => 64 (0x40))
	0000 - 00 bc 02 d4 79 e6 ae 7e-26 16 fd 6b 41 b3 0c c0   ....y..~&..kA...
	0010 - a5 6a 11 b6 c7 7a 4e 9c-e3 b4 5c 3b 50 e1 2e 9b   .j...zN...\;P...
	0020 - ef 5f aa 22 42 96 cb 33-f6 7a 72 18 ae d2 e7 1c   ._."B..3.zr.....
	0030 - 2a 99 e9 bf be 86 81 fd-f8 8b ed d4 c5 d7 8d 6a   *..............j
	---
	Certificate chain
	 0 s:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	   i:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	---
	Server certificate
	-----BEGIN CERTIFICATE-----
	MIICtzCCAiACCQCj/wOUrPcmEDANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMC
	Y2ExEDAOBgNVBAgTB29udGFyaW8xEjAQBgNVBAcTCWtpdGNoZW5lcjEUMBIGA1UE
	ChMLYmVsbCBjYW5hZGExETAPBgNVBAsTCGJlbGwtYXRzMRowGAYDVQQDExFrYXdj
	MTUub24uYmVsbC5jYTElMCMGCSqGSIb3DQEJARYWbmVpbEBrYXdjMTUub24uYmVs
	bC5jYTAeFw0wOTA2MDUxODU5MTJaFw0xMDA2MDUxODU5MTJaMIGfMQswCQYDVQQG
	EwJjYTEQMA4GA1UECBMHb250YXJpbzESMBAGA1UEBxMJa2l0Y2hlbmVyMRQwEgYD
	VQQKEwtiZWxsIGNhbmFkYTERMA8GA1UECxMIYmVsbC1hdHMxGjAYBgNVBAMTEWth
	d2MxNS5vbi5iZWxsLmNhMSUwIwYJKoZIhvcNAQkBFhZuZWlsQGthd2MxNS5vbi5i
	ZWxsLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDimHZn9zkVpbT5aev6
	OjnD0opw5PFyy0xEINZ4qjucmygdVnd/s1iqsvxlMXEVzz/0hL2csJWGPLXY1X/U
	lOQOrc8N6YY57tS1pn0o95JAeSLZzpp1ENz+YUMqtJGc7HxNr8VvNNWjuMMJ1S+n
	TOdFLrII9W4yXq4NklggSpZ1oQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAHLbt273
	MihvgJdii796z3MAB1y6VEZZEkUvq11JeptCi3zo4jQFlrhLURf6v09Wdo7gVrLx
	E6NPH23rjd83mkxuQ4Q0nyFjTjbLaO9IkmWZDfHepDiLISgLPjwjfvfYTIk6OrHk
	mGHcYCUkbxk6DQl5hfNTEQfQo9lrPucsVVf2
	-----END CERTIFICATE-----
	subject=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	issuer=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc15.on.bell.ca/emailAddress=neil@kawc15.on.bell.ca
	---
	No client certificate CA names sent
	---
	SSL handshake has read 877 bytes and written 312 bytes
	---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 1024 bit
	SSL-Session:
	    Protocol  : SSLv3
	    Cipher    : AES256-SHA
	    Session-ID: D296423BD390DCCB544803A89D78297C8075623E2008FFBEB58AAB866F835EF8
	    Session-ID-ctx: 
	    Master-Key: 38C8558FDF4A37EBF3202C5C464EBE60767A31B47B04B60C80A62FDE9D7819F2FDD8CF31E89B5CC26AC50611EFA6DDB5
	    Key-Arg   : None
	    Start Time: 1244292299
	    Timeout   : 7200 (sec)
	    Verify return code: 18 (self signed certificate)
<ur>	hello<enter>						! I entered this into my keyboard
<sr>	write to 00404FF0 [0040F838] (74 bytes => 74 (0x4A))
	0000 - 17 03 00 00 20 bc b3 9c-e7 04 1f 02 57 b9 5f b2   .... .......W._.
	0010 - e5 15 da b5 f2 00 c5 3e-3f 9b 23 ef 10 e6 94 7c   .......>?.#....|
	0020 - 8d 5a 94 2b b0 17 03 00-00 20 3f 1c aa 08 68 fa   .Z.+..... ?...h.
	0030 - 2b 99 6f 14 e1 17 c6 c9-14 71 c8 a8 0c d1 bd ab   +.o......q......
	0040 - 79 e5 1a 0b 71 f9 78 df-dd 2f                     y...q.x../
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 17 03                                             ..
	0005 - <SPACES/NULS>
	read from 00404FF0 [0040A83D] (32 bytes => 32 (0x20))
	0000 - b5 32 b9 5b 47 78 e9 52-9a b0 e5 c8 34 65 0d 56   .2.[Gx.R....4e.V
	0010 - 06 7a f7 67 c4 9d 28 51-52 bc 44 d4 e0 ea f0 79   .z.g..(QR.D....y
	read from 00404FF0 [0040A838] (5 bytes => 5 (0x5))
	0000 - 17 03 00 00 40                                    ....@
	read from 00404FF0 [0040A83D] (64 bytes => 64 (0x40))
	0000 - 59 d6 34 d8 94 e6 38 e2-8a ea 23 f8 81 43 6c eb   Y.4...8...#..Cl.
	0010 - ee 97 df f1 2a 98 95 6f-28 4e a1 f8 03 90 3c 26   ....*..o(N....<&
	0020 - 67 55 ec 14 6c 82 4e 46-6e 16 8a ea e7 a9 ca 47   gU..l.NFn......G
	0030 - 7a c6 ce 37 73 b0 da 9a-02 13 5a fb b5 60 74 59   z..7s.....Z..`tY
	write to 00404FF0 [0040F838] (74 bytes => 74 (0x4A))
	0000 - 17 03 00 00 20 0d be ad-d9 e9 e2 df 5b 5e 76 13   .... .......[^v.
	0010 - 75 81 c9 fa c7 a3 84 80-eb 7f e5 5c 59 5f 0a 7c   u..........\Y_.|
	0020 - ad 29 f6 70 32 17 03 00-00 20 a3 11 4a 53 65 b7   .).p2.... ..JSe.
	0030 - 33 cd d9 40 d3 e1 3e 6f-f2 1b 91 e8 7e 3f a9 1f   3..@..>o....~?..
	0040 - 3c b4 13 69 d1 5e 8d 65-e3 4e                     <..i.^.e.N
	write to 00404FF0 [0040F838] (74 bytes => -1 (0xFFFFFFFF))
	write:errno=32
	OpenSSL>

I/O from session #1 (Server on platform 1)

<sr>	$
<ur>	run SSL$SIMPLE_SERV.EXE
<sr>	Connection from 1027b48e, port 9ea3
	SSL connection using AES256-SHA
	Received 6 chars:'hello
	'
	$ 

Hints To Correct Your Problem

• copy your server's CA (certificate authority) certificate to the appropriate directory of your client machine (you may need to append it to an existing file called a "certificate chain file")
  • now restart the openssl -connect command with the -CAfile parameter (or -CApath if you have set up things properly). You will need to quote any mixed-case parameters.
  • Note: most internet clients like browsers and email readers have access to more than one hundred preloaded CA certificates. Since you are rolling your own client app then you will need to do this yourself (on windows, go to START button >>> SETTINGS item >> CONTROL PANEL item >> INTERNET PROPERTIES item >>> CONTENT tab >>> CERTIFICATES tab, then export a few trusted root certificates).
  • in many ways, copying the certificate of the CA from the server to the client through an out-of-channel path is similar to copying the PUB file to the client machine when setting up an SSH connection
• switch to a self-signed certificate and disable server certificate authentication (not recommended)
  • this will not protect you against a man-in-the-middle attack but maybe you don't care because you are running on a private intranet

Using OpenSSL CLI to test connectivity (part #1)
(note: this system is sitting inside Bell Canada on a private intranet)

<sr>	$
<ur>	openssl s_client -connect kawc09.on.bell.ca:443 -showcerts
	
	CONNECTED(00000005)
	depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	verify error:num=18:self signed certificate
	verify return:1
	depth=0 /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	verify return:1
	---
	Certificate chain
	 0 s:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	   i:/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	-----BEGIN CERTIFICATE-----
	MIICpTCCAg4CAQAwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAkNBMQswCQYD
	VQQIEwJPTjESMBAGA1UEBxMJS0lUQ0hFTkVSMRQwEgYDVQQKEwtCRUxMLUNBTkFE
	QTERMA8GA1UECxMIQkVMTC1BVFMxGjAYBgNVBAMTEWthd2MwOS5vbi5iZWxsLmNh
	MSUwIwYJKoZIhvcNAQkBFhZuZWlsQGthd2MwOS5vbi5iZWxsLmNhMB4XDTEyMDEx
	ODIwMDc1MFoXDTE5MDExNjIwMDc1MFowgZoxCzAJBgNVBAYTAkNBMQswCQYDVQQI
	EwJPTjESMBAGA1UEBxMJS0lUQ0hFTkVSMRQwEgYDVQQKEwtCRUxMLUNBTkFEQTER
	MA8GA1UECxMIQkVMTC1BVFMxGjAYBgNVBAMTEWthd2MwOS5vbi5iZWxsLmNhMSUw
	IwYJKoZIhvcNAQkBFhZuZWlsQGthd2MwOS5vbi5iZWxsLmNhMIGfMA0GCSqGSIb3
	DQEBAQUAA4GNADCBiQKBgQDhARUFxc8u7rZL4UNGKaxPgVYdnDsAIsmfGoTyEd97
	SsFRbohmEnb1BtZWsmh8muD+ERuJlMp/rh0Lv0qMl6dTKN5KKJS6B33IPhtH9hfC
	9XB5EqbhAaoGMe5MB/L2CQefdOY55l5+ac6ADhfBSzx0Y4Ie7JEpmikMHAwSnYfW
	wQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABoX70NuLwgwVU0pJr2MmDY2jN8daqVv
	1IGFD2ENbYNQU3TC2/BxBuoF5r4uWXRtygnWvyQhOzeJ9DL36d2OSunJyfUBddQk
	DhuIrHI60KlvUwyLrAIMN5aaDAAdmuc5s9vAAyyA6qUSzjhRx88OoopjCdFp38ER
	blRbB3KXwuCW
	-----END CERTIFICATE-----
	---
	Server certificate
	subject=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	issuer=/C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
	---
	No client certificate CA names sent
	---
	SSL handshake has read 1245 bytes and written 361 bytes
	---
	New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
	Server public key is 1024 bit
	Secure Renegotiation IS NOT supported
	Compression: NONE
	Expansion: NONE
	SSL-Session:
	    Protocol  : TLSv1
	    Cipher    : DHE-RSA-AES256-SHA
	    Session-ID: 4E7FECF48727AF145B90CE0025A227A669F408DF26E076DE7A13CC6770D50453
	    Session-ID-ctx: 
	    Master-Key: 2463FBACCF6CBFF4B04304F029DD995A3A6CA799218106BFB53DAD35E744780BA7D8EEBFE15041C1ADB720453AD54A76
	    Key-Arg   : None
	    Start Time: 1328041280
	    Timeout   : 300 (sec)
	    Verify return code: 18 (self signed certificate)

Using OpenSSL CLI to test connectivity (part #2)
(note: this system is sitting in Sweden)

<sr>	$
<ur>	openssl s_client -connect www.google.com:443
<sr>	CONNECTED(00000005)
	
	depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
	verify error:num=20:unable to get local issuer certificate
	verify return:0
	---
	Certificate chain
	 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
	   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
	
	 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
	   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
	
	---
	Server certificate
	-----BEGIN CERTIFICATE-----
	MIIDITCCAoqgAwIBAgIQT52W2WawmStUwpV8tBV9TTANBgkqhkiG9w0BAQUFADBM
	MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
	THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
	MzA5MzAyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
	MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
	FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
	gYEA3rcmQ6aZhc04pxUJuc8PycNVjIjujI0oJyRLKl6g2Bb6YRhLz21ggNM1QDJy
	wI8S2OVOj7my9tkVXlqGMaO6hqpryNlxjMzNJxMenUJdOPanrO/6YvMYgdQkRn8B
	d3zGKokUmbuYOR2oGfs5AER9G5RqeC1prcB6LPrQ2iASmNMCAwEAAaOB5zCB5DAM
	BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
	LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
	BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
	Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
	ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
	AAOBgQAhrNWuyjSJWsKrUtKyNGadeqvu5nzVfsJcKLt0AMkQH0IT/GmKHiSgAgDp
	ulvKGQSy068Bsn5fFNum21K5mvMSf3yinDtvmX3qUA12IxL/92ZzKbeVCq3Yi7Le
	IOkKcGQRCMha8X2e7GmlpdWC1ycenlbN0nbVeSv3JUMcafC4+Q==
	-----END CERTIFICATE-----
	subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
	issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
	---
	No client certificate CA names sent
	---
	SSL handshake has read 1765 bytes and written 310 bytes
	---
	New, TLSv1/SSLv3, Cipher is RC4-SHA

	Server public key is 1024 bit
	SSL-Session:
	    Protocol  : TLSv1
	    Cipher    : RC4-SHA
	    Session-ID: 3993A42226B4AE05E338EECFF4E5A4E189AA5A855E3394B073BC400691202809
	    Session-ID-ctx: 
	    Master-Key: C1893735D68A9CB922DFA76CF8C750FDF3B40BAA33323FE81FBCE9D31C4B6B2AB8173DFBB7D209C2DBDDEF417703E456
	    Key-Arg   : None
	    Start Time: 1329741805
	    Timeout   : 300 (sec)
	    Verify return code: 20 (unable to get local issuer certificate)
	---
	GET / HTTP/1.0				<<<--- I typed this line followed by <enter>
						<<<--- blank line signifies end of HTTP header
	
	HTTP/1.0 302 Found			<<<--- looks like Google wants to redirect this system to Sweden 
	Location: https://www.google.se/	
	Cache-Control: private
	Content-Type: text/html; charset=UTF-8
	Set-Cookie: PREF=ID=2e23775e9ac21c7e:FF=0:TM=1329741822:LM=1329741822:S=-pAeZHuBa7pD1lZq; expires=Wed, 19-Feb-2014 12:43:42 GMT; pat
	h=/; domain=.google.com
	Date: Mon, 20 Feb 2012 12:43:42 GMT
	Server: gws
	Content-Length: 219
	X-XSS-Protection: 1; mode=block
	X-Frame-Options: SAMEORIGIN
	
	<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
	<TITLE>302 Moved</TITLE></HEAD><BODY>
	<H1>302 Moved</H1>
	The document has moved
	<A HREF="https://www.google.se/">here</A>.
	</BODY></HTML>
	read:errno=0
	$ 

Creating Those Pesky PEM Files

Most SSL apps only employ "certificate" and "key" files. However, many SSL implementations (like my gSOAP client software) employ a "PEM" file. What is worse is that process for creating "PEM" files from "certificate" and "key" files seems to be some sort of industry secret. Okay so what follows is an example of a few hacks this afternoon.

===============================================================================================
 file : AAA_PEM_NOTES.TXT
 edit : NSR 2012-02-14
 topic: 1. general stuff about certificates on our system
	2. creating a PEM (required by SSL calls made by our SOAP client software)
 notes:	1. all "our" production certificate files are located here:
			sys$sysdevice:[certificates]
	2. a logical name has been defined to reference this directory:
			$define/system  vms_cert_dir  sys$sysdevice:[certificates]
	3. apache files like "apache$common[.conf]ssl.conf" need to reference this logical name
	4. before experimenting with the certificate tools in directory SSL$COM you might consider
	   copying production certificates to SSL$CERTS which points to here:
			ssl$root:[000000.democa.certs]
	5. while certificates and keys can be generated directly from OpenSSL CLI, DCL scripts
	   like SSL$CERT_TOOL are less error prone. However, make sure all instances of 365 days
	   have been modified to 3650 days or you'll drive our users crazy. Even if you don't
	   change all the scripts, make sure you change the self-signed script.
 legend:
	"<ur>" = user response
	"<sr>" = system response
===============================================================================================
<sr> $
<ur> set def ssl$com
<sr> $
<ur> @SSL$CERT_TOOL.COM
------------------------------------------------------------------------------
	now do one of: A, B, C:
	A	Create a Self-Signed Certificate		(my choice)

	B1	Create a Certificate Signing Request
	B2	Create a CA (Certification Authority) Certificate
	B3	Sign a Certificate Signing Request

	C1	Create a Certificate Signing Request
	C2	Send it to a CA to have it signed
------------------------------------------------------------------------------
<sr> $
<ur> set def SSL$CERTS								! change default directory
<sr> $
<ur> copy/concat kawc09.key,kawc09.crt kawc09.pem				! create a server PEM file
 or  copy        kawc09.crt            client.pem				! create a client PEM file
<sr> $
<ur> openssl x509 -hash -noout -in  KAWC09.PEM					! compute the hash (output to stdout)
<sr> 30a5df47
     $
<ur> copy kawc09.crt 30a5df47.0							! create the file: hash.0 
<sr> $
<ur> define dvlp_cert_dir SSL$ROOT:[000000.DEMOCA.CERTS]			! define a logical name for use below
<sr> $
<ur> openssl  verify  "-CApath" dvlp_cert_dir -verbose -purpose any KAWC09.PEM	! test certs with path
 or  openssl  verify                          -verbose -purpose any KAWC09.PEM	! test certs without path (alternative)
<sr> kawc09.pem: OK
     $
------------------------------------------------------------------------------
	do we really need the hash file? (yes)
------------------------------------------------------------------------------
<ur> ren 30A5DF47.0 30A5DF47.yada						! rename hash file for next test
<sr> $
<ur> openssl  verify  "-CApath" vms_cert_dir -verbose -purpose any KAWC09.PEM	! test certs with path
<sr> kawc09.pem: /C=CA/ST=Ontario/L=Kitchener/O=Bell Canada/OU=Bell-ATS/CN=kawc09.on.bell.ca/emailAddress=neil@kawc09.on.bell.ca
     error 18 at 0 depth lookup:self signed certificate
     OK
     $
<ur> ren 30A5DF47.yada 30A5DF47.0						! restore hash file name
<sr> $
<ur> openssl  verify  "-CApath" vms_cert_dir -verbose -purpose any KAWC09.PEM	! test certs with path (again)
<sr> kawc09.pem: OK
     $
==========================================================================================================================
	<<< proof that Apache has its own version of SSL >>>

	notes:	1. danger danger danger danger danger danger danger danger danger danger >>>
		2. only try this on a backup lab system with no one logged on >>>
		3. if your running system relies upon SSL for various security functions, then removing SSL may render
			your OpenVMS 8.x system unusable
==========================================================================================================================
	uninstall SSL on OpenVMS-8.4 (node kawc98)
		$prod remov prod ssl
			note: you will get a warning saying not to do this because of linkages to OpenVMS (but not Apache)
				ignore the warning and remove SSL anyway
	reboot
		@sys$update:autogen reboot
	test Apache and notice that https://kawc98.on.bell.ca still works (Apache has its own baked-in OpenSSL engine)
	install SSL on OpenVMS-8.4
		$PRODUCT instal/options=NOVALIDATE_KIT SSL
			note: you now need OPTIONS because SSL is required to validate kits (oops)
	reboot
		@sys$update:autogen reboot
==========================================================================================================================

"OpenSSL s_client" bug on OpenVMS (2012-02-xx)

1. On 2012-02-14 I realized that command "OpenSSL s_client" on OpenVMS-8.4 Alpha does not work properly with HP-OpenSSL-1.4-453
   
   Sample (failed) Dialog:
   (legend: ur=user response; sr=system response)

   <ur> openssl s_client -connect www.google:443<enter>
        <enter>
        <enter>
        <enter>
   <sr> write:errno=32    <<<--- Oops!

   Note: I believe error 32 = "broken pipe" (see: ERRNO.H or ERRNODEF.H) which means the channel just closed
    
2. The bug does not exist on CPQ-OpenSSL-1.1B
    
3. The bug is found in all versions starting with HP-OpenSSL-1.2 and running through HP-OpenSSL-1.4-467
    
4. The bug affects Alpha and Itanium (there were no HP-sanctioned versions for VAX after  CPQ-OpenSSL-1.1B)
    
5. On 2012-03-06 I realized this "OpenSSL s_client" problem was only failing "server -> client" and here is the proof:
    
   
   • First create a little text file (I called mine "neil.txt" which only contains one line "test data") then run "OpenSSL s_server" with the "-WWW" and -debug options
      
   • Now type "OpenSSL s_client -connect www.myserver:443 -debug" from any technology other than OpenVMS (I tried both Windows and Solaris)
      
   • Sample (good) Dialog:
     (legend: ur=user response; sr=system response)

     <ur>openssl s_client -connect www.myserver.com:443<enter>		!
     <sr>...handshake verbage...						! bla...bla...bla...
         ---									! prompt
     <ur>GET /neil.txt HTTP/1.0<enter>					! we want file neil.txt
         <enter>								! signal end of HTTP header
     <sr>HTTP HTTP/1.0 200 ok						!
         Content-type: text/plain						!
     									!
         test data								!

   • Now repeat the test using "OpenSSL s_client -connect www.myserver:443 -debug" from OpenVMS
     
     • Entering "GET /neil.txt HTTP/1.0<enter><enter>" will show outbound data packets every time you hit <enter> but no clear text is ever seen
        
   • Now inspect the s_server dialog you will find a line containing "FILE:neil.txt" which indicates the requested file being sent back.
      
   • At the client you will see inbound packets but nothing displayed in clear text
      
   • Conclusion:
      
     
     1. either the client-end connection isn't decrypting anything
         
     2. or there is no way to see what has been decrypted (since typing wasn't echoed, this last case seems more likely)
         
6. On 2012-03-11 I finally got around to developing a bug-fix for s_client.c (for HP-OpenSSL-1.3-281 and higher) which goes something like this:
    
   
   1. (tested) optional cosmetic change:
      
      • use an editor to locate the sixth line from the end of routine "void print_stuff("

        BIO_printf(bio,"---\n");

        then change it to:

        BIO_printf(bio,"---\n\n");

        This change will provide room under the three dashes for you to type your web server request (restores previous functionality)
         
        
   2. (tested) mandatory change for:
      • HP-OpenSSL-1.3-281
        
        1. use an editor to locate the string:

           i=write

        2. back up ~10 lines to locate the string:

           #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)

           then change it to:

           #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VMS)

           Explanation for this fix: In VMS section of "if (!ssl_pending)" we never call "if (write_tty) FD_SET(fileno(stdout),&writefds);" so it makes no sense to block on "FD_ISSET(fileno(stdout),&writefds)" ~ 150 lines below.
           
           
           
      • HP-OpenSSL-1.4
        1. use an editor to locate the string:

           i=write

        2. back up ~10 lines to locate the string:

           #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
           

           then change it to:

           #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) \
           	|| defined(OPENSSL_SYS_VMS)

      • HP-OpenSSL-1.4-453
             -and-
        HP-OpenSSL-1.4-467
        • same fixes as HP-OpenSSL-1.4 but you will also see a compile problem with program B_SOCK.C which does not affect the VMS build
          (see the line: #ifdef OPENSSL_SYS_WINDOWS || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)) which makes no sense)
           
          
   3. (untested) mandatory change for OPENSSL-100G (from Swedish hacker site http://polarhome.com/openssl/ )
      • use an editor to locate the string:

        i=raw_write_stdout

        then repeat the fixes above (but you will still crap out with error "bad select 38" which is related to select () testing stdin as if it were a network device). I won't be able to test this fix until I include term_sock.c functionality (and I just can't find the time right now)
         
   4. Suggestion: The current state of s_client.c can only be described as horrible. Probably due to the number of people who appear to have to modified it, along with all the conditional compile statements, it would never pass a code review. Some kind soul should update it to a more modern "block indentation" like so:

      if (bla...)
      {	if (yada...)
      	{	just one line but bracketed anyway;
      	}
      }
      else
      {	switch(temp) {
      	case CASE1:
      		{	whatever;
      			break;
      		}
      	case CASE2:
      		{	whatever;
      			break;
      		}
      	default:
      		{	just one line but bracketed anyway;
      		}
      	}
      }

My Regression Testing

An official fix from HP is coming has come

1. I received a private patch today (2012-06-20) from HP OpenVMS Support which fixes the s_client bug in HP-OpenSSL-1.4-467. This patch is available on request so you need a VMS support contract to receive it. HP engineers do not like the shape of the existing code so will not offer a public fix for s_client until the next release of HP-OpenSSL for OpenVMS (probably in 2013).
    
2. On 2012-06-23 I downloaded HP's source code for HP-OpenSSL-1.4-467 and verified that I could fix the problem myself. You could do this too provided you have access to a "C" compiler. When you are done, just copy test application openssl.exe from your working directory into production directory ssl$exe then test it.
    
   
3. On 2013-05-06 I downloaded HP-OpenSSL-1.4-471 from HP's OpenVMS website and verified that s_client appears to work properly. Kudos to HP.

Building OpenSSL (for OpenVMS) from HP Sources

Here I am not talking about installing a PCSI kit from HP. I am talking about building (full recompile and link) so you will need a C-language compiler.

1. Most "HP sanctioned" releases of OpenSSL for OpenVMS files can be found here: ftp://ftp.hp.com in folder "/pub/openvms/ssl/".
    
2. HP is not offering any modern OpenSSL kits for VAX so you will need to build it yourself from public sources or download a complete package from Sweden
    
3. You might also find some older stuff here:
   • ftp://ftp.mrynet.com/pub/os/DEC/vmsone/vmsone.com/~ovmskits/opnsrctoos2/ssl_source/kit/ <<<--- COMPAQ_SSL_SOURCES_V11A.EXE
   • http://www.decuslib.com/freeware/freewarev70/openssl_z/
   • http://www.decuslib.com/freeware/freewarev70/openssl_z/freeware_readme.txt
   • http://zinser.no-ip.info/vms/sw/openssl.htmlx
   • http://zinser.no-ip.info/vms/sw/notes/openssl.htmlx (build + installation notes)
      
4. Compaq/HP Build Notes:

   Do When	Do What	Target
   Do at least once	read these notes	http://h71000.www7.hp.com/openvms/products/ssl/ssl_source.html#buildopenssl
   	read text file	$$$README.FOR_VMS
   	never execute DCL script	SUBMIT_BUILD.COM (can only be executed on HP's development system; requires CMS as well as some crypto stuff)
   	consider modifying script	VMS_BUILD_INFO.COM make sure the first line contains "$set noon" make sure BUILD_PLATFORM == "ALPHA" or "IA64"; sometimes this script is set to IA64 in the Alpha kit comment out the line defining CRYPTO$RES (it only exists on the HP development platform)
   B4 every full build	execute DCL script	@VMS_BUILD_INFO.COM (which sets DCL symbols required by MAKEVMS.COM)
   	execute DCL script	@MAKEVMS.COM/OUTPUT=MAKEVMS.LOG ALL NORSAREF NODEBUG DECC NONE (Note: NONE seems to work properly with both "TCPIP Services" as well as TCPware)
   B4 every app build	execute DCL script	@VMS_BUILD_INFO.COM (which sets DCL symbols required by MAKEVMS.COM)
   	execute DCL script	@MAKEVMS.COM/OUTPUT=MAKEVMS.LOG APPS NORSAREF NODEBUG DECC NONE (Note: NONE seems to work properly with both "TCPIP Services" as well as TCPware)

   
   
5. Click this link to learn how to fix a problem with s_client.c prior to doing a build

Building OpenSSL (for OpenVMS) From Public Sources

1. Source #1 (vanilla): http://www.openssl.org/source/
2. Source #2 (VMS friendly): http://polarhome.com/openssl/
   • They offer:
     1. smaller source-only kits
     2. larger binary kits containing both 32-bit and 64-bit executables (VAX, Alpha, and Itanium) without source code
   • Okay so every time I connect to this Swedish hacker site I think about "The Girl With the Dragon Tattoo" by Stieg Larsson (and all the Swedish, Finnish and German hackers out there).
     p.s. While there is lots of computer hacking seen in the Swedish movie (actors actually hit the SPACE BAR), the American version contains none.

Vanilla Build Notes:

• most of the VMS build docs are old (some appear unchanged since 2000)
• some docs and scripts have been modified but embedded dates have not been changed and there are no "in document" version numbers
• the talented engineers at HPQ have made extensive changes to the 64-bit (Alpha/Itanium) versions which are only available from the HP website (these changes are instructive if nothing else). Perhaps HP management will not allow value-added changes to migrate back to the public source code but I don't see why some kind soul doesn't do this for the benefit of the Open Source community.
• 0.9.6 (all versions)
  • build script makevms.com will take up to 6 parameters (the first 3 are mandatory).
    • If you start the script with no parameters, the script will display help for each mandatory parameter then exit. Restart the script after each exit until it runs (more on this in a moment)
    • P4 is used to set your "C" compiler. The script does a reasonable job of detecting which compiler is installed so this parameter is only important if you more than one compiler installed.
    • P5 is used to detect your TCP/IP stack and I'm not sure that auto-detect works properly. Why? Think about all the possible stacks which might be present:
      • TCPware (from Process Software; the only stack available for VMS for a decade starting in 1987)
      • Multinet (purchased by Process Software from CISCO in 1997; MultiNet was initially created by TGV)
      • UCX (originally for ULTRIX; DEC ported this to VMS as a skunk works project)
      • TCPIP Services for OpenVMS (the official HP offering for OpenVMS)
    • Building with RSA support is optional. If you wish to do this, OpenSSL docs tell you to retrieve RSADEF encryption files from www.rsa.com but you will never locate them because RSA removed them in 2000 when the patents expired. The files can still be found on ftp servers in Northern Europe (see the OpenSSL FAQ for sites). OpenVMS enthusiasts who want to keep museum pieces fully stocked might wish to download those files before they are lost forever (perhaps they could be posted to DECUS).
  • After installing the public source version of OpenSSL on OpenVMS, "s_client" will complain about a random generator problem like so:
    

    1092:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.crypto.rand]md_rand.c;1
        :501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    1092:error:05067003:Diffie-Hellman routines:DH_generate_key:BN lib:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.crypto.dh]dh_key.c;1:147:
    1092:error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad asn1 object header:SYS$SYSROOT:[SYSMGR.OPENSSL-096G.ssl]s3_clnt.c
    ;1:1490:

    • to get around this you must do the following because the $openssl rand procedure doesn't seem to work properly on OpenVMS
       
    • create a random data file like so:
      

      $create neil.rnd		! creates a file named "neil.rnd"    
      12345678901234567890<control-z>	! enter at least 20-characters before hitting <control-z>

    • now connect like so:

      $openssl s_client -connect 123.123.123.123:443 -rand neil.rnd

    • if you don't want to type the rand command all the time then just define a logical like so:

      $define/system RANDFILE = SYS$SYSDEVICE:[HACK]NEIL.RND

      as an alternative, you can use a process level logical or just declare a DCL symbol like so:   

      RANDFILE :== SYS$SYSDEVICE:[HACK]NEIL.RND

• 0.9.7 (all versions and higher)
  • software for 0.9.7 can't use the RSA software so don't even bother looking for it. But P2 is still reserved for it
  • since P2 is no longer supported but is still present, you can only start the script using a command similar to this:
        @makevms all "" nodebug decc multinet

PolarHome (Swedish Hacker Site) Build Notes

• PolarHome Offers:
  1. smaller source-only kits
  2. larger binary kits containing both 32-bit and 64-bit executables (VAX, Alpha, and Itanium) without source code
• OPENSSL-101b
  • I built this kit using this DCL command:
        @makevms.com/output=makevms.log all "" nodebug decc none
    Note that the meaning of P2 has changed from previous versions at this site but rather than using "" you may wish to use 32 or 64 (see docs)

1. OPENSSL-101b (quick test)

   openssl s_client -connect www.twitter.com:443 -no_tls1
   CONNECTED(00000003)
   depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = Ver
   iSign Class 3 Extended Validation SSL CA
   verify error:num=20:unable to get local issuer certificate
   verify return:0
   ---
   Certificate chain
    0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/
   postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
      i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Exte
   nded Validation SSL CA
    1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Exte
   nded Validation SSL CA
      i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Publi
   c Primary Certification Authority - G5
   ---
   Server certificate
   -----BEGIN CERTIFICATE-----
   MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
   ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
   ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
   YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
   VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
   MjA0MTAwMDAwMDBaFw0xNDA1MTAyMzU5NTlaMIIBFzETMBEGCysGAQQBgjc8AgED
   EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
   ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMQ4w
   DAYDVQQRFAU5NDEwNzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQNU2Fu
   IEZyYW5jaXNjbzEhMB8GA1UECRQYNzk1IEZvbHNvbSBTdCwgU3VpdGUgNjAwMRYw
   FAYDVQQKFA1Ud2l0dGVyLCBJbmMuMRkwFwYDVQQLFBBUd2l0dGVyIFNlY3VyaXR5
   MRQwEgYDVQQDFAt0d2l0dGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
   AQoCggEBAL7pd7TChZF0U21aCfxUIzdUHm4siWxcQ678xRerDI2hXmThiUyVKnHS
   CeSB+gDBXG4qoRHSEcwq7J1YhFscsKz6o4ktsWLqVowGSWNbW92ZbtjOGkTD3xdp
   O8Fqfgcs5Lq1yK517nrbtEp6OXEWcoWv15voP4wV7Z9HjCP6v5N1MmrPN187wDMH
   W1meJqxQ/7LiULgVQMVV/U6qLOhUeNpl/06CqxScU1bfnbep5SohUG+z6d8CUaPX
   55EhGtAPzXNJAHDSkiNgSKkPr1USJ9YiXusqmjcPChRfkT77kROjWnxgV+oucF+T
   ja+Ist8acKy2sgCidhUyuXCWG44bIf8CAwEAAaOCAhwwggIYMCcGA1UdEQQgMB6C
   D3d3dy50d2l0dGVyLmNvbYILdHdpdHRlci5jb20wCQYDVR0TBAIwADAdBgNVHQ4E
   FgQUtXiQRnmvbuddQEjER8bw4CjBMYQwCwYDVR0PBAQDAgWgMEIGA1UdHwQ7MDkw
   N6A1oDOGMWh0dHA6Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJl
   MjAwNi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXBjAqMCgGCCsGAQUFBwIB
   FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUF
   BwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBT8ilC6nrklWntVhU+VAGOP6VhrQzB8
   BggrBgEFBQcBAQRwMG4wLQYIKwYBBQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3Nw
   LnZlcmlzaWduLmNvbTA9BggrBgEFBQcwAoYxaHR0cDovL0VWU2VjdXJlLWFpYS52
   ZXJpc2lnbi5jb20vRVZTZWN1cmUyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBc
   MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
   iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
   KoZIhvcNAQEFBQADggEBAAqg81oADEdE+/Clm4Q43avFTkpuHkpYbu0bDvSVhoMS
   n12b0CAtIgY7Sg+kI0/T0PaaDDxy6lEm8YAu/NLNvgXhIEYKxZQ7sUrKrfY+avdM
   PumYGkWeQ0xEf0ZLbGCfp9DA+cwxGgZaxT0HdhLhSZOvlw3F3vWezUuriUYacRL6
   AW1EzC3uU2zj6T0z2v75Xa8u6AwY6YqAoMJCyR12bc7sGkRoD0ak27DdvP56qh5N
   0tjHHMI1d6IJs0TAO26/SVI7YlQXEstKHk9iJzappwZ/0HZJsepX7jIxvlxyKKGb
   8MQGjSCwx8bY2PbYaLe0rkk2IjH0aMUlHW77DpNAK40=
   -----END CERTIFICATE-----
   subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=
   US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
   issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Ex
   tended Validation SSL CA
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 3360 bytes and written 488 bytes
   ---
   New, TLSv1/SSLv3, Cipher is RC4-SHA
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : SSLv3
       Cipher    : RC4-SHA
       Session-ID: 98708C8995FF0F8AE3DE17DC8066CF220AB3D50C183E519089DB2E893EFEDCEA
       Session-ID-ctx: 
       Master-Key: 5542D6ADAC52B4FD82FD9E0FCADE67FBBB5D4BAB4EA1F5D564FE6F98F6CC6E8F3A0F350BF668726A377EC1169205BBAA
       Key-Arg   : None
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       Start Time: 1340481505
       Timeout   : 300 (sec)
       Verify return code: 20 (unable to get local issuer certificate)
   ---
   bad select 38        <<<--- Oops!
   $

2. Getting around "bad select 38" (this problem is never seen in HP-sanctioned releases of OpenSSL for OpenVMS).
    
   
   1. This publication: HP TCP/IP Services for OpenVMS Sockets API and System Services Programming
      http://h71000.www7.hp.com/doc/82final/6529/6529pro_030.html
      in table Translation of Socket Error Codes to OpenVMS Status Codes
      indicates that socket error 38 (ENOTSOCK) is mapped to VMS code SS$_NOTNETDEV (Socket operation on nonsocket) so this problem involves treating stdin as a network device. (Allowed in the UNIX/Linux world but not allowed in the Windows/VMS world)
       
      
   2. Definitions for error 38 (ENOTSOCK) can be found here:
      1. SYS$COMMON:[SYSLIB]TCPIP$INETDEF.H
      2. SYS$COMMON:[SYSLIB]UCX$INETDEF.H
      3. SYS$COMMON:[TCPWARE.INCLUDE]UCX$INETDEF.H
          
   3. In some instances, UNIX-IO statement select() does not behave as expected on OpenVMS/VMS platforms. Poking around the documentation will reveal a few clues and here are some links to peruse:
      • HP-C Run-Time Library Reference Manual for OpenVMS
        http://h71000.www7.hp.com/doc/84final/5763/5763profile.html
      • UNIX, Linux to OpenVMS Porting Guidelines
        http://h71000.www7.hp.com/portability/portingguidelines.html
        quote: Select() call is extensively used in UNIX variants for asynchronous I/O and to handle I/O from multiple descriptors at the same time. However in OpenVMS Select() call does not manage the file descriptors and manages only the socket descriptors for remote communication. You can handle this limitation in OpenVMS using the QIO and AST mechanism.
         
        
   4. Source code to help explain the problem technically -and- enable you to get out of the "bad select 38" dilemma

Internal Links

• OpenVMS Notes: SSH2
• OpenVMS Notes: SSL/TLS
• OpenVMS Notes: TCPware
• OpenVMS Notes: Cryptography

External Links

SSL for OpenVMS (sanctioned by HP)

• http://h71000.www7.hp.com/openvms/products/ssl/ssl.html VMS SSL Home: Including Documentation and Software Download
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/index.html (HP SSL for OpenVMS)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch01.html (Chapter 1: Installation and Release Notes)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch02.html (Chapter 2: Overview of SSL)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch03.html (Chapter 3: Using the Certificate Tool)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04.html (Chapter 4: SSL Programming Concepts)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html (SSL Programming Tutorial)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch05.html (Chapter 5: Example Programs)
  • http://h71000.www7.hp.com/doc/83final/ba554_90007/ch06.html (Chapter 6: OpenSSL Command Line Interface)
  • http://h71000.www7.hp.com/openvms/products/ssl/ssl.html (kit download)
• http://vouters.dyndns.org/tima/All-OS-OpenSSL-Setting-Secure-Communications.html (a c programming example which includes some really useful notes on how to create PEM files in three different host environments: Windows, UNIX, and OpenVMS)

OpenSSL for OpenVMS (not sanctioned by H/P)

• http://polarhome.com/openssl/ - they have both binary file (smaller) and source file (larger) versions.
  Okay so every time I connect to this Swedish hacker site I think about "The Girl With the Dragon Tattoo" by Stieg Larsson

OpenVMS OpenSSL Example Code, Simplified API Library for BASIC, Fortran (e.g. wrappers)

• http://labs.hoffmanlabs.com/node/1853

SSL (general) 

• http://www.openssl.org/ (the industry-wide home of OpenSSL)
• http://en.wikipedia.org/wiki/Transport_Layer_Security (a.k.a. SSL/TLS)
• http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
• http://technet.microsoft.com/en-us/library/cc781800(v=ws.10).aspx (SSL/TLS in Windows Server 2003)
• http://en.wikipedia.org/wiki/Public_key_infrastructure (a.k.a. PKI)
• http://en.wikipedia.org/wiki/X.509 (a.k.a. X.509)
• http://tools.ietf.org/html/rfc5246 (a.k.a. rfc-5246)
• http://www.debian-administration.org/articles/618 - Certificate Authority (CA) with OpenSSL

OpenSSL for Windows

•  because many times you can learn more by connecting to an OpenVMS or UNIX platform from your PC
  • If you only have one OpenVMS platform then you have no other choice
  • In a pinch, you can put two PCs back-to-back (openssl s_server on one, openssl c_client on the other)
  • In a real pinch you can run server and client on the same machine but it's not really the same
• http://www.slproweb.com/products/Win32OpenSSL.html  - very high quality work from Shining Light Productions; please donate a few bucks if you can
• http://gnuwin32.sourceforge.net/packages/openssl.htm

Compaq C Run-Time Library Reference Manual for OpenVMS Systems

• http://h71000.www7.hp.com/commercial/c/docs/5763p.html
• http://h71000.www7.hp.com/commercial/c/docs/5763pidx.html
• http://h71000.www7.hp.com/commercial/c/docs/5763ptoc.html
• http://h71000.www7.hp.com/commercial/c/docs/5763p067.html#index_x_1837 - SELECT
• http://h71000.www7.hp.com/commercial/c/docs/5763p068.html#index_x_1856 - SOCKET

Back to OpenVMS
 Back to Home
 Neil Rieck
 Kitchener - Waterloo - Cambridge, Ontario, Canada.