Updates
#1: WordPress / Akismet: Without trouble. Startup updates to reflect the change.
#2: HP’s OpenSSL package – this could be the cause of problems with WASD 11.1. Just checking whether this did the trick: I may need to redo the update procedure. 11.0 works with this new version, but 11.1 doesn’t when accessing one of the secured sites. Strange, however: in demo mode it DOES work, without rebuilding the server….
Current installation of OpenSSL:
$ sho sym openssl
OPENSSL == "$WASD_ROOT:[SRC.OPENSSL-1_0_2K.ALPHA.EXE.APPS]OPENSSL.EXE"
$ openssl version
OpenSSL 1.0.2k 26 Jan 2017
and after HP’s installation:
$ opensslHP :== $SSL$ROOT:[ALPHA_EXE]OPENSSL.EXE
OpenSSL 0.9.8zh 3 Dec 2015
SSL for OpenVMS V1.4 Feb 5 2016.
This should be the right version: I checked HPE.com, file version is 1.4-0503, installed today:
$ prod show hist
------------------------------------ ----------- ----------- --- -----------
PRODUCT                              KIT TYPE    OPERATION   VAL DATE
------------------------------------ ----------- ----------- --- -----------
HP AXPVMS SSL V1.4-503               Full LP     Install     Val 04-JUN-2017
HP AXPVMS SSL V1.4-502               Full LP     Remove      -   04-JUN-2017
HP AXPVMS SSL V1.4-502               Full LP     Install     Val 05-JAN-2016
But still, it won’t connect.
So I recreated the DH_keyfiles (512, 1024 and 2048 bit), and retried. Now it’s OK running the WASD version (using specifications I set up some time ago):
$ openssl s_client -connect www.grootersnet.nl:443
CONNECTED(00000003)
depth=0 C = NL, ST = UT, L = leusden, O = Grootersnet, OU = Webservices, CN = *.grootersnet.nl, emailAddress = system@grootersnet.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = UT, L = leusden, O = Grootersnet, OU = Webservices, CN = *.grootersnet.nl, emailAddress = system@grootersnet.nl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=NL/ST=UT/L=leusden/O=Grootersnet/OU=Webservices/CN=*.grootersnet.nl/emailAddress=system@grootersnet.nl
i:/C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.8 Testing Only/CN=WASD VMS Hypertext Services/emailAddress=Mark.Dani
el@wasd.vsm.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=NL/ST=UT/L=leusden/O=Grootersnet/OU=Webservices/CN=*.grootersnet.nl/emailAddress=system@grootersnet.nl
issuer=/C=AU/ST=SA/L=Adelaide/O=WASD HTTPd CA Cert/OU=OpenSSL 0.9.8 Testing Only/CN=WASD VMS Hypertext Services/emailAddress=Mark.Da
niel@wasd.vsm.com.au
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2132 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5C66A91090EB2A8444AEB1AA30E8F7FA8EE674442E2EC4042E54E7FD05197FFB
Session-ID-ctx:
Master-Key: 1463D1FBAA5D6B2A7B052B15187FD0E01B784B8BFC5F1C7B678FCC1074B87C2C9E6CD49A30BAAD496CE23CCC3DA0937E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1496607150
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
openssl s_client -connect www.grootersnet.nl:443
/
<HTML>
<HEAD>
<TITLE>ERROR 501 Not Implemented</TITLE>
</HEAD>
<BODY LINK="#0000cc" VLINK="#0000cc">
<FONT SIZE=+1>
<B>ERROR 501</B> - The requested action is not implemented by this server.
</FONT>
<P>Additional information:
<A HREF="/httpd/-/status1xx.html">1<I>xx</I></A>,
<A HREF="/httpd/-/status2xx.html">2<I>xx</I></A>,
<A HREF="/httpd/-/status3xx.html">3<I>xx</I></A>,
<A HREF="/httpd/-/status4xx.html">4<I>xx</I></A>,
<A HREF="/httpd/-/status5xx.html">5<I>xx</I></A>,
<A HREF="/httpd/-/statushelp.html">Help</A>
<P><HR WIDTH=85% ALIGN=left SIZE=2 NOSHADE>
<ADDRESS>WASD/11.1.0 Server at www.grootersnet.nl Port 443</ADDRESS>
</BODY>
</HTML>closed
but now the HP version fails:
$ opensslHP s_client -connect www.grootersnet.nl:443
CONNECTED(00000005)
539100522:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:S23_CLNT:579:
$
But where I would expect that I could access the secured sites, that still fails. If this has to do with logical SSL$ROOT, it makes sense:
$ sho log ssl*
(LNM$PROCESS_TABLE)
(LNM$JOB_82670140)
(WASD_TABLE)
(LNM$GROUP_000001)
(LNM$SYSTEM_TABLE)
"SSL$CERT" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$CERTS" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$COM" = "SSL$ROOT:[COM]"
"SSL$CONF" = "SSL$ROOT:[DEMOCA.CONF]"
"SSL$CRL" = "SSL$ROOT:[DEMOCA.CRL]"
"SSL$EXAMPLES" = "SYS$COMMON:[SYSHLP.EXAMPLES.SSL]"
"SSL$EXE" = "SSL$ROOT:[Alpha_EXE]"
"SSL$INCLUDE" = "SSL$ROOT:[INCLUDE]"
"SSL$KEY" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$KEYS" = "SSL$ROOT:[DEMOCA.CERTS]"
"SSL$PRIVATE" = "SSL$ROOT:[DEMOCA.PRIVATE]"
"SSL$ROOT" = "SYS$SYSDEVICE:[VMS$COMMON.SSL.]"
(LNM$SYSCLUSTER_TABLE)
(DECW$LOGICAL_NAMES)
$
Restart of the server makes no difference…. Maybe I need to change a few things here.
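
An added example (not part of the original post): a small Python triage helper for the two s_client runs above. It pulls the session fields from a transcript and unpacks the hex error code using the packing scheme of OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason), where a reason of 1000 or more means a TLS alert received from the peer. The sample transcripts are constructed from lines shown on this page; the function names are illustrative.

```python
import re

# Constructed sample input: lines copied from the two s_client runs on this page.
OK_RUN = """CONNECTED(00000003)
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
"""
FAILED_RUN = """CONNECTED(00000005)
539100522:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:S23_CLNT:579:
"""

# pid:error:<hex code>:<library>:<function>:<reason text>:<source file>:<line>:
ERR_LINE = re.compile(
    r"^\d+:error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:([^:]*):([^:]*):(\d+):", re.M)
SSL_AD_REASON_OFFSET = 1000  # reasons >= 1000 are alerts sent by the peer


def decode_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def summarize(transcript):
    """Return handshake facts from s_client output."""
    def field(name):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), transcript, re.M)
        return m.group(1) if m else None

    errors = []
    for code_hex, text, src, line in ERR_LINE.findall(transcript):
        lib, func, reason = decode_error(code_hex)
        from_peer = reason >= SSL_AD_REASON_OFFSET
        errors.append({"lib": lib, "func": func, "reason": reason, "text": text,
                       "peer_alert": reason - SSL_AD_REASON_OFFSET if from_peer else None,
                       "where": "%s:%s" % (src, line)})
    verify = field("Verify return code")
    return {"tcp_connected": "CONNECTED(" in transcript,
            "protocol": field("Protocol"),
            "cipher": field("Cipher"),
            "verify_code": int(verify.split()[0]) if verify else None,
            "errors": errors}


if __name__ == "__main__":
    for name, run in (("WASD openssl", OK_RUN), ("HP openssl", FAILED_RUN)):
        print(name, summarize(run))
```

For the failing run this yields library 20 (SSL), reason 1040, that is alert 40 (handshake_failure) sent by the server after the TCP connection was made, so the rejection happened on the server side of the handshake rather than inside the client.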