Operating System - HP-UX

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

XPEN-Paul
Visitor

HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

Apologies if I've missed this somewhere when searching the forums ...

I need to upgrade openSSL, looking to go from 1.0.2u to 3.0.15 (or 3.0.17), but can't seem to find any useful/helpful information on the required configuration changes to sendmail.  I keep seeing notes about using STARTTLS, and have already tested connection to customer's Exchange server to elicit STARTTLS prompt from it - which seems to work okay.
Have any of you good and great people out there been through this upgrade process? (Actually getting the openSSL package onto the server is fine - I'm familiar enough with swinstall, and have taken note where it says you need to first uninstall the old openSSL (otherwise you're certain to run into problems).) It's just all the bits post package install, about creating required SSL certificates and changes required to sendmail.cf (and others?), that I'm struggling to find information about.

Many thanks
Paul

Steven Schweda
Honored Contributor

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

> [...] Any of you good and great people out there been thorugh this
> upgrade process [...]

   Not I.  I haven't used sendmail in decades (before TLS), so I know
nothing, but...

   It's not obvious to me that you'd need to make any changes to the
sendmail certificate configuration because of an OpenSSL version change.
Unless the certificates were created using some algorithm which is now
obsolete/unsupported-by-OpenSSL, I'd expect them to be as valid with a
new OpenSSL as they were with the old one.  (But what do I know?)

   The worry that _I_ would have is that if your current sendmail
program was linked (non-static) with an old version of OpenSSL, and
you're _removing_ that old version of OpenSSL, that your old sendmail
program might not work with the new version of OpenSSL.  I believe that
there have been more than a few API changes between OpenSSL 1.0.x and
OpenSSL 3.0.x, so your old sendmail program might not work as expected
on a system with (only) a new (shared-object) OpenSSL kit.

   I'd expect that a newer sendmail program built/compatible with
OpenSSL 3.0.x would have a better chance of running than your old one.
You'd need to check whether your old certificates would be compatible
with the newer sendmail program, but I'd still doubt that a newer
OpenSSL (itself) would be the cause of problems there.

   Perhaps someone with actual knowledge will join the discussion, and
straighten out my potential (probable?) misunderstandings.
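The linkage worry in the reply above can be checked before the old OpenSSL depot is removed. The script below is an added example by the editor, not tooling from HPE, sendmail or anyone in the thread. It lists the shared objects the installed sendmail binary depends on and maps any libssl/libcrypto it finds to an OpenSSL release series; if none is listed, sendmail is either statically linked or built without STARTTLS, and swapping the OpenSSL depot cannot change its TLS behaviour. It assumes that on HP-UX `chatr` prints each library as the last field of a line in its shared-library list, and that elsewhere `ldd` prints `name => /path` lines; both are assumptions about output format, not facts from the thread.

```shell
#!/bin/sh
# Added example for this thread (not HPE's or sendmail's own tooling): report
# which OpenSSL shared objects a sendmail binary actually loads, so the
# "old sendmail + new libssl" risk can be checked before removing the old depot.
# Assumptions: HP-UX 'chatr' shows each dependency as the last field of a line
# ("dynamic /usr/lib/libssl.sl.1.0.0" on PA-RISC, a bare name on Itanium);
# elsewhere 'ldd' prints "libssl.so.1.0.0 => /path/libssl.so.1.0.0 (addr)".

# Map a libssl/libcrypto path or SONAME to the OpenSSL release series it
# belongs to (SONAMEs seen in the wild: 0.9.8, 1.0.0, "10" on RHEL, 1.1, 3).
openssl_series() {
  case "$1" in
    *libssl.s[lo].3*|*libcrypto.s[lo].3*)       echo "3.x" ;;
    *libssl.s[lo].1.1*|*libcrypto.s[lo].1.1*)   echo "1.1.x" ;;
    *libssl.s[lo].1.0*|*libcrypto.s[lo].1.0*)   echo "1.0.x" ;;
    *libssl.s[lo].10|*libcrypto.s[lo].10)       echo "1.0.x" ;;
    *libssl.s[lo].0.9*|*libcrypto.s[lo].0.9*)   echo "0.9.x" ;;
    *) echo "unknown" ;;
  esac
}

# Print the shared-object names/paths a binary depends on, one per line.
list_shared_deps() {
  if command -v chatr >/dev/null 2>&1; then
    chatr "$1" 2>/dev/null | awk 'NF { print $NF }'
  else
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
  fi
}

# Read dependency names on stdin; print each OpenSSL library with its series.
# Returns 1 if no libssl/libcrypto is listed (static link, or no STARTTLS).
summarise_deps() {
  found=0
  while IFS= read -r dep; do
    case "$dep" in
      *libssl.s[lo]*|*libcrypto.s[lo]*)
        found=1
        printf '%s -> OpenSSL %s\n' "$dep" "$(openssl_series "$dep")" ;;
    esac
  done
  if [ "$found" -eq 0 ]; then
    echo "no shared libssl/libcrypto dependency (statically linked, or built without STARTTLS)"
    return 1
  fi
}

# Usage: sh check_sendmail_ssl.sh /usr/sbin/sendmail
if [ $# -gt 0 ]; then
  echo "openssl in PATH: $(openssl version 2>/dev/null || echo 'not found')"
  list_shared_deps "$1" | summarise_deps
fi
```

Run it against `/usr/sbin/sendmail` on the dev/test box first; if it reports a 1.0.x libssl, removing the 1.0.2u depot will leave that binary unable to start until a sendmail built against the new library is installed, whereas a statically linked build is unaffected and only the sendmail package itself needs replacing.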

XPEN-Paul
Visitor

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

Hi Steven and thanks for responding.

A separately logged call with HPE themselves seems to be suggesting I just try upgrading sendmail package first (they've given some info about checking version of openSSL that's already in use, but the version numbers they're quoting don't seem to tally with what's installed on the customer's server at all).

First for me will be trying to upgrade sendmail on one of their dev/test servers I've access to.

I'll leave this query open here, pending anyone else commenting.

Regards
Paul

XPEN-Paul
Visitor
Solution

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

Hi again Steven.

Right - now I've finally gotten someone at HPE Support to show me the required combination of versions between sendmail and openssl, it actually appears that my customer already has a matching pair ... being sendmail C.8.15.2.3 and with openssl 1.0.2u

Next port of call for me now is to look at changing the existing sendmail configuration over to start using TLS 1.2, so my search is now changing to look for guides/notes anywhere on achieving this

Really appreciate you taking the time to respond - thanks again!

Steven Schweda
Honored Contributor

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

> [...] my customer already has a matching pair ... being sendmail
> C.8.15.2.3 and with openssl 1.0.2u

   Ok, but OpenSSL 1.0.2[u] might not be a good base upon which to
build.

      https://openssl-library.org/news/vulnerabilities-1.0.2/

      OpenSSL 1.0.2 is out of support since 1st January 2020 and is no
      longer receiving updates.

I presume that that sendmail version itself is similarly obsolete.

   If you're getting your sendmail kit from HPE, then it might be linked
static with some particular (known-compatible) version of OpenSSL.  In
that case, it would be self-contained, and not affected by any
user-installed OpenSSL kit.  That would also mean that you should worry
about installing some sufficiently modern version of sendmail, and not
about installing any particular version of OpenSSL.

   _If_ you were building sendmail from a _source_ kit, _then_ you would
need to worry about with which OpenSSL kit you were linking it.

> Next port of call [...]

   Knowing nothing, I'd start by looking for a non-obsolete version of
sendmail, and then looking at its documentation to see how to configure
it.  With an eye toward whether the existing configuration still makes
sense for the newer sendmail version.

XPEN-Paul
Visitor

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

Hi Steven and thanks for your input here.

HPE has indicated that this should work, given we’re on compatible versions of sendmail and openssl at present.

I’ve done changes to create new sendmail.cf and submit.cf for STARTTLS, along with creating new CA and server certificates, but currently awaiting HPE response to an issue when I restart sendmail, whereby it complains STARTTLS cannot see a valid /dev/urandom (which does exist, along with /dev/random, which I’ve also tried setting in the config).

Customer has further complicated matters this morning, by coming back with a comment that they’re about to change their mail system around anyway, moving to Exchange Online and decommissioning the current set of load-balanced servers! Best laid plans eh? I can foresee a ‘lively discussion’ is about to happen between customer’s Infosec and Infrastructure teams, as to which order things need to now happen (and especially when, as they’re also now supposed to be in pre-Christmas “Golden Quarter” lockdown on anything bar emergency changes, from now until January 2026)!

Regards
Paul
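Two points in the thread lend themselves to a worked example: the search for how to make sendmail 8.15.x use TLS 1.2 and nothing older (the "next port of call" post), and the STARTTLS/RandFile complaint in the last post. The script below is an added example by the editor, not a file from HPE, from sendmail, or from the thread. The first function prints the STARTTLS `define`s to place in `sendmail.mc` (and the client-side ones in `submit.mc`) ahead of the `MAILER()` lines; the `ServerSSLOptions`/`ClientSSLOptions` values are OpenSSL `SSL_OP_*` names that sendmail applies with `+`, which is how TLS 1.0/1.1 are switched off in 8.15. `RandFile` is included because sendmail documents its value as needing a `file:` or `egd:` prefix; whether this HPE build needs `RandFile` at all (rather than reading `/dev/urandom` itself) is what HPE support has to confirm, so that line is the editor's suggestion, not a diagnosis of the logged error. The second function feeds an `openssl s_client -starttls smtp -tls1_2` transcript through a small parser and fails unless TLS 1.2 or 1.3 with a real cipher and a verified certificate came back, which catches the case where a peer only offers older protocols (s_client then still prints a session block, with cipher `0000`). Certificate paths under `/etc/mail/certs` and the CA bundle name are assumed.

```shell
#!/bin/sh
# Added example for this thread (not HPE's, sendmail's or the poster's files).
# Assumptions: sendmail 8.15.x built with STARTTLS; certificates under
# /etc/mail/certs (hypothetical paths); an OpenSSL CLI new enough for -tls1_2.

# STARTTLS defines for the .mc file.  The *_SSL_OPTIONS values are OpenSSL
# SSL_OP_* names, '+' sets each one, so SSLv2/3 and TLS 1.0/1.1 are disabled
# both inbound (server) and outbound to Exchange (client).  RandFile is shown
# with the file: prefix sendmail documents; drop it if this build reads
# /dev/urandom on its own.
tls_mc_fragment() {
  cat <<'EOF'
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/CAcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/MYcert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/MYkey.pem')dnl
define(`confRAND_FILE', `file:/dev/urandom')dnl
define(`confCIPHER_LIST', `HIGH:!aNULL:!MD5:!RC4')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl
EOF
}

# Summarise an 'openssl s_client -starttls smtp' transcript read on stdin.
# Returns 0 only for TLS 1.2/1.3 with a real cipher and a verified peer cert;
# a failed handshake leaves "Cipher : 0000" and a verify code of 0, so the
# cipher check is what turns that into a failure.
summarise_probe() {
  awk '
    /^ *Protocol *:/       { proto = $NF }
    /^ *Cipher *:/         { cipher = $NF }
    /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $0 }
    END {
      printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify
      if ((proto == "TLSv1.2" || proto == "TLSv1.3") &&
          cipher != "" && cipher != "0000" && verify ~ /^0 /) exit 0
      exit 1
    }'
}

# Probe a peer (the customer's Exchange MTA), forcing TLS 1.2 so that a server
# which only offers older protocols fails visibly.  cafile (assumed path) is
# whatever bundle trusts the peer's certificate.
probe_starttls() {
  host=$1; port=${2:-25}; cafile=${3:-/etc/mail/certs/CAcert.pem}
  openssl s_client -connect "$host:$port" -starttls smtp -tls1_2 \
      -CAfile "$cafile" </dev/null 2>&1 | summarise_probe
}

# Usage: sh tls12_sendmail.sh fragment              (paste before MAILER() lines)
#        sh tls12_sendmail.sh probe exchange.example.com [25] [ca.pem]
case "${1:-}" in
  fragment) tls_mc_fragment ;;
  probe)    [ $# -ge 2 ] || { echo "usage: $0 probe host [port] [cafile]" >&2; exit 2; }
            probe_starttls "$2" "$3" "$4" ;;
esac
```

After regenerating `sendmail.cf`/`submit.cf` with m4 and restarting, run the probe against the Exchange host from the HP-UX box itself, since that exercises the same OpenSSL the MTA uses. Note that these options only govern what sendmail will negotiate; delivery to Exchange stays opportunistic (falling back to cleartext if STARTTLS fails) unless an access-map entry such as `TLS_Srv:exchange.example.com ENCR:128` makes encryption mandatory for that peer.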