More About WASD OpenSSL

OpenSSL v1.1.1c, 28th May 2019

https://openssl.org/news/changelog.html

Copyright © 1998-2019 Mark G. Daniel
This program, comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or any later version.
http://www.gnu.org/licenses/gpl.txt

OpenSSL
Copyright © 1998-2019 The OpenSSL Project
Copyright © 1995-1998 Eric Young
OpenSSL License

Contents


This directory contains the basics of an OpenSSL v1.1.n environment for WASD; this documentation, object modules and libraries that allow the building of an SSL-enabled WASD server, along with an OPENSSL application executable (useful tool for site testing amongst many others). Those familiar with the WASD OpenSSL package for v1.0.n and earlier will notice the absence of the certificate management environment present in those environments. A lot has changed over the twenty years WASD was first SSL-enabled, especially the usefulness of home-spun certification environments and self-signed certificates. See Let's Encrypt. There are many online guides to certificate generation and management using OpenSSL.  Here's a start ... https://www.feistyduck.com/books/openssl-cookbook/

WASD documentation on SSL/TLS features is  4 - Transport Layer Security (Secure Sockets Layer)  from  WASD VMS Web Services - Features and Facilities  document (from local site).

OpenSSL.org documentation wiki at  https://wiki.openssl.org/

Let's Encrypt

Have (or want) a TLS/SSL secured site?  Using self-signed or commercial server certificate(s)?

Let's Encrypt makes it possible to obtain and maintain browser-trusted certificates, simply, automatically and at no cost.

See WASD Certificate Management Environment (wCME) on the WASD download page at:

https://wasd.vsm.com.au/wasd/

Ephemeral DH Param

Forward secrecy, sometimes known as perfect forward secrecy (PFS), is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.

https://en.wikipedia.org/wiki/Forward_secrecy

OpenSSL supports forward secrecy using Diffie-Hellman key exchange with elliptic curve cryptography and this relies on generating emphemeral keys based on unique, safe prime numbers. These are expensive to generate and so this is done infrequently, often during software build or installation. In the case of WASD, to maximise flexibility, these numbers are stored in external PEM-format files, by default located in the WASD_ROOT:[LOCAL] directory. These files are only briefly accessed during server startup SSL initialisation and the content later used during network connection SSL negotiation to generate the required ephemeral keys. Each file contains one prime for a given key size, 512, 1024, etc., generated using the OpenSSL dhparam utility.

Executing the procedure

$ @CREATE_EPHEMERAL_DH_PARAM
will generate files containing 512, 1024 and 2048 bit primes (this can take considerable time), and optionally copy those files to the WASD_ROOT:[LOCAL] directory. This [.WASD] directory contains files that could be used by copying to WASD_ROOT:[LOCAL] but unique, locally generated primes are preferable.

NOTE: Ephemeral keys form part of PFS, the others being selection and ordering of server ciphers, and ensuring the server determines the cipher used (+OP_CIPHER_SERVER_PREFERENCE).

OPENSSL.EXE

The OPENSSL application is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. Refer to the OpenSSL Man page for descriptions of the various commands and their syntax.

https://www.openssl.org/docs/manmaster/man1/openssl.html
https://wiki.openssl.org/index.php/Command_Line_Utilities

A simple addition to SYLOGIN.COM or LOGIN.COM for WASD-specific OpenSSL kits to assign the OPENSSL verb is:

$ @WASD_ROOT:[EXAMPLE]WASDVERBS.COM SSL

The executable should be built along with the server SSL executable but should it need (re)building (requires UNZIP) simply set default to this directory and

$ @MAKEAPPS