02-Jun-2017

Updates
#1: WordPress / Akismet: Without trouble. Startup updates to reflect the change.
#2: HP’s OpenSSL package – this could be the cause of problems with WASD 11.1. Just checking whether this did the trick: I may need to redo the update procedure. 11.0 works with this new version, but 11.1 doesn’t when accessing one of the secured sites. Strange, however: in demo mode it DOES work, without rebuilding the server….
Current installation of OpenSSL:
$ sho sym openssl
OPENSSL == "$WASD_ROOT:[SRC.OPENSSL-1_0_2K.ALPHA.EXE.APPS]OPENSSL.EXE"
$ openssl version
OpenSSL 1.0.2k 26 Jan 2017

and after HP’s installation:
$ opensslHP :== $SSL$ROOT:[ALPHA_EXE]OPENSSL.EXE
$ opensslHP version
OpenSSL 0.9.8zh 3 Dec 2015
SSL for OpenVMS V1.4 Feb 5 2016.

This should be the right version: I checked HPE.com, the file version is 1.4-0503, installed today:
$ prod show hist
------------------------------------ ----------- ----------- --- -----------
PRODUCT                              KIT TYPE    OPERATION   VAL DATE
------------------------------------ ----------- ----------- --- -----------
HP AXPVMS SSL V1.4-503               Full LP     Install     Val 04-JUN-2017
HP AXPVMS SSL V1.4-502               Full LP     Remove      -   04-JUN-2017
HP AXPVMS SSL V1.4-502               Full LP     Install     Val 05-JAN-2016

But still, it won’t connect.
So I recreated the DH key files (512, 1024 and 2048 bit) and retried. Now it’s OK running the WASD version (using specifications I set up some time ago):

$ openssl s_client -connect www.grootersnet.nl:443
CONNECTED(00000003)

depth=0 C = NL, ST = UT, L = leusden, O = Grootersnet, OU = Webservices, CN = *.grootersnet.nl, emailAddress = system@grootersnet.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = UT, L = leusden, O = Grootersnet, OU = Webservices, CN = *.grootersnet.nl, emailAddress = system@grootersnet.nl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=UT/L=leusden/O=Grootersnet/OU=Webservices/CN=*.grootersnet.nl/emailAddress=system@grootersnet.nl
   i:/C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.8 Testing Only/CN=WASD VMS Hypertext Services/emailAddress=Mark.Daniel@wasd.vsm.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=NL/ST=UT/L=leusden/O=Grootersnet/OU=Webservices/CN=*.grootersnet.nl/emailAddress=system@grootersnet.nl
issuer=/C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.8 Testing Only/CN=WASD VMS Hypertext Services/emailAddress=Mark.Daniel@wasd.vsm.com.au
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2132 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5C66A91090EB2A8444AEB1AA30E8F7FA8EE674442E2EC4042E54E7FD05197FFB
    Session-ID-ctx:
    Master-Key: 1463D1FBAA5D6B2A7B052B15187FD0E01B784B8BFC5F1C7B678FCC1074B87C2C9E6CD49A30BAAD496CE23CCC3DA0937E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1496607150
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
openssl s_client -connect www.grootersnet.nl:443
/
<HTML>
<HEAD>
<TITLE>ERROR 501 Not Implemented</TITLE>
</HEAD>
<BODY LINK="#0000cc" VLINK="#0000cc">
<FONT SIZE=+1>
<B>ERROR 501</B>  -  The requested action is not implemented by this server.
</FONT>
<P>Additional information: 
<A HREF="/httpd/-/status1xx.html">1<I>xx</I></A>, 
<A HREF="/httpd/-/status2xx.html">2<I>xx</I></A>, 
<A HREF="/httpd/-/status3xx.html">3<I>xx</I></A>, 
<A HREF="/httpd/-/status4xx.html">4<I>xx</I></A>, 
<A HREF="/httpd/-/status5xx.html">5<I>xx</I></A>, 
<A HREF="/httpd/-/statushelp.html">Help</A>
<P><HR WIDTH=85% ALIGN=left SIZE=2 NOSHADE>
<ADDRESS>WASD/11.1.0 Server at www.grootersnet.nl Port 443</ADDRESS>
</BODY>
</HTML>
closed

but now the HP version fails:
$ opensslHP s_client -connect www.grootersnet.nl:443
CONNECTED(00000005)
539100522:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:S23_CLNT:579:
$
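The two captures above are worth reading side by side. The WASD-built 1.0.2k client negotiates TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384 but still ends with verify return code 21, because the server certificate is issued by the WASD demo CA ("OpenSSL 0.9.8 Testing Only"), which no client will trust. The HP 0.9.8zh client never gets past the ClientHello: the server answers with a handshake_failure alert, which is what you get when client and server share no protocol version or cipher suite (OpenSSL 0.9.8 cannot offer TLS 1.2 or AES-GCM suites at all). The script below is an added example, not code from this post, from WASD or from HP: it parses `openssl s_client` transcripts like the ones above and reports the things a reviewer checks (negotiated protocol and cipher, ephemeral key size, server key size, verify result, test/demo issuer, or the alert that ended the handshake). The two sample transcripts are constructed from the page's captures, trimmed; the 2048-bit thresholds, the weak-cipher token list and the "Testing Only"/"DEMOCA" issuer markers are this example's own assumptions. It also generalizes beyond the page by flagging a small DH group, which matters if the 512- or 1024-bit DH files mentioned above ever get used for a DHE suite.

```python
"""Parse `openssl s_client` output and flag what a TLS reviewer would flag.

Added example (not the post's, WASD's or HP's code). Samples are constructed
from the captures on this page; thresholds and markers are assumptions.
"""
import re

# Constructed sample, trimmed from the successful 1.0.2k capture on this page.
SAMPLE_OK = """CONNECTED(00000003)
depth=0 C = NL, ST = UT, L = leusden, O = Grootersnet, OU = Webservices, CN = *.grootersnet.nl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=UT/L=leusden/O=Grootersnet/OU=Webservices/CN=*.grootersnet.nl/emailAddress=system@grootersnet.nl
   i:/C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.8 Testing Only/CN=WASD VMS Hypertext Services/emailAddress=Mark.Daniel@wasd.vsm.com.au
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample, trimmed from the failing 0.9.8zh capture on this page.
SAMPLE_FAIL = """CONNECTED(00000005)
539100522:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:S23_CLNT:579:
"""

MIN_DH_BITS = 2048            # assumption: smaller ephemeral DH groups are flagged
MIN_RSA_BITS = 2048           # assumption: smaller server keys are flagged
WEAK_CIPHER_TOKENS = {"NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH"}
TEST_CA_MARKERS = ("Testing Only", "DEMOCA")   # assumption: marks a demo/test issuer

_RE = {
    "protocol":    re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher":      re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "temp_key":    re.compile(r"^Server Temp Key:\s*(\w+),\s*(?:([\w-]+),\s*)?(\d+) bits", re.M),
    "pubkey_bits": re.compile(r"^Server public key is (\d+) bit", re.M),
    "verify_code": re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)", re.M),
    "subject":     re.compile(r"^\s*0 s:(.*)$", re.M),
    "issuer":      re.compile(r"^\s*i:(.*)$", re.M),
    # e.g. error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:
    "alert":       re.compile(r"error:[0-9A-Fa-f]+:SSL routines:(\w+):(.*?):", re.M),
}


def parse_s_client(text):
    """Return the fields a reviewer cares about; absent fields are None."""
    info = {key: None for key in _RE}
    info["connected"] = "CONNECTED(" in text
    for key, rx in _RE.items():
        m = rx.search(text)
        if not m:
            continue
        if key == "temp_key":
            info[key] = {"kx": m.group(1), "curve": m.group(2), "bits": int(m.group(3))}
        elif key == "verify_code":
            info[key] = {"code": int(m.group(1)), "reason": m.group(2)}
        elif key == "alert":
            info[key] = {"state": m.group(1), "reason": m.group(2)}
        elif key == "pubkey_bits":
            info[key] = int(m.group(1))
        else:
            info[key] = m.group(1).strip()
    return info


def assess(info):
    """Turn parsed fields into findings; an empty list means nothing to flag."""
    if not info["connected"]:
        return ["no TCP connection"]
    if info["alert"]:
        # The server answered the ClientHello with an alert; no shared protocol
        # version or cipher suite is the usual cause, so nothing else to inspect.
        return ["handshake failed in %s: %s" % (info["alert"]["state"], info["alert"]["reason"])]
    findings = []
    if info["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("legacy protocol negotiated: %s" % info["protocol"])
    cipher = info["cipher"] or ""
    if cipher.startswith("EXP") or WEAK_CIPHER_TOKENS & set(cipher.split("-")):
        findings.append("weak cipher suite: %s" % cipher)
    tk = info["temp_key"]
    if tk and tk["kx"] == "DH" and tk["bits"] < MIN_DH_BITS:
        findings.append("weak ephemeral DH group: %d bits" % tk["bits"])
    if info["pubkey_bits"] and info["pubkey_bits"] < MIN_RSA_BITS:
        findings.append("small server key: %d bits" % info["pubkey_bits"])
    vc = info["verify_code"]
    if vc and vc["code"] != 0:
        findings.append("chain not verified: code %d (%s)" % (vc["code"], vc["reason"]))
    issuer = info["issuer"] or ""
    if any(marker in issuer for marker in TEST_CA_MARKERS):
        findings.append("issuer is a test/demo CA: %s" % issuer)
    return findings


if __name__ == "__main__":
    for name, sample in (("1.0.2k client", SAMPLE_OK), ("0.9.8zh client", SAMPLE_FAIL)):
        print(name)
        for finding in assess(parse_s_client(sample)):
            print("  -", finding)
```

Feed it a real transcript with `assess(parse_s_client(open("capture.txt").read()))`; on the captures above it reports the unverified chain and the demo-CA issuer for the 1.0.2k session, and only the handshake_failure alert for the 0.9.8zh one.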

But where I would expect to be able to access the secured sites, that still fails. If this has to do with the logical SSL$ROOT, it makes sense:
$ sho log ssl*

(LNM$PROCESS_TABLE)

(LNM$JOB_82670140)

(WASD_TABLE)

(LNM$GROUP_000001)

(LNM$SYSTEM_TABLE)

"SSL$CERT" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$CERTS" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$COM" = "SSL$ROOT:[COM]"
"SSL$CONF" = "SSL$ROOT:[DEMOCA.CONF]"
"SSL$CRL" = "SSL$ROOT:[DEMOCA.CRL]"
"SSL$EXAMPLES" = "SYS$COMMON:[SYSHLP.EXAMPLES.SSL]"
"SSL$EXE" = "SSL$ROOT:[Alpha_EXE]"
"SSL$INCLUDE" = "SSL$ROOT:[INCLUDE]"
"SSL$KEY" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$KEYS" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$PRIVATE" = "SSL$ROOT:[DEMOCA.PRIVATE]"
"SSL$ROOT" = "SYS$SYSDEVICE:[VMS$COMMON.SSL.]"

(LNM$SYSCLUSTER_TABLE)

(DECW$LOGICAL_NAMES)
$

Restart of the server makes no difference….Maybe I need to change a few things here.
