topic Re: SHA1 encryption under OpenSSL in Operating System - OpenVMS

SHA1 encryption under OpenSSL

Paolo_c — Fri, 21 Oct 2016 14:25:48 GMT

Hi , I understand that SHA1 encryption used with OpenSSL . is due to expire shortly, and wondering if this will impact upon any of the applications running on our OpenVMS system. Although I can see some OpenSSL executables on our system below, it doesnt look as if the product is fully installed ,(inc any openssl startup files or any applications accessing these files ), so assuming its safe to assume that we're not using OpenSSL for encryption and that we wont have to consider migrating to SHA2. encryption ?

Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.SSL]

OPENSSL-VMS.CNF;1
17 18-MAR-2010 21:49:58.35 [SYSTEM (RWED,RWED,RE,RE)
OPENSSL-VMS.CNF_TEMPLATE;1
17 18-MAR-2010 21:49:58.35 [SYSTEM (RWED,RWED,RE,RE)
OPENSSL.CNF;1 20 18-MAR-2010 21:49:58.37 [SYSTEM (RWED,RWED,RE,RE)
OPENSSL.CNF_TEMPLATE;1
20 18-MAR-2010 21:49:58.37 [SYSTEM (RWED,RWED,RE,RE)

Total of 4 files, 74 blocks.

Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.SSL.DOC]

OPENSSL.TXT;1 92 8-MAR-2007 09:26:14.24 [SYSTEM (RWED,RWED,RE,RE)

Total of 1 file, 92 blocks.

Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.SSL.IA64_EXE]

OPENSSL.EXE;1 9340 18-MAR-2010 20:22:44.34 [SYSTEM (RWED,RWED,RE,RE)

Total of 1 file, 9340 blocks.

Directory SYS$SYSDEVICE:[SYS0.SYSCOMMON.SSL.INCLUDE]

OPENSSLCONF.H;1 15 18-MAR-2010 18:28:12.53 [SYSTEM (RWED,RWED,RE,RE)
OPENSSLV.H;1 8 18-MAR-2010 17:04:29.51 [SYSTEM (RWED,RWED,RE,RE)

Total of 2 files, 23 blocks.

Directory SYS$SYSDEVICE:[VMS$COMMON.SSL]

Total of 4 files, 74 blocks.

Directory SYS$SYSDEVICE:[VMS$COMMON.SSL.DOC]

OPENSSL.TXT;1 92 8-MAR-2007 09:26:14.24 [SYSTEM (RWED,RWED,RE,RE)

Total of 1 file, 92 blocks.

Directory SYS$SYSDEVICE:[VMS$COMMON.SSL.IA64_EXE]

OPENSSL.EXE;1 9340 18-MAR-2010 20:22:44.34 [SYSTEM (RWED,RWED,RE,RE)

Total of 1 file, 9340 blocks.

Directory SYS$SYSDEVICE:[VMS$COMMON.SSL.INCLUDE]

OPENSSLCONF.H;1 15 18-MAR-2010 18:28:12.53 [SYSTEM (RWED,RWED,RE,RE)
OPENSSLV.H;1 8 18-MAR-2010 17:04:29.51 [SYSTEM (RWED,RWED,RE,RE)

Total of 2 files, 23 blocks.

Grand total of 8 directories, 16 files, 19058 blocks.

Re: SHA1 encryption under OpenSSL

Dennis Handly — Sat, 22 Oct 2016 21:13:41 GMT

FYI: Technically SHA1 and SHA2 are a hash or digest, not the cipher itself.

Re: SHA1 encryption under OpenSSL

Paolo_c — Tue, 25 Oct 2016 08:55:09 GMT

FYI: Technically SHA1 and SHA2 are a hash or digest, not the cipher itself.

Okay but just wondering how we can establish, in advance, whether we will be impacted by loss of SHA1 encryption under OpenSSL . i understand that HP Openview operations agent for OpenVMS (OVA) and HP System management (SMH) - (both of which we use) , are reliant on SSL but not sure how to ascertain whether the loss of SHA1 encryption under OpenSSl will have any impact on this s/ware and/or any certificates currently installed ? We currently have the following versions of SSL installed on our live Alpha/Integrity Servers running OpenVMS, and so wondering whether any potential issues would be addressed by upgrading to (latest ?) version HP SSL1 V 1.0 (mentioned in the following article.) although note that HP SSL1 V1.0 is only compatible with OpenVMS 8.4.

http://h41379.www4.hpe.com/openvms/products/ssl/ssl.html

p.s We curently have the following versions of SSL / VMS installed

OpenVMS SSL

------------------------------------------------------------------------

AXPVMS OPENVMS V8.3 V 1.3-281

I64VMS 8.3-1H1 V 1.3-284

I64VMS OPENVMS V8.4 V 1.4-334

I64VMS OPENVMS V8.4 V1.4-334

Re: SHA1 encryption under OpenSSL

Steven Schweda — Tue, 25 Oct 2016 13:57:41 GMT

> [...] it doesnt look as if the product is fully installed ,(inc any
> openssl startup files or any applications accessing these files ), [...]

Where did you look? To see what's installed:
product show product *ssl*

Around here, I see start-up files: SYS$STARTUP:*ssl*.com

> [...] wondering if this will impact upon any of the applications
> running on our OpenVMS system. [...]

Some of us have little idea which applications are running on your
OpenVMS system.

Re: SHA1 encryption under OpenSSL

Paolo_c — Wed, 26 Oct 2016 08:08:35 GMT

Thanks for the feedback,

OpenVMS SSL
------------------------------------------------------------------------
AXPVMS OPENVMS V8.3 V 1.3-281
I64VMS 8.3-1H1 V 1.3-284
I64VMS OPENVMS V8.4 V 1.4-334
I64VMS OPENVMS V8.4 V1.4-334

Where did you look? To see what's installed:
product show product *ssl*

Around here, I see start-up files: SYS$STARTUP:*ssl*.com

> If you look at the previous update I posted to this call, you'll see that we do have SSL installed on all of our Integrity/Alpha VMS boxes. below.. My original comments referred to OpenSSL not SSL (as I making the incorrect assumption that OpenSSL and SSL aren't interlinked).

HP I64VMS SSL V1.4-334

HP AXPVMS SSL V1.3-281

HP I64VMS SSL V1.3-284

> [...] wondering if this will impact upon any of the applications

> running on our OpenVMS system. [...]

Some of us have little idea which applications are running on your
OpenVMS system.

> The only "application" I can see on our systems which appears to reference SSL is HP OpenView Operations Agent for OpenVMS (OVA) and so wondering whether this is likely to be affected by the potential issue surrouding SHA1 encryption expiring ? I note that HPE SSL1 1.02h is the latest product available for systems running OpenVMS 8.4 so wondering whether this would address any potential issues and/or whether we need to consider migrating to SSH2 encryption ? We also have some Alpha Systems running OpenVMS 8.3 (which also run OpenView Operations Agent for OpenVMS - OVA), so given that we cant upgrade to HP SS1 (without upgrading to OpenVMS 8.4) , wondering if we're likely to suffer any associated issues when SSH1 encryption expires ?