OpenSSL A.00.09.08w.001, A.00.09.08w.002, and A.00.09.08w.003 Release Notes (5900-2311, May 2012)

Creating and viewing RSA, DSA, and DH public keys
Encrypting or decrypting a file using a public key or private key, respectively
Creating X.509 certificates, certificate requests, and Certificate Revocation Lists (CRL)
Managing the Certificate Authority (CA)
Strong random number generator for HP-UX 11i V1
OpenSSL A.00.09.07m requires a strong random number generator to provide secure and
non-reproducible keys and certificates.
OpenSSL A.00.09.07m looks for the random number generator in the following order:
1. /dev/urandom
2. /dev/random
3. /opt/openssl/prngd/prngd
If none of these random number generators are available on the system, OpenSSL returns an error
while executing cryptographic functions. To prevent this situation, OpenSSL for HP-UX 11i V1
includes the /opt/openssl/prngd/prngd random number generator. The prngd server reads
HP-UX commands from the prngd.conf file, computes random numbers based on certain
parameters, and writes the computed random numbers to an HP-UX socket located in the
/var/run/egd-pool directory. OpenSSL functions can connect to and read random numbers from this
socket. The HP-UX 11i V2 and HP-UX 11i V3 operating systems contain /dev/random by default;
therefore, they do not require /opt/openssl/prngd/prngd. Random number generation using
/dev/urandom or /dev/random is faster than using /opt/openssl/prngd/prngd. HP-UX
11i V1 users can download /dev/random from the following location:
http://www.software.hp.com
Automatically generated self-signed host certificate
An SSL-enabled server must be identified by a host certificate. A certificate also identifies the
network host, the name and ID of the Certificate Authority (CA), and expiry date of the certificate.
Before you can deploy an SSL-enabled server for production, it must acquire a certificate signed
by a legitimate CA. However, for testing purposes the certificate can be self-signed, that is, signed
by the application generating the certificate. Setting up a certificate hierarchy can be
time-consuming. If a self-signed certificate is available, you can direct your SSL server to this
certificate during testing. OpenSSL automatically generates a self-signed host certificate and private
key. The host certificate is stored as /opt/openssl/certs/host.pem and the private key of
the host certificate is saved as /opt/openssl/private/hostkey.pem. The subject name of
the certificate is as follows:
C=US, ST=CA, L=City, O=Company,
CN=localhost/emailAddress=www@localhost
You can also generate a self-signed host certificate using the following command:
$ openssl req -new -x509 -out /opt/openssl/certs/host.pem \
    -keyout /opt/openssl/private/hostkey.pem -nodes \
    -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/emailAddress=www@localhost
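Because the self-signed certificate is meant for testing only, and -nodes writes the private key unencrypted, the following check flags a host that still uses it. This is an added example, not part of the HP release notes or the OpenSSL product; the function names are illustrative, and the paths are passed as arguments (for example, the host.pem and hostkey.pem paths given above).

```shell
#!/bin/sh
# Added example, not HP's code: flag a host still using the auto-generated
# test certificate. Function names are illustrative.

# Succeeds when issuer and subject names are identical (self-issued).
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ]
}

# Succeeds when the subject carries the default CN=localhost.
has_default_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        grep -Eq '[=, ]CN=localhost(,|$)'
}

# Succeeds when the key file grants nothing to group or others.
# The key is written with -nodes, so file permissions are its only protection.
key_is_private() {
    perms=$(ls -lL "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints one line per finding and returns the number of findings.
audit_host_cert() {
    cert=$1; key=$2; findings=0
    if is_self_issued "$cert"; then
        echo "WARN: $cert: issuer equals subject (self-signed, test use only)"
        findings=$((findings + 1))
    fi
    if has_default_subject "$cert"; then
        echo "WARN: $cert: subject still has the default CN=localhost"
        findings=$((findings + 1))
    fi
    if ! key_is_private "$key"; then
        echo "WARN: $key: accessible to group or others, or missing"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run the audit only when called with a certificate path and a key path.
if [ "$#" -ge 2 ]; then
    audit_host_cert "$1" "$2"
fi
```

The issuer/subject comparison is a name match only; it does not verify the signature.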
Defects fixed in OpenSSL version A.00.09.07m
There are several clean-up related changes, some stringent error checking, and general bug fixes
between OpenSSL Open Source versions 0.9.7l and 0.9.7m. For more information on the fixes,
see The OpenSSL Changelog.
Defects fixed in OpenSSL version A.00.09.08w
This version includes several changes and fixes. For more information on the fixes, see The OpenSSL
Changelog.