
OpenSSL

Overview

HP-UX 11i operating systems implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/). The toolkit also contains a general-purpose cryptography library.

That toolkit is originally based on cryptographic software written by Eric Young (eay@cryptsoft.com), for which documentation has been written by Tim Hudson (tjh@cryptsoft.com).

Note 1:

When you upgrade an existing HP-UX OpenSSL installation, the current OpenSSL master configuration file, openssl.cnf, is left intact. User installations might have edited versions of this configuration file, based on the environment. This file is preserved; it is not updated or removed by upgrading to the new version.

Note 2:

If you have Internet Express OpenSSL version 0.9.7c installed on your system, you cannot upgrade to this release of OpenSSL.
You must remove the Internet Express OpenSSL 0.9.7c software before installing OpenSSL version A.01.00.02r.001, A.01.00.01s.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003.

Note 3:

This is the first release of OpenSSL version 1.0.2r on HP-UX 11i v3. These libraries are not backward compatible with the earlier OpenSSL 0.9.8 (and 0.9.7) libraries. Validate the applications using OpenSSL before using the depot in your production environment.

Note 4:

These are the known compatibility issues from OpenSSL version A.01.00.01s onwards:

  • By default, SSLv2 protocol is disabled.
  • By default, "EXPORT" or "LOW" strength ciphers in SSLv3 and later are disabled.

Before updating to OpenSSL version A.01.00.01s or later, you must check whether the protocol and ciphers listed above are used in your environment or applications. If any application (or any application using the OpenSSL command-line utility) uses the disabled protocol or ciphers, it might fail and needs to be changed before the migration. For more information, see the OpenSSL advisory at https://openssl.org/news/secadv/20160301.txt.
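One way to run the pre-upgrade check described in Note 4 against the cipher lists your applications configure. This is an added example, not HPE or OpenSSL code; the function names and sample strings are constructed for illustration, and it inspects cipher-list keywords only (it does not detect SSLv2 requested through the API or command-line protocol options).

```shell
#!/bin/sh
# Added example (not HPE or OpenSSL code): flag cipher-list tokens that request
# suites disabled by default from OpenSSL A.01.00.01s onwards.

# Map one cipher-list component to the disabled class it selects, if any.
# Assumption: only keywords and "EXP-" suite names are recognised here;
# individually named LOW suites are not.
disabled_class() {
    case $1 in
        EXP|EXPORT|EXPORT40|EXPORT56|EXP-*) echo EXPORT ;;
        LOW)   echo LOW ;;
        SSLv2) echo SSLv2 ;;
    esac
}

# audit_cipher_string "<list>": print "<token> -> <class>" for each token that
# still enables a disabled class; return 1 if any was printed, else 0.
audit_cipher_string() {
    set -f                                   # no globbing while word-splitting
    toks=$(printf '%s' "$1" | tr ':,' '  ')  # separators: ":", "," and space
    killed=" "
    found=0
    # Pass 1: "!KEYWORD" deletes a class permanently, wherever it appears.
    for t in $toks; do
        case $t in
            '!EXP'|'!EXPORT') killed="$killed EXPORT " ;;
            '!LOW')           killed="$killed LOW " ;;
            '!SSLv2')         killed="$killed SSLv2 " ;;
        esac
    done
    # Pass 2: only unprefixed tokens add suites ("-"/"!" remove, "+" reorders).
    for t in $toks; do
        case $t in '!'*|-*|+*) continue ;; esac
        for part in $(printf '%s' "$t" | tr '+' ' '); do
            class=$(disabled_class "$part")
            [ -n "$class" ] || continue
            case $killed in *" $class "*) continue ;; esac
            echo "$t -> $class"
            found=1
        done
    done
    set +f
    return $found
}

# Constructed sample values, as they might appear in an application's config.
for s in 'ALL:!EXPORT:!LOW:!SSLv2' 'HIGH:MEDIUM:EXP-RC4-MD5' 'RSA+EXPORT:LOW:!LOW'; do
    audit_cipher_string "$s" || echo "  review before upgrading: $s"
done
```

A string that passes still needs a functional test against the new libraries; the check only finds explicit requests for the disabled classes.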


OpenSSL features

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and a general-purpose cryptography library, and contains the following security features:

  • Ciphers
  • Digests
  • Public key
  • Certificates
  • Encoding
  • Federal Information Processing Standard (FIPS)
  • Automatically Generated Self-Signed Host Certificate

For more information, see the Release Notes available at http://www.hpe.com/info/hpux-security-docs.

 

OpenSSL FIPS

Federal Information Processing Standard (FIPS) 140-2 OpenSSL libraries are part of the OpenSSL product. For more information about FIPS 140-2, see https://www.openssl.org/docs/fips/.

FIPS capable open source OpenSSL version A.01.00.02r based on “FIPS Object Module” version 2.0.5 is provided on HP-UX Integrity systems. For more information and usage of FIPS capable OpenSSL, see /opt/openssl/fips/1.0/README.hp.

Important:

The FIPS code is certified only if it is identical with the source code released on the OpenSSL website. In the event of a security vulnerability, HPE cannot modify the source code because a modification of the source code can invalidate the certification.

If a vulnerability is found in the FIPS code, HPE will wait until openssl.org releases a new FIPS 140-2 certified FIPS module before updating the HP-UX OpenSSL product with the new FIPS code.

 

The prngd Random Number Generator for HP-UX 11i v1

HP-UX OpenSSL versions from 0.9.7d onwards provide a random number generator for HP-UX 11i v1. The Random Number Generator can also be used for generating self-signed host certificates automatically. Internet Express OpenSSL version 0.9.7c did not provide these components.

OpenSSL A.00.09.07m and higher rely on random numbers for generating cryptographic keys and digital signatures. You must have a strong random number generator to provide secure and non-reproducible keys and certificates. You can use /dev/urandom, /dev/random, or /opt/openssl/prngd/prngd to generate random numbers.

OpenSSL looks for the random number generator in the system in the following order:

  • /dev/urandom
  • /dev/random
  • /opt/openssl/prngd/prngd

If none of the three random number generators are available, OpenSSL returns an error while executing cryptographic functions. To prevent this situation, OpenSSL A.00.09.07m and higher versions for HP-UX 11i v1 include the /opt/openssl/prngd/prngd random number generator. The HP-UX 11i v2 and HP-UX 11i v3 operating systems contain /dev/random by default and do not require /opt/openssl/prngd/prngd.

Random number generation using /dev/urandom or /dev/random is faster than using /opt/openssl/prngd/prngd. However, prngd is automatically used by the appropriate OpenSSL function when /dev/urandom or /dev/random is not installed on the system.

 

HP-UX 11i v1 users can download /dev/random from:

https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

The prngd server reads HP-UX commands from the prngd.conf file, computes random numbers based on certain parameters, and then writes the computed random numbers to an HP-UX socket located in the /var/run/egd-pool directory. OpenSSL functions can connect to and read random numbers from this socket.
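A pre-flight check that follows the lookup order described above and reports which source would be reached, or fails when none is usable. This is an added example, not HPE or OpenSSL code; it assumes the prngd socket path is /var/run/egd-pool (pass a different path as the third argument if your prngd is configured otherwise), and the device-type test is an extra hardening step of this example.

```shell
#!/bin/sh
# Added example (not HPE or OpenSSL code): report which random source the
# documented lookup order would reach before generating keys or certificates.

# rng_source [urandom] [random] [egd_socket]
# Prints the first usable source and returns 0; returns 1 if none is usable.
# Assumption: /var/run/egd-pool is the prngd socket path itself.
rng_source() {
    urandom=${1:-/dev/urandom}
    random=${2:-/dev/random}
    egd=${3:-/var/run/egd-pool}
    for dev in "$urandom" "$random"; do
        if [ -c "$dev" ] && [ -r "$dev" ]; then
            echo "$dev"
            return 0
        elif [ -e "$dev" ]; then
            # A regular file at this path is not a kernel random device.
            echo "warning: $dev is not a readable character device" >&2
        fi
    done
    if [ -S "$egd" ]; then
        echo "$egd"
        return 0
    fi
    echo "error: no random source found; install /dev/random or start prngd" >&2
    return 1
}

# Check this host with the default paths.
rng_source || echo "cryptographic functions would return an error here" >&2
```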


Availability of OpenSSL on HP-UX operating systems

Table 1 lists the versions of OpenSSL available on HP-UX operating systems.

OpenSSL versions | Operating system
OpenSSL 0.9.7    | HP-UX 11i v1, v2, v3/HP9000
OpenSSL 0.9.8    | HP-UX 11i v1, v2, v3
OpenSSL 1.0.1    | HP-UX 11i v3/Integrity
OpenSSL 1.0.2    | HP-UX 11i v3

 

Please note: Support for OpenSSL 0.9.8 on HP-UX 11i v1, v2, and v3 ended on Dec 31st 2015. OpenSSL 1.0.1 reached end of support on Dec 31st 2016.

Please upgrade to the latest version of OpenSSL 1.0.2 on HP-UX 11i v3.

 

Product Documentation

The product documentation available for OpenSSL includes the Manpages and Release Notes.

The OpenSSL A.01.00.02r.001, A.01.00.01s.001, A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 Release Notes are available at http://www.hpe.com/info/hpux-security-docs.

 
Additional product information
Product #: OPENSSL11I
Version: A.01.00.02r.001;A.00.09.08zf.00x
Software specification: OpenSSL_A.01.00.02r.001_HP-UX_B.11.31_IA_PA.depot
OpenSSL_A.01.00.01s.001_HP-UX_B.11.31_IA_PA.depot
OpenSSL_A.00.09.08zf.001_HP-UX_B.11.11_32_64.depot
OpenSSL_A.00.09.08zf.002_HP-UX_B.11.23_IA_PA.depot
OpenSSL_A.00.09.08zf.003_HP-UX_B.11.31_IA_PA.depot
OpenSSL Release Notes for Versions A.00.09.08zf.001, A.00.09.08zf.002, and A.00.09.08zf.003 (762808-008.pdf)
OpenSSL Release Notes for Version A.01.00.01s.001, HP-UX 11i v3 (828902-004.pdf)