OpenSSL

Overview

HP-UX 11i operating systems implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols using the OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/). That toolkit is based on cryptographic software written by Eric Young (eay@cryptsoft.com), for which documentation has been written by Tim Hudson (tjh@cryptsoft.com).

The following OpenSSL versions from HP supporting HP-UX 11i operating systems, A.00.09.08l.001, A.00.09.08l.002, and A.00.09.08l.003, are based on versions 0.9.7m and 0.9.8l from http://www.openssl.org/. (See Table 1 for the contents of the depots.)

If Internet Express OpenSSL version 0.9.7c is installed on your system, you cannot upgrade to this release of OpenSSL. You must remove Internet Express OpenSSL 0.9.7c software before installing OpenSSL versions A.00.09.08l.001, A.00.09.08l.002, and A.00.09.08l.003.

Note: When you upgrade an existing HP-UX OpenSSL installation, the current OpenSSL master configuration file, openssl.cnf, is left intact. Typically, user installations include edited versions of this configuration file, based on their environment. This file is preserved, and it is not updated or removed by upgrading to the new version.

Note: HP provides software technical support for OpenSSL for only the latest, currently shipping version and the immediately prior version of the product.

OpenSSL Features

The following list describes some OpenSSL features:

  • Federal Information Processing Standard (FIPS) 140-2 OpenSSL libraries are part of the OpenSSL product. For more information about FIPS 140-2, see the following web address:
    http://www.oss-institute.org/index.php?option=com_content&task=blogcategory&id=84&Itemid=123

  • FIPS 1.1.2 libraries are available for 0.9.7m and FIPS 1.2 libraries for 0.9.8l

    Important:

    The FIPS code is certified only if it is identical with the source code released by the Open Source Software Institute (OSSI) organization on the OpenSSL website. In the event of a security vulnerability, HP cannot modify the source code because a modification of the source code can invalidate the certification.

    If a vulnerability is found in the FIPS code, HP will wait until the OSSI organization releases a new FIPS 140-2 certified FIPS module before updating the HP OpenSSL product with the new FIPS code.

  • HP-UX OpenSSL versions from 0.9.7d onwards provide a random number generator for HP-UX 11i v1. The Random Number Generator can also be used for generating self-signed host certificates automatically. Internet Express OpenSSL version 0.9.7c did not provide these components.
    • The prngd Random Number Generator for HP-UX 11i v1

      OpenSSL A.00.09.07m and above rely on random numbers for generating cryptographic keys and digital signatures. A strong random number generator is necessary to provide secure and non-reproducible keys and certificates. You can use /dev/urandom, /dev/random, or /opt/openssl/prngd/prngd to generate random numbers.

      OpenSSL looks for the random number generator in the system in the following order:

      • /dev/urandom
      • /dev/random
      • /opt/openssl/prngd/prngd

      If none of the three random number generators is available on the system, OpenSSL returns an error while executing cryptographic functions. To prevent this situation, OpenSSL A.00.09.07m and above for HP-UX 11i v1 include the /opt/openssl/prngd/prngd random number generator. The HP-UX 11i v2 and HP-UX 11i v3 operating systems contain /dev/random by default; therefore, they do not require /opt/openssl/prngd/prngd.

      Random number generation using /dev/urandom or /dev/random is faster than using /opt/openssl/prngd/prngd. However, prngd is automatically used by the appropriate OpenSSL function when /dev/urandom or /dev/random is not installed on the system. HP-UX 11i v1 users can download /dev/random from the following location:

      http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

      The prngd server reads HP-UX commands from the prngd.conf file, computes random numbers based on certain parameters, and writes the computed random numbers to an HP-UX socket located in the /var/run/egd-pool directory. OpenSSL functions can connect to and read random numbers from this socket.

  • Automatically Generated Self-Signed Host Certificate

    An SSL-enabled server requires a host certificate that identifies the server. A certificate is a document that contains information such as the host ID, the name and ID of the Certificate Authority, and the expiry date of the certificate. Before you can deploy an SSL-enabled server for production, it must acquire a certificate signed by a legitimate Certificate Authority (for example, a digital certificate issued by Verisign). However, for testing purposes, the certificate can also be self-signed (by the application generating the certificate). Normally, self-signed certificates are used for testing and certification of SSL-enabled servers. Setting up a certificate hierarchy can initially consume a lot of time. Therefore, if a self-signed certificate is readily available, you can direct your SSL server to this certificate.

    OpenSSL automatically generates a self-signed host certificate and a private key. The host certificate is stored as /opt/openssl/certs/host.pem, and the private key of the host certificate as /opt/openssl/private/hostkey.pem. The subject name of the certificate is as follows:

    C=US, ST=CA, L=City, O=Company, CN=localhost/emailAddress=www@localhost

    You can also generate a self-signed host certificate using the following command:

    openssl req -new -x509 -out /opt/openssl/certs/host.pem -keyout /opt/openssl/private/hostkey.pem -nodes -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/emailAddress=www@localhost
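
The random-source search order listed above can be checked on a host before SSL services are started. The script below is an added example, not HP's code; the function name entropy_source and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not HP code): report which random source OpenSSL would
# find first, following the search order listed on this page.
# The optional argument is a hypothetical root prefix, so the check can be
# pointed at a mounted image or a test tree instead of the live system.

entropy_source() {
    root="${1:-}"
    for dev in /dev/urandom /dev/random; do
        path="$root$dev"
        # A device node can exist and still be unusable, so require a
        # readable character device that actually returns 16 bytes.
        if [ -c "$path" ] && [ -r "$path" ]; then
            n=$(dd if="$path" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
            if [ "$n" -eq 16 ]; then
                echo "$dev"
                return 0
            fi
        fi
    done
    # Fallback shipped for HP-UX 11i v1: the prngd daemon binary.
    if [ -x "$root/opt/openssl/prngd/prngd" ]; then
        echo "/opt/openssl/prngd/prngd"
        return 0
    fi
    # No source at all: cryptographic functions will return an error.
    echo "none"
    return 1
}

entropy_source "$@" || echo "no random source found for OpenSSL" >&2
```

A result of /opt/openssl/prngd/prngd means the host is on the slower fallback path described above.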
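
Because the generated host certificate is intended for testing, a deployment check can flag a server that still relies on it. The script below is an added example, not HP's code; audit_host_cert and cert_field are hypothetical helper names, and the two default paths are the ones given above.

```shell
#!/bin/sh
# Added example (not HP code): audit the host certificate and key that the
# page says are generated automatically. Helper names are hypothetical.
CERT=/opt/openssl/certs/host.pem        # path from this page
KEY=/opt/openssl/private/hostkey.pem    # path from this page

# Print the subject or issuer DN in RFC 2253 form, without the label.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null |
        sed "s/^$2= *//"
}

# Prints space-separated findings. Returns 0 if clean, 1 if any finding,
# 2 if the certificate cannot be parsed.
audit_host_cert() {
    cert="$1"; key="$2"; findings=""
    subject=$(cert_field "$cert" subject)
    issuer=$(cert_field "$cert" issuer)
    [ -n "$subject" ] || return 2
    # Subject equal to issuer: self-issued, no external CA vouches for it.
    if [ "$subject" = "$issuer" ]; then findings="$findings self-issued"; fi
    # The generated test certificate names the host "localhost".
    case ",$subject," in
        *,CN=localhost,*) findings="$findings cn-localhost" ;;
    esac
    if [ -f "$key" ]; then
        # Characters 5-10 of the mode string are the group and other bits.
        mode=$(ls -ldL "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            findings="$findings key-mode-too-open"
        fi
        # -nodes writes the key with no passphrase; encrypted PEM keys
        # carry the word ENCRYPTED in their header.
        if ! grep -q ENCRYPTED "$key"; then
            findings="$findings key-unencrypted"
        fi
    fi
    echo "${findings# }"
    [ -z "$findings" ]
}

# Audit the default location when it exists on this host.
if [ -f "$CERT" ]; then
    audit_host_cert "$CERT" "$KEY" || echo "host certificate needs review" >&2
fi
```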

OpenSSL Security Features

OpenSSL versions A.00.09.08l.001, A.00.09.08l.002, and A.00.09.08l.003 support the following security features:

  • Ciphers
  • Message Digest
  • Public Key Encryption
  • Certificates
  • Encoding
  • FIPS

Availability of OpenSSL on HP-UX operating systems

Table 1 lists the versions of OpenSSL available on HP-UX operating systems.

    Table 1: Availability of OpenSSL on HP-UX 11i Operating Systems

    Version of OpenSSL depot: A.00.09.08l.001
    Operating System: HP-UX 11i v1
    Contents Summary:
      0.9.7m
        • 32/64 bit archive/shared PA libraries
        • OpenSSL command
        • FIPS 32/64 bit archive PA libraries
        • FIPS OpenSSL command
      0.9.8l
        • 32/64 bit archive/shared PA libraries
        • OpenSSL command
        • FIPS 32/64 bit archive/shared PA libraries
        • FIPS OpenSSL command

    Version of OpenSSL depot: A.00.09.08l.002
    Operating System: HP-UX 11i v2
    Contents Summary:
      0.9.7m
        • 32/64 bit archive/shared IA/PA libraries
        • OpenSSL IA/PA command
        • FIPS 32/64 bit archive IA/PA libraries
        • FIPS OpenSSL IA/PA command
      0.9.8l
        • 32/64 bit archive/shared IA/PA libraries
        • OpenSSL IA/PA command
        • FIPS 32/64 bit archive/shared IA/PA libraries
        • FIPS OpenSSL IA/PA command

    Version of OpenSSL depot: A.00.09.08l.003
    Operating System: HP-UX 11i v3
    Contents Summary:
      0.9.7m
        • 32/64 bit archive/shared IA/PA libraries
        • OpenSSL IA/PA command
        • FIPS 32/64 bit archive IA/PA libraries
        • FIPS OpenSSL IA/PA command
      0.9.8l
        • 32/64 bit archive/shared IA/PA libraries
        • OpenSSL IA/PA command
        • FIPS 32/64 bit archive/shared IA/PA libraries
        • FIPS OpenSSL IA/PA command

Product Documentation

The product documentation available for OpenSSL includes the manpages and Release Notes. The OpenSSL A.00.09.08l.001, A.00.09.08l.002, and A.00.09.08l.003 Release Notes are available at: http://www.docs.hp.com/en/internet.html#OpenSSL

 
Additional product information
Product #: OPENSSL11I
Version: A.00.09.08l
Software specification: HP-UX 11i v1 - OpenSSL_A.00.09.08l.001
HP-UX 11i v2 - OpenSSL_A.00.09.08l.002
HP-UX 11i v3 - OpenSSL_A.00.09.08l.003
© 2010 Hewlett-Packard Development Company, L.P.