https://openssl.org/news/changelog.html
Copyright © 1998-2019 Mark G. Daniel
This program, comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or any later version.
http://www.gnu.org/licenses/gpl.txt
OpenSSL
Copyright © 1998-2019 The OpenSSL Project
Copyright © 1995-1998 Eric Young
OpenSSL License
This directory contains the basics of an OpenSSL v1.1.n environment for WASD; this documentation, object modules and libraries that allow the building of an SSL-enabled WASD server, along with an OPENSSL application executable (useful tool for site testing amongst many others). Those familiar with the WASD OpenSSL package for v1.0.n and earlier will notice the absence of the certificate management environment present in those environments. A lot has changed over the twenty years WASD was first SSL-enabled, especially the usefulness of home-spun certification environments and self-signed certificates. See Let's Encrypt. There are many online guides to certificate generation and management using OpenSSL. Here's a start ... https://www.feistyduck.com/books/openssl-cookbook/
WASD documentation on SSL/TLS features is 4 - Transport Layer Security (Secure Sockets Layer) from WASD VMS Web Services - Features and Facilities document (from local site).
OpenSSL.org documentation wiki at
https://wiki.openssl.org/
Let's Encrypt
Have (or want) a TLS/SSL secured site? Using self-signed or commercial server certificate(s)?
Let's Encrypt makes it possible to obtain and maintain browser-trusted certificates, simply, automatically and at no cost.
See WASD Certificate Management Environment (wCME) on the WASD download page at:
https://wasd.vsm.com.au/wasd/
Forward secrecy, sometimes known as perfect forward secrecy (PFS), is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
https://en.wikipedia.org/wiki/Forward_secrecy
OpenSSL supports forward secrecy using Diffie-Hellman key exchange with elliptic curve cryptography and this relies on generating emphemeral keys based on unique, safe prime numbers. These are expensive to generate and so this is done infrequently, often during software build or installation. In the case of WASD, to maximise flexibility, these numbers are stored in external PEM-format files, by default located in the WASD_ROOT:[LOCAL] directory. These files are only briefly accessed during server startup SSL initialisation and the content later used during network connection SSL negotiation to generate the required ephemeral keys. Each file contains one prime for a given key size, 512, 1024, etc., generated using the OpenSSL dhparam utility.
Executing the procedure
$ @CREATE_EPHEMERAL_DH_PARAMwill generate files containing 512, 1024 and 2048 bit primes (this can take considerable time), and optionally copy those files to the WASD_ROOT:[LOCAL] directory. This [.WASD] directory contains files that could be used by copying to WASD_ROOT:[LOCAL] but unique, locally generated primes are preferable.
NOTE: Ephemeral keys form part of PFS, the others being
selection and ordering of server ciphers, and ensuring the server determines
the cipher used (+OP_CIPHER_SERVER_PREFERENCE).
OPENSSL.EXE
The OPENSSL application is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. Refer to the OpenSSL Man page for descriptions of the various commands and their syntax.
https://www.openssl.org/docs/manmaster/man1/openssl.html
https://wiki.openssl.org/index.php/Command_Line_Utilities
A simple addition to SYLOGIN.COM or LOGIN.COM for WASD-specific OpenSSL kits to assign the OPENSSL verb is:
$ @WASD_ROOT:[EXAMPLE]WASDVERBS.COM SSL
The executable should be built along with the server SSL executable but should it need (re)building (requires UNZIP) simply set default to this directory and
$ @MAKEAPPS