HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

XPEN-Paul
Occasional Visitor

Apologies if I've missed this somewhere when searching the forums ...

I need to upgrade openSSL, looking to go from 1.0.2u to 3.015 (or 3.017), but can't seem to find any useful/helpful information on the required configuration changes to sendmail. I keep seeing notes about using STARTTLS, and have already tested connection to customer's Exchange server to elicit STARTTLS prompt from it - which seems to work okay.
Any of you good and great people out there been through this upgrade process (actually getting openSSL package onto the server is fine - I'm familiar enough with swinstall, and have taken note where it says you need to first uninstall the old openSSL (otherwise you're certain to run into problems)) - it's just all the bits post package install, about creating required SSL certificates and changes required to sendmail.cf (and others?) that I'm struggling to find information about.

Many thanks
Paul

Steven Schweda
Honored Contributor

Re: HP-UX 11.31 openSSL upgrade required to utilise >= TLS 1.2 to MS Exchange

> [...] Any of you good and great people out there been thorugh this
> upgrade process [...]

   Not I.  I haven't used sendmail in decades (before TLS), so I know
nothing, but...

   It's not obvious to me that you'd need to make any changes to the
sendmail certificate configuration because of an OpenSSL version change.
Unless the certificates were created using some algorithm which is now
obsolete/unsupported-by-OpenSSL, I'd expect them to be as valid with a
new OpenSSL as they were with the old one.  (But what do I know?)

   The worry that _I_ would have is that if your current sendmail
program was linked (non-static) with an old version of OpenSSL, and
you're _removing_ that old version of OpenSSL, your old sendmail
program might not work with the new version of OpenSSL.  I believe that
there have been more than a few API changes between OpenSSL 1.0.x and
OpenSSL 3.0.x, so your old sendmail program might not work as expected
on a system with (only) a new (shared-object) OpenSSL kit.

   I'd expect that a newer sendmail program built/compatible with
OpenSSL 3.0.x would have a better chance of running than your old one.
You'd need to check whether your old certificates would be compatible
with the newer sendmail program, but I'd still doubt that a newer
OpenSSL (itself) would be the cause of problems there.

   Perhaps someone with actual knowledge will join the discussion, and
straighten out my potential (probable?) misunderstandings.
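As an added example (not code from either post, nor HPE's or sendmail's own), a small POSIX sh script covering the two checks raised in this thread: whether the existing sendmail binary is dynamically linked against the OpenSSL 1.0.x shared objects that the upgrade removes, and whether a STARTTLS session to the Exchange host really negotiates TLS 1.2 or better. It assumes ldd(1) and openssl(1) are on the PATH; the library names, paths, hostname and sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for the OpenSSL 1.0.2 -> 3.x
# move on HP-UX 11.31. Assumes ldd(1) and openssl(1) are on PATH; the library
# names, paths and sample outputs below are constructed, not captured.
# Constructed ldd(1) output for a sendmail linked against OpenSSL 1.0.x
# (assumed HP-UX object names) and for one rebuilt against OpenSSL 3.x.
SAMPLE_LDD_OLD='        libssl.so.1.0.0 =>     /usr/lib/hpux32/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>  /usr/lib/hpux32/libcrypto.so.1.0.0
        libc.so.1 =>           /usr/lib/hpux32/libc.so.1'
SAMPLE_LDD_NEW='        libssl.so.3 =>         /usr/local/lib/hpux32/libssl.so.3
        libcrypto.so.3 =>      /usr/local/lib/hpux32/libcrypto.so.3'
# Constructed tails of "openssl s_client" session summaries.
SAMPLE_SCLIENT_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_SCLIENT_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Print the libssl/libcrypto shared objects named in ldd-style output.
ssl_deps_from_ldd() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)[.]/ { print $1 }' | sort -u
}

# Succeed if the binary depends on a 1.0.x libssl/libcrypto: uninstalling the
# old OpenSSL kit first, as the install notes say, would leave it unable to load.
depends_on_old_openssl() {
    ssl_deps_from_ldd "$1" | grep -Eq 'lib(ssl|crypto)\.(so|sl)\.1\.0'
}

# Succeed only if s_client output shows TLS 1.2+ AND a real cipher: s_client
# prints "Protocol : TLSv1.2" even after a failed handshake, and "Cipher : 0000"
# is the tell that no session was negotiated.
negotiated_tls12_or_better() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            ok = (proto == "TLSv1.2" || proto == "TLSv1.3") && cipher != "" && cipher != "0000"
            exit (ok ? 0 : 1)
        }'
}

# Live checks (not run on the samples). Binary path and hostname are placeholders.
check_sendmail_binary() { depends_on_old_openssl "$(ldd "${1:-/usr/sbin/sendmail}" 2>&1)"; }
check_exchange_starttls() {
    negotiated_tls12_or_better "$(openssl s_client -connect "${1:-exchange.example.invalid}:25" \
        -starttls smtp -tls1_2 </dev/null 2>&1)"
}
```

Run `check_sendmail_binary` before removing the old OpenSSL depot, and `check_exchange_starttls <host>` after the upgrade; a "Cipher : 0000" summary means the server rejected the TLS 1.2 offer even though STARTTLS was advertised.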