OpenSSL

Overview

HP-UX 11i operating systems implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols using the OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/).

That toolkit is based on cryptographic software written by Eric Young (eay@cryptsoft.com), for which documentation has been written by Tim Hudson (tjh@cryptsoft.com).

The OpenSSL versions A.01.00.01p.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 from HP supporting HP-UX 11i operating systems include 0.9.7m, 0.9.8zf, 1.0.1p (HP-UX 11i v3 Integrity only), fips_1_1_2 (based on 0.9.7m), fips_1_2 (based on 0.9.8zf), and fips_2_0_5 (based on OpenSSL 1.0.1p and available on HP-UX 11i v3 Integrity only).

If you have Internet Express OpenSSL version 0.9.7c installed on your system, you cannot upgrade to this release of OpenSSL.

You must remove the Internet Express OpenSSL 0.9.7c software before installing OpenSSL version A.01.00.01p.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003.

 

Note:

When you upgrade an existing HP-UX OpenSSL installation, the current OpenSSL master configuration file, openssl.cnf is left intact. User installations might have edited versions of this configuration file, based on the environment. This file is preserved, and it is not updated or removed by upgrading to the new version.

 

OpenSSL features

OpenSSL FIPS

Federal Information Processing Standard (FIPS) 140-2 OpenSSL libraries are part of the OpenSSL product. For more information about FIPS 140-2, see the following web address: https://www.openssl.org/docs/fips/

 

Important:

The FIPS code is certified only if it is identical to the source code released on the OpenSSL website. In the event of a security vulnerability, HP cannot modify the source code, because modifying it can invalidate the certification.

If a vulnerability is found in the FIPS code, HP will wait until openssl.org releases a new FIPS 140-2 certified FIPS module before updating the HP OpenSSL product with the new FIPS code.

 

The prngd Random Number Generator for HP-UX 11i v1

HP-UX OpenSSL versions from 0.9.7d onwards provide a random number generator for HP-UX 11i v1. The Random Number Generator can also be used for generating self-signed host certificates automatically. Internet Express OpenSSL version 0.9.7c did not provide these components.

OpenSSL A.00.09.07m and higher rely on random numbers for generating cryptographic keys and digital signatures. You must have a strong random number generator to provide secure and non-reproducible keys and certificates. You can use /dev/urandom, /dev/random, or /opt/openssl/prngd/prngd to generate random numbers.

OpenSSL looks for the random number generator in the system in the following order:

  • /dev/urandom
  • /dev/random
  • /opt/openssl/prngd/prngd

If none of the three random number generators is available, OpenSSL returns an error while executing cryptographic functions. To prevent this situation, OpenSSL A.00.09.07m and higher versions for HP-UX 11i v1 include the /opt/openssl/prngd/prngd random number generator. The HP-UX 11i v2 and HP-UX 11i v3 operating systems contain /dev/random by default and do not require /opt/openssl/prngd/prngd.

Random number generation using /dev/urandom or /dev/random is faster than using /opt/openssl/prngd/prngd. However, prngd is automatically used by the appropriate OpenSSL function when /dev/urandom or /dev/random is not installed on the system.

 

HP-UX 11i v1 users can download /dev/random from:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

The prngd server reads HP-UX commands from the prngd.conf file, computes random numbers based on certain parameters, and then writes the computed random numbers to an HP-UX socket located in the /var/run/egd-pool directory. OpenSSL functions can connect to and read random numbers from this socket.

 

Automatically Generated Self-Signed Host Certificate

An SSL-enabled server requires a host certificate that identifies the server. A certificate is a document that contains information such as the host ID, the name and ID of the Certificate Authority, and the expiration date of the certificate. Before you can deploy an SSL-enabled server for production, it must acquire a certificate signed by a legitimate Certificate Authority (for example, a digital certificate issued by VeriSign). However, for testing purposes, the certificate can also be self-signed (by the application generating the certificate). Normally, self-signed certificates are used for testing and certification of SSL-enabled servers. Setting up a certificate hierarchy can initially consume a lot of time. Therefore, if a self-signed certificate is readily available, you can direct your SSL-server to this certificate.

OpenSSL automatically generates a self-signed host certificate and a private key. The host certificate is stored as /opt/openssl/certs/host.pem, and the private key of the host certificate is stored as /opt/openssl/private/hostkey.pem. The subject name of the certificate is as follows:

C=US, ST=CA, L=City, O=Company, CN=localhost/emailAddress=www@localhost

You can also generate a self-signed host certificate using the following command:

openssl req -new -x509 -out /opt/openssl/certs/host.pem -keyout /opt/openssl/private/hostkey.pem -nodes -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/emailAddress=www@localhost
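
The following audit script is an added example, not HP's code: it reports which entropy source from the lookup order described earlier is present, and flags the auto-generated host certificate and its unencrypted key described in this section. The optional ROOT prefix and the status labels it prints are assumptions of this example.

```sh
#!/bin/sh
# Added example, not HP's code. ROOT (optional first argument of rng_source)
# is an assumption of this example so a staged tree can be inspected.

# Print the first entropy source present, in the order the page lists.
rng_source() {
    root=${1:-}
    for dev in /dev/urandom /dev/random; do
        if [ -c "$root$dev" ]; then echo "$dev"; return 0; fi
    done
    if [ -x "$root/opt/openssl/prngd/prngd" ]; then
        echo /opt/openssl/prngd/prngd; return 0
    fi
    echo none; return 1
}

# Classify a certificate: missing, unparsable, ca-issued, self-signed, or
# placeholder (self-issued with the CN=localhost subject shown on the page).
# Subject equal to issuer is used as the self-signed heuristic.
host_cert_status() {
    cert=$1
    if [ ! -r "$cert" ]; then echo missing; return 0; fi
    subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    if [ -z "$subj" ]; then echo unparsable; return 0; fi
    if [ "$subj" != "$issr" ]; then echo ca-issued; return 0; fi
    case $subj in
        *"CN=localhost"*|*"CN = localhost"*) echo placeholder ;;
        *) echo self-signed ;;
    esac
}

# Succeed only if the key file exists with no group/other permission bits.
# -nodes in the page's command leaves the private key unencrypted on disk.
key_is_private() {
    mode=$(ls -lL "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Report on the paths named on this page.
echo "entropy source:   $(rng_source)"
echo "host certificate: $(host_cert_status /opt/openssl/certs/host.pem)"
key_is_private /opt/openssl/private/hostkey.pem ||
    echo "host key: missing, or readable by group/other"
```

A result of `placeholder` on a production server means the test certificate was never replaced with one signed by a Certificate Authority.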

 

OpenSSL security features

OpenSSL versions A.01.00.01p.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 support the following security features:

  • Ciphers
  • Message digest
  • Public key encryption
  • Certificates
  • Encoding

Availability of OpenSSL on HP-UX operating systems

Table 1 lists the versions of OpenSSL available on HP-UX operating systems.

| OpenSSL versions | Operating system |
| --- | --- |
| OpenSSL 0.9.7 | HP-UX 11i v1, v2, v3/HP9000 |
| OpenSSL 0.9.8 | HP-UX 11i v1, v2, v3 |
| OpenSSL 1.0.1 | HP-UX 11i v3/Integrity |

 

Please note: Support for OpenSSL 0.9.8 on HP-UX 11i v1, v2 and v3 reached end of support on Dec 31st 2015.

Please upgrade to the latest version of OpenSSL 1.0.1 on HP-UX 11i v3/Integrity. Please also note that OpenSSL 1.0.1 will reach end of support by Dec 31st 2016.

 

Product Documentation

The product documentation available for OpenSSL includes the Manpages and Release Notes.

The OpenSSL A.01.00.01p.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 Release Notes are available at http://www.hp.com/go/hpux-security-docs

 
Additional product information
Product #: OPENSSL11I
Version: A.01.00.01P.001;A.00.09.08zf.00x
Software specification: OpenSSL_A.01.00.01p.001_HP-UX_B.11.31_IA_PA.depot
OpenSSL_A.00.09.08zf.001_HP-UX_B.11.11_32_64.depot
OpenSSL_A.00.09.08zf.002_HP-UX_B.11.23_IA_PA.depot
OpenSSL_A.00.09.08zf.003_HP-UX_B.11.31_IA_PA.depot
OpenSSL Release Notes for Versions A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 (762808-008.pdf)
OpenSSL Release Notes for Version A.01.00.01p.001, HP-UX 11i v3 (828902-002.pdf)