soyMAIL @ wasd.vsm.com.au
       info-WASD Mailing List 2022 


Subject:[Info-WASD] VSI OpenSSL SSL111-V0101-1S and AXPVMS-SSL3-V0300-7
From:Mark.Daniel@wasd.vsm.com.au
Reply-to:info-wasd@vsm.com.au
Date:Sat, 31 Dec 2022 09:39:15 +1030  [31-DEC-2022 09:39]
To:info-WASD@vsm.com.au

TL;DR  The latest VSI OpenSSL kits should be fine for pre-V8.4 systems.
       Prompt VSI attention to OpenSSL releases reduces the need for
       WASD-specific OpenSSL builds so these will no longer be released.

Recently OpenSSL eliminated a VMS V8.4 dependency for their build.

  https://github.com/openssl/openssl/pull/18730#issue-1295104363

This has migrated into the OpenSSL 1.1.1s and 3.0.7 releases recently built
and released by VSI as 

  https://vmssoftware.com/products/ssl111/
  https://vmssoftware.com/products/ssl3/

The show-stopping ACCVIO access to $GETTIM_PREC on pre-V8.4 systems no longer
happens if the earlier VSI kits were (experimentally) forced to install.

This means that systems not upgraded/upgradable to V8.4 may have access to
the latest OpenSSL releases and fixes.

To prove this to myself the kits were both successfully applied, passed IVP,
and the OPENSSL application used to access eisner.decus.org, on an OpenVMS
Alpha V8.3 system (the least recent version I have access to).  YMMV with
even earlier VMS versions.

|------------------------------------ ----------- ----------- --- -----------
|PRODUCT                              KIT TYPE    OPERATION   VAL DATE
|------------------------------------ ----------- ----------- --- -----------

|DEC AXPVMS VMS V8.3                  Oper System Install     (U) 10-JAN-2013

|VSI AXPVMS SSL3 V3.0-7               Full LP     Install     (M) 30-DEC-2022
|VSI AXPVMS SSL111 V1.1-1S            Full LP     Install     (M) 30-DEC-2022

The only catch is (presumably) a VSI oversight in the PRODUCT INSTALL that
warns the product is only suitable for VMS V8.4, "Terminating is strongly
recommended.  Do you want to terminate?".  I replied "no" and as described
above the kits installed, passed IVP, finishing with a warning, "operation
completed after explicit continuation from errors".

Below are the (slightly redacted) installations of SSL111 and SSL3 along with
CLI demonstrations.

|$ product install ssl111
|
|Performing product kit validation of signed kits ...
|
|%PCSI-W-NOVALDONE, cannot validate ***:[***]VSI-AXPVMS-SSL111-V0101-1S-1.PCSI$COMPRESSED;1
|-PCSI-W-NOMANFILE, associated manifest file was not found in source directory
|Do you want to continue? [NO] y
|
|The following product has been selected:
|    VSI AXPVMS SSL111 V1.1-1S              Layered Product
|
|Do you want to continue? [YES]
|
|Configuration phase starting ...
|
|You will be asked to choose options, if any, for each selected product and for
|any products that may be installed to satisfy software dependency requirements.
|
|Configuring VSI AXPVMS SSL111 V1.1-1S: SSL111 for OpenVMS AXP V1.1-1S (Based on OpenSSL 1.1.1S)
|
|    Copyright 2022 VMS Software, Inc.
|
|Do you want the defaults for all options? [YES]
|
|Do you want to review the options? [NO]
|
|Execution phase starting ...
|
|The following product will be installed to destination:
|    VSI AXPVMS SSL111 V1.1-1S              DISK$*****_SYS:[VMS$COMMON.]
|
|Minimum OpenVMS ALPHA software not found on system, abort installation
|
|This kit requires a minimum OpenVMS ALPHA version of V8.4-2L1.
|
|Terminating is strongly recommended.  Do you want to terminate? [YES] no
|
|Portion done: 0%...10%...30%...50%...60%...70%...80%...90%...100%
|
|The following product has been installed:
|    VSI AXPVMS SSL111 V1.1-1S              Layered Product
|
|%PCSI-I-IVPEXECUTE, executing test procedure for VSI AXPVMS SSL111 V1.1-1S ...
|%PCSI-I-IVPSUCCESS, test procedure completed successfully
|
|VSI AXPVMS SSL111 V1.1-1S: SSL111 for OpenVMS AXP V1.1-1S (Based on OpenSSL 1.1.1S)
|
|    Review the Installation Guide and Release Notes for post install directions.
|
|    Review the Installation Guide and Release Notes for post upgrade verification suggestions.
|
|    Refer to SYS$HELP:SSL111-S-AXP.RELEASE_NOTES for more information.
|%PCSIUI-I-COMPWERR, operation completed after explicit continuation from errors

And works in the real world ...

|$ @SSL111$ROOT:[COM]SSL111$UTILS.COM
|$ openssl version
|OpenSSL 1.1.1s  1 Nov 2022
|SSL111 for OpenVMS V1.1(1S)  Dec 14 2022
|$ openssl s_client -connect eisner.decus.org:443
|CONNECTED(00000003)
|
|depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
|verify error:num=20:unable to get local issuer certificate
|verify return:1
|depth=1 C = US, O = Let's Encrypt, CN = R3
|verify return:1
|depth=0 CN = eisner.decus.org
|verify return:1
8< snip 8<
|---
|read R BLOCK
|closed

And OpenSSL version 3 ...

8< snip 8<
|The following product has been selected:
|    VSI AXPVMS SSL3 V3.0-7                 Layered Product
|
|Do you want to continue? [YES]
|
|Configuration phase starting ...
|
|You will be asked to choose options, if any, for each selected product and for
|any products that may be installed to satisfy software dependency requirements.
|
|Configuring VSI AXPVMS SSL3 V3.0-7: SSL3 for OpenVMS AXP V3.0-7 (Based on OpenSSL 3.0.7)
|
|    Copyright 2022 VMS Software, Inc.
8< snip 8<
|%PCSI-I-IVPEXECUTE, executing test procedure for VSI AXPVMS SSL3 V3.0-7 ...
|%PCSI-I-IVPSUCCESS, test procedure completed successfully
8< snip 8<
|%PCSIUI-I-COMPWERR, operation completed after explicit continuation from errors

|$ @SSL3$ROOT:[COM]SSL3$UTILS.COM
|$ openssl version
|OpenSSL 3.0.7 9 Nov 2022 (Library: OpenSSL 3.0.7 9 Nov 2022)
|SSL3 for OpenVMS V3.0(7) Dec 14 2022 (Library: SSL3 for OpenVMS V3.0(7) Dec 14 2022)
|$ openssl s_client -connect eisner.decus.org:443
|CONNECTED(00000003)
|
|depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
|verify error:num=20:unable to get local issuer certificate
|verify return:1
|depth=1 C = US, O = Let's Encrypt, CN = R3
|verify return:1
|depth=0 CN = eisner.decus.org
|verify return:1
8< snip 8<
|---
|read R BLOCK
|closed
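
Added example (not part of the original message, and not WASD or VSI code): a small Python audit of a PRODUCT INSTALL transcript like the one above, reporting status messages of warning severity or worse and every prompt answered against its bracketed default, so that a skipped kit validation or an overridden minimum-version check is on record. The function name `audit`, the regular expressions, and the choice to always report COMPWERR are assumptions made for this illustration; the sample lines are copied from the transcript in the message.

```python
import re

# Sample input: lines copied from the SSL111 installation transcript in the
# message above, with the "|" quoting kept as it appears on the page.
TRANSCRIPT = """\
|Performing product kit validation of signed kits ...
|%PCSI-W-NOVALDONE, cannot validate ***:[***]VSI-AXPVMS-SSL111-V0101-1S-1.PCSI$COMPRESSED;1
|-PCSI-W-NOMANFILE, associated manifest file was not found in source directory
|Do you want to continue? [NO] y
|Do you want to continue? [YES]
|Terminating is strongly recommended.  Do you want to terminate? [YES] no
|%PCSI-I-IVPEXECUTE, executing test procedure for VSI AXPVMS SSL111 V1.1-1S ...
|%PCSI-I-IVPSUCCESS, test procedure completed successfully
|%PCSIUI-I-COMPWERR, operation completed after explicit continuation from errors
"""

# OpenVMS status message: %FACILITY-S-IDENT, text ("-" starts a continuation line).
MSG = re.compile(r"^[%-](?P<fac>[A-Z0-9$_]+)-(?P<sev>[SIWEF])-(?P<ident>[A-Z0-9_]+), ")
# Yes/no prompt with a bracketed default, followed by whatever the operator typed.
PROMPT = re.compile(r"(?P<q>[^.?]*\?) \[(?P<default>YES|NO)\]\s*(?P<answer>\S*)$")
# Assumption: report this informational message too, because it records that
# the operation only finished after the operator continued past errors.
ALWAYS = {"COMPWERR"}

def audit(transcript):
    """Return (flagged status messages, prompts answered against the default)."""
    flagged, overrides = [], []
    for raw in transcript.splitlines():
        line = raw.lstrip("|").rstrip()
        m = MSG.match(line)
        if m:
            if m["sev"] in "WEF" or m["ident"] in ALWAYS:
                flagged.append((m["fac"], m["sev"], m["ident"]))
            continue
        p = PROMPT.search(line)
        # An empty answer means the operator accepted the default.
        if p and p["answer"] and p["answer"][0].upper() != p["default"][0]:
            overrides.append((p["q"].strip(), p["default"], p["answer"]))
    return flagged, overrides

if __name__ == "__main__":
    flagged, overrides = audit(TRANSCRIPT)
    for fac, sev, ident in flagged:
        print(f"status   {fac}-{sev}-{ident}")
    for question, default, answer in overrides:
        print(f"override {question} default={default} answered={answer}")
```
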
