
Re: Using SSL with sockets on VMS

 
David Froble
Occasional Advisor

Using SSL with sockets on VMS

I've got some applications using socket communications, using the system services interface on VMS.

My new task is to enable the use of SSL with select socket communications.

My plan is to determine the requirement for a secure connection when a listener gets a connection request, then open a communications socket using the requested protocols, if that particular protocol is allowed. (Whether my plan is viable, I have yet to discover.)

My problem is finding any documentation on the use of SSL with sockets.

I have looked at the latest copy of "HP TCP/IP Services for OpenVMS Sockets API and System Services Programming" on the documentation site, and cannot find any reference to SSL.

If someone could direct me to appropriate documentation, it would be appreciated. (My web search skills are very poor, and I do not have a high-speed connection.)

If someone could also provide some helpful information on set-up of SSL on VMS V8.3, things needed to be done, and such, that also would be appreciated.
Richard Whalen
Honored Contributor

Re: Using SSL with sockets on VMS

The SSL libraries are a port of OpenSSL and you can find online documentation at http://www.openssl.org/docs/
O'Reilly publishes a good book on using OpenSSL: Network Security with OpenSSL. http://www.amazon.com/Network-Security-OpenSSL-John-Viega/dp/059600270X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208985385&sr=8-1

You may have to write your own BIO routines if you exchange some I/O before deciding that the connection should be encrypted.
Steven Schweda
Honored Contributor

Re: Using SSL with sockets on VMS

If you're desperate for some example code, I
believe that (my) wget for VMS has some (and
may even work). I haven't really looked at
it, but it seems to be there, and I believe
that I did a couple of "https://" tests (long
ago).
David Froble
Occasional Advisor

Re: Using SSL with sockets on VMS

I'm not working in C. The OpenSSL documentation sort of implies that I need C type header file(s).

But my questions are a bit more basic (sic) than how to use the SSL routines.

Does an application actually have to call the various SSL routines to encrypt and decrypt? I was sort of hoping that SSL was used by TCP/IP, such that I'd set a flag on a socket, and TCP/IP would transparently do the SSL stuff. So the question is, am I dreaming of a capability that does not exist?

My applications are written in DEC Basic. I'd sort of hoped that I would not have to re-create the C header file definitions in Basic, nor work out how to call the SSL routines from a language other than C.

Sort of gets back to my original question. Does HP have any documentation specific to using SSL in VMS?
Richard Brodie_1
Honored Contributor

Re: Using SSL with sockets on VMS

The SSL documentation is in the base VMS documentation set:
http://h71000.www7.hp.com/doc/83FINAL/BA554_90007/index.html

"I was sort of hoping that SSL was used by TCP/IP, such that I'd set a flag on a socket, and TCP/IP would transparently do the SSL stuff. So the question is, am I dreaming of a capability that does not exist ? "

That would be closer to IPsec, rather than SSL.
Richard Whalen
Honored Contributor

Re: Using SSL with sockets on VMS

When using SSL you generally replace your calls to TCP/IP routines with calls to SSL routines. The SSL routines will then use either built-in or your own routines to write the encrypted data over the TCP/IP connection.
David Froble
Occasional Advisor

Re: Using SSL with sockets on VMS

Ok, found the documentation. Thanks Richard. For some reason my searches ended up with 8.2 documentation, not 8.3 documentation.

It's becoming apparent to me that this is not going to be a "plug in SSL and use it" thing. Would somebody pass the bottle of aspirin please.

Some more questions:

When an incoming connection request arrives from a client wishing a secure connection, it seems to me that that connection request itself cannot be secure, since the SSL handshake has not yet occurred. What is there in a connection request that asks for a secure connection?

Or should the listener be handling this logic?

Is there any information, anywhere, on using SSL on VMS from any language other than C?

Data structure definitions?
Richard Whalen
Honored Contributor

Re: Using SSL with sockets on VMS

If having a secure connection is optional, then it is necessary for the client and server to come to an agreement on this before they call the SSL_do_handshake routine. One model you could look at is RFC 4217 (Securing FTP with TLS). http://www.ietf.org/rfc/rfc4217.txt?number=4217 Specifically the AUTH TLS command.

(Open)SSL comes to us from the Unix world, where C is the primary language. You may end up having to create a couple of C modules that handle the interface between your program and SSL. This could also help keep the overall code easier to read as it would hide most of the mechanics of SSL.
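
The cleartext agreement described in the reply above, written as the kind of small C module it suggests (an added example, not code from this thread, HP or OpenSSL). The function name `negotiate_upgrade`, the reply texts and the line-based protocol are assumptions modelled on RFC 4217's AUTH TLS; the OpenSSL calls are only named in a comment.

```c
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>

enum upgrade { UPGRADE_TLS, STAY_PLAIN, REFUSED, IO_ERROR };

/* Read one CRLF- or LF-terminated line a byte at a time, so nothing the
   client sends after the line (for example its TLS ClientHello) is consumed
   here before the TLS layer owns the socket. */
static int read_line(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    char c;
    while (n + 1 < cap) {
        if (recv(fd, &c, 1, 0) <= 0) return -1;   /* EOF or error mid-line */
        if (c == '\n') {
            if (n > 0 && buf[n - 1] == '\r') n--;
            buf[n] = '\0';
            return (int)n;
        }
        buf[n++] = c;
    }
    return -1;                                    /* over-long line: give up */
}

static int reply(int fd, const char *msg)
{
    size_t len = strlen(msg);
    return send(fd, msg, len, 0) == (ssize_t)len ? 0 : -1;
}

/* Decide, in cleartext, whether this connection is upgraded. On STAY_PLAIN
   the first application line is left in `line` for the caller to process. */
enum upgrade negotiate_upgrade(int fd, int tls_allowed, char *line, size_t cap)
{
    if (read_line(fd, line, cap) < 0) return IO_ERROR;
    if (strncasecmp(line, "AUTH ", 5) != 0) return STAY_PLAIN;
    if (strcasecmp(line + 5, "TLS") != 0) {
        reply(fd, "504 Unknown security mechanism\r\n");
        return REFUSED;
    }
    if (!tls_allowed) {                /* policy for this listener says no */
        reply(fd, "534 TLS not permitted on this service\r\n");
        return REFUSED;
    }
    /* Only after this reply is sent does the caller hand fd to OpenSSL
       (SSL_set_fd, then SSL_accept or SSL_do_handshake). */
    return reply(fd, "234 Proceed with TLS negotiation\r\n") == 0
               ? UPGRADE_TLS : IO_ERROR;
}
```

A caller in another language only needs to pass the connected socket and a policy flag and branch on the returned code.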
Hoff
Honored Contributor

Re: Using SSL with sockets on VMS

If the data rates and the environment permit it, migrating the existing IP connections over to an outboard VPN device might be a reasonable alternative. Minimal (or no) changes to the host code would be required.
Richard J Maher
Trusted Contributor

Re: Using SSL with sockets on VMS

Hi David,

I see no one has yet mentioned "Stunnel" (versions of which are available for VMS). Basically it sits on port X and does the SSL and then redirects the messages to your non-SSL port Y. DoS attacks being a bit problematic :-( It also doesn't support OOB data but I'm sure I've seen an SSL RFC somewhere that says OOB data is included in the standard?

You may also wish to look at Process Software's IPsec which has been available for some years now. As long as you have fixed IP addresses then I don't see a problem with it. UCX has also been promising to come out with a version of IPsec for as long as I can remember but to date has only come out with an "Early Adopters Kit" whose very name has left the more cautious in the user-base a tad unwilling to embrace it.

IPsec is the future! (As soon as the usual System/Network management inertia is overcome :-)

No more SFTP/FTPs, SSH, 80/443. . .

Cheers Richard Maher