HP SSL for OpenVMS Version 1.1-B Installation Guide and Release Notes May 2004 This guide contains hardware and software prerequisites, installation instructions, postinstallation tasks, instructions for building your application, the SSL directory structure, and release notes for HP SSL Version 1.1-B for OpenVMS. For more information about HP SSL, see the HP Open Source Security for OpenVMS, Volume 2: HP SSL for OpenVMS, available from the OpenVMS documentation website at http://h71000.www7.hp.com/doc/os732_index.html For the latest release notes and SSL kits, see the HP SSL website at http://h71000.www7.hp.com/openvms/products/ssl/ Installation Requirements and Prerequisites ------------------------------------------- The following sections list hardware and disk space requirements, and software prerequisites. Hardware Prerequisites ------------------------------------------- HP SSL is available on both the Alpha and VAX platforms. Disk Space Requirements ------------------------------------------- The HP SSL for OpenVMS kit requires approximately 45,000 blocks of working disk space to install. Once installed, the software occupies approximately 40,000 blocks of disk space. Software Prerequisites ------------------------------------------- HP SSL for OpenVMS requires the following software: OpenVMS Alpha Version 7.2-2 or higher or OpenVMS VAX Version 7.3 or higher HP TCP/IP Services for OpenVMS Version 5.4 or higher (for Alpha) HP TCP/IP Services for OpenVMS Version 5.3 or higher (for VAX) HP SSL for OpenVMS has been tested and verified using HP TCP/IP Services for OpenVMS. There are no known problems running HP SSL for OpenVMS with other TCP/IP network products. This includes the following TCP/IP network products from Process Software Corporation, but HP has not formally tested and verified these other products: TCPware Version 5.5 MultiNet Version 4.3 Account Quotas and System Parameters ------------------------------------------- There are no specific requirements for account quotas and system parameters for installing or using HP SSL for OpenVMS. New Features in HP SSL V1.1-B for OpenVMS ------------------------------------------- HP SSL Version 1.1-B for OpenVMS, based on OpenSSL 0.9.6g, is included in OpenVMS Version 7.3-2. o A port of the OpenSSL 0.9.6g baselevel, which includes fixes to security vulnerabilities reported on March 17, 2004, September 30, 2003, March 17 and 19, 2003, and February 19, 2003 at http://www.openssl.org/news/ o Certificate Revocation List (CRL) support in the Certificate Tool o A DES encryption image that allows you to enable uuencoding and uudecoding o Three new CRYPTO APIs -- BN_pseudo_rand_range, ERR_load_COMP_strings, and X509_STORE_CTX_set_verify_cb o Two new SSL APIs -- SSL_get_rfd and SSL_get_wfd o One OpenSSL API has been removed -- OpenSSLDie OpenSSL Documentation from The Open Group ------------------------------------------- Documentation about the OpenSSL project and The Open Group is available at the following URL: http://www.openssl.org The OpenSSL documentation was written for UNIX users. When reading UNIX-style OpenSSL documentation, note the following differences between UNIX and OpenVMS: " File specification format The OpenSSL documentation shows example file specifications in UNIX format. For example, the UNIX file specification /dka100/foo/bar/file.dat is equivalent to DKA100:[FOO.BAR]FILE.DAT on OpenVMS. " Directory format Directories (pathnames) that begin with a period (.) on UNIX begin with an underscore (_) on OpenVMS. In addition, on UNIX, the tilde (~) is an abbreviation for SYS$LOGIN. For example, the UNIX pathname ~/.openssl/profile/prefs.js is equivalent to the OpenVMS directory [._OPENSSL.PROFILE]PREFS.JS. Installing HP SSL for OpenVMS ------------------------------------------- HP SSL for OpenVMS is shipped with OpenVMS Version 7.3-2 on the layered products CD-ROM. You must install HP SSL before you can use it. Use the following procedure to install HP SSL for OpenVMS. To install the SSL for OpenVMS kit, enter the following command: $ PRODUCT INSTALL SSL/SOURCE=ddcu:[dir] By default, SSL for OpenVMS is installed into SYS$SYSDEVICE:[ VMS$COMMON]. You can specify a different installation location by using the PRODUCT INSTALL command line qualifier /DESTINATION. For a description of the features you can request with the PRODUCT INSTALL command when starting an installation, such as running the IVP, purging files, and configuring the installation, refer to the POLYCENTER Software Installation Utility User Guide. As the installation procedure progresses, the system displays information similar to the following: $ PRODUCT INSTALL SSL/SOURCE=DKA300:[KITS] The following product has been selected: CPQ AXPVMS SSL V1.1-B Layered Product Do you want to continue? [YES] Configuration phase starting ... You will be asked to choose options, if any, for each selected product and for any products that may be installed to satisfy software dependency requirements. CPQ AXPVMS SSL V1.1-B: SSL for OpenVMS V1.1-B (Based on OpenSSL 0.9.6G). (c) Copyright 2003 Hewlett-Packard Development Company, L.P. Do you want the defaults for all options? [YES] Do you want to review the options? [NO] Execution phase starting ... The following product will be installed to destination: CPQ AXPVMS SSL V1.1-B DISK$DWLLNG_A_V73:[VMS$COMMON.] The following product will be removed from destination: CPQ AXPVMS SSL V1.1-A DISK$DWLLNG_A_V73:[VMS$COMMON.] Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% The following product has been installed: CPQ AXPVMS SSL V1.1-B Layered Product The following product has been removed: CPQ AXPVMS SSL V1.1-B Layered Product %PCSI-I-IVPEXECUTE, executing test procedure for CPQ AXPVMS SSL V1.1-B ... %PCSI-I-IVPSUCCESS, test procedure completed successfully CPQ AXPVMS SSL V1.1-B: SSL for OpenVMS V1.1-B (Based on OpenSSL 0.9.6G). Insert the following lines in SYS$MANAGER:SYSTARTUP_VMS.COM: @sys$startup:ssl$startup.com Insert the following lines in SYS$MANAGER:SYSHUTDWN.COM: @sys$startup:ssl$shutdown.com There are post installation activities that need to be performed. This includes things like defining logical names and running SSL$UTILS.COM to define some foreign symbols, and running the IVP if it was not done as part of the installation. Refer to the Release Notes for more information about activities that should be performed once the installation has finished. SSL has created the following directory structure in PCSI$DESTINATION, which defaults to SYS$SYSDEVICE:[VMS$COMMON]: [SSL] - Top-level SSL directory [SSL.ALPHA_EXE] - Contains the images for the Alpha platform. [SSL.COM] - Directory to hold the various command procedures. [SSL.DEMOCA] - Directory structure to demo SSL's CA features [SSL.DEMOCA.CERTS] - Directory to hold the certificates and keys [SSL.DEMOCA.CONF] - Contains the configuration files. [SSL.DEMOCA.CRL] - Contains revoked certificates and CRLs [SSL.DEMOCA.PRIVATE] - Directory for private keys and random data. [SSL.DOC] - OpenSSL Group provided documentation & information. [SSL.INCLUDE] - Contains the C Header (.H) files. [SSL.TEST] - Contains the files used during the IVP. Refer to SYS$HELP:SSL011.RELEASE_NOTES for more information. @SYS$STARTUP:SSL$STARTUP.COM should be run at system startup. $ Stopping and Restarting the Installation ------------------------------------------- Use the following procedure to stop and restart the installation: 1. To stop the procedure at any time, press Ctrl/Y. 2. Enter the DCL command PRODUCT REMOVE to reverse any changes to the system that occurred during the partial installation. This deletes all files created up to that point and causes the installation procedure to exit. 3. To restart the installation, go back to the beginning of the installation procedure. Postinstallation Tasks ------------------------------------------- After the installation is complete, perform the following steps: 1. If you are upgrading from a previous version of HP SSL to V1.1-B, compare the following template files with your existing .COM files, and take the appropriate action as follows: - Compare SSL$STARTUP.TEMPLATE to your existing SSL$STARTUP.COM file, and rename the template file to SSL$STARTUP.COM if you want to accept the changes. The new template file includes INSTALL commands to install the SSL shareable images. - Compare SSL$SHUTDOWN.TEMPLATE to your existing SSL$SHUTDOWN.COM file, and rename the template file to SSL$SHUTDOWN.COM if you want to accept the changes. The new template file includes INSTALL commands to remove the installed SSL shareable images - Compare SSL$EXAMPLES_SETUP.TEMPLATE to your existing SSL$EXAMPLES_SETUP.COM file, and rename the template file to SSL$EXAMPLES_SETUP.COM if you want to accept the changes. The new template file executes SSL$UTILS to define SSL DCL commands, and fixes some minor quote issues. 2. Add the following line to the system startup file, SYS$STARTUP:SYSTARTUP_VMS.COM, to set up the SSL symbols and logical names: $ @SYS$STARTUP:SSL$STARTUP 3. At the DCL command prompt, execute the command that you entered into the system startup file so that you can use SSL immediately: $ @SYS$STARTUP:SSL$STARTUP 4. Define the foreign commands that use the OpenSSL utility OPENSSL.EXE, such as openssl, ca, enc, req, and X509, by entering the following command: $ @SSL$COM:SSL$UTILS 5. Optionally, start the Certificate Tool by entering the following command: $ @SSL$COM:SSL$CERT_TOOL This menu-driven tool allows you to create and view certificates and certificate requests and to sign certifcate requests. For information about the Certificate Tool, see Chapter 3 of HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS. SSL Directory Structure ------------------------------------------- After the installation is complete, the SSL directory structure is as follows: [SSL] - Top-level directory created by default in SYS$SYSDEVICE:[VMS$COMMON]. [SSL.ALPHA_EXE] - Contains images for the Alpha platform. [SSL.COM] - Contains command procedures. [SSL.DEMOCA] - Contains demos for SSL CA features [SSL.DEMOCA.CERTS] - Contains certificates and keys. [SSL.DEMOCA.CONF] - Contains configuration files. [SSL.DEMOCA.CRL] - Contains revoked certificates and CRLs. [SSL.DEMOCA.PRIVATE] - Contains private keys and random data. [SSL.DOC] - OpenSSL Group provided documentation & information. [SSL.INCLUDE] - Contains C header (.H) files. [SSL.TEST] - Contains files used during the Installation Verification Procedure (IVP). In addition, SSL example programs are located in SYS$COMMON:[SYSHLP.EXAMPLES.SSL]. These example programs are also shown and discussed in Chapter 6 of HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS. Building an SSL Application ------------------------------------------- HP SSL for OpenVMS provides shareable images that contain 64-bit APIs and shareable images that contain 32-bit APIs. You can choose which APIs to use when you compile your application. The file names for these shareable images are as follows: SYS$SHARE:SSL$LIBSSL_SHR.EXE - 64-bit SSL APIs SYS$SHARE:SSL$LIBCRYPTO_SHR.EXE - 64-bit Crypto APIs SYS$SHARE:SSL$LIBSSL_SHR32.EXE - 32-bit SSL APIs SYS$SHARE:SSL$LIBCRYPTO_SHR32.EXE - 32-bit Crypto APIs When you compile your application using HP C, use the /POINTER_SIZE=64 qualifier to take advantage of the 64-bit APIs. The default value for the /POINTER_SIZE qualifier is 32. Linking your application is the same for both 64-bit or 32-bit APIs. The options file used contains either the 64-bit or 32-bit references to the appropriate shareable image. Building an Application Using 64-Bit APIs ------------------------------------------- To build (compile and link) a sample program using the 64-bit APIs, enter the following commands: $ CC/POINTER_SIZE=64/PREFIX=ALL SAMPLE.C $ LINK/MAP SAMPLE,LINKER_OPT/OPTIONS In these commands, LINKER_OPT.OPT is a simple text file that contains the following lines: SYS$SHARE:SSL$LIBSSL_SHR/SHARE SYS$SHARE:SSL$LIBCRYPTO_SHR/SHARE Building an Application Using 32-Bit APIs ------------------------------------------- To build (compile and link) a sample program using the 32-bit APIs, enter the following commands: $ CC/PREFIX=ALL SAMPLE.C $ LINK/MAP SAMPLE,LINKER_OPT/OPTIONS In these commands, LINKER_OPT.OPT is a simple text file that contains the following lines: SYS$SHARE:SSL$LIBSSL_SHR32/SHARE SYS$SHARE:SSL$LIBCRYPTO_SHR32/SHARE Release Notes ------------------------------------------- This section contains notes about Version 1.1-B of HP SSL for OpenVMS. Legal Caution ------------------------------------------- SSL data transport requires encryption. Many governments, including the United States, have restrictions on the import and export of cryptographic algorithms. Please ensure that your use of SSL is in compliance with all national and international laws that apply to you. Shareable Images Containing 64-Bit and 32-Bit APIs Provided ------------------------------------------- HP SSL for OpenVMS provides shareable images that contain 64-bit APIs and shareable images that contain 32-bit APIs. You can choose which APIs to use when you compile your application. Linking with HP SSL Shareable Images ------------------------------------------- If you have written an application that links against the OpenSSL object libraries, you must make a minor change to your code because HP SSL provides only shareable images. To link your application against the shareable images, use code similar to the following: $ LINK my_app.obj, VMS_SSL_OPTIONS/OPT where VMS_SSL_OPTIONS.OPT is a text file that contains the following lines: SYS$SHARE:SSL$LIBCRYPTO_SHR.EXE/SHARE SYS$SHARE:SSL$LIBSSL_SHR.EXE/SHARE Preserve Certificates, Keys, and Configuration Files When Upgrading from Field Test Kit ------------------------------------------- If you are upgrading from the field test kit (T1.0) to the HP SSL Version 1.1-B kit, you must save the certificates, keys, and configuration files in the SSL subdirectory. HP recommends that you back up these items to either a different disk and directory or to tape. When you have completed the Version 1.1-B installation, move the saved items back into the SSL directory structure. Then delete the backed up certificates, keys, and configuration files. Command Procedures and Configuration Files Provided as .TEMPLATE ------------------------------------------- The SYS$STARTUP:SSL$STARTUP.COM and SYS$STARTUP:SSL$SHUTDOWN.COM command procedures are named SYS$STARTUP:SSL$STARTUP.TEMPLATE and SYS$STARTUP:SSL$SHUTDOWN.TEMPLATE. This prevents PCSI from overwriting existing .COM files, and allows you to preserve any modifications you made to SSL$STARTUP.COM and SSL$SHUTDOWN.COM after you installed a previous kit. After you install the Version 1.1-B kit, compare the new .TEMPLATE files with your existing SSL$STARTUP.COM and SSL$SHUTDOWN.COM files and add any new information as required. If you have not modified your existing .COM files, rename the template files to SSL$STARTUP.COM or SSL$SHUTDOWN.COM. If you do not have a previous version of HP SSL installed, both the .TEMPLATE and .COM files are provided. No action is required on your part. Configuration files are provided in the same fashion - both .CNF and .CNF_TEMPLATE files are included in HP SSL. SSL APIs Not Backward Compatible ------------------------------------------- HP SSL for OpenVMS is based on open-source code provided by The Open Group. The OpenVMS code is based on the 0.9.6G baselevel of OpenSSL. Until The Open Group releases its Version 1.0 baselevel, The Open Group is not guaranteeing backward compatibility. This means that any OpenSSL API, data structure, header file, command, and the like might be changed in a future version of OpenSSL. As a result, HP cannot guarantee the backward compatibility of HP SSL for OpenVMS until the release of HP SSL for OpenVMS that is based on OpenSSL 1.0. The shareable images use EQUAL 1,0 which means that applications will have to relink when new shareable images are distributed. Certificate Tool Cannot Have Simultaneous Users ------------------------------------------- Only one user/process should use the Certificate Tool at a time. The tool does not have a locking mechanism to prevent unsynchronized accesses of the database and serial file. Protect Certificates and Keys ------------------------------------------- When you create certificates and keys with the Certificate Tool, take care to ensure that the keys are properly protected to allow only the owner of the keys to use them. A private key should be treated like a password. You can use OpenVMS file protections to protect the key file, or you can use ACLs to protect individual key files within a common directory. Directory Structure Changed ------------------------------------------- HP SSL V1.0 and higher for OpenVMS has a different directory structure than the HP SSL field test kit (T1.0). The new directory structure is more consistent with the structure of the OpenSSL kit from openssl.org. See Section 1.5 for the new directory structure. If you previously installed the T1.0 kit, be sure to copy any certificates, keys, and configuration files from the old directory structure to the new directory structure. SSL$EXAMPLES Logical Name ------------------------------------------- In SSL V1.1 and higher, a new logical, SSL$EXAMPLES, was added to the SSL$STARTUP.TEMPLATE command procedure. This logical points to the directory SYS$COMMON:[SYSHLP.EXAMPLES.SSL]. DES_CBC_CKSUM Return Value Changed to Match Kerberos ------------------------------------------- The return value of the DES_CBC_CKSUM API has changed to match its intended compatibility with MIT Kerberos. The DES_CBC_CKSUM routine returns the upper longword of a quadword. The quadword itself was calculated correctly, and has not been changed. Prior to the change (in Compaq SSL V1.0-B and earlier), the API returned the value in the wrong order. For example: Return value from des_cbc_cksum = 0xaedc29b6 In SSL Version 1.1 and higher, the return value is as follows: Return value from des_cbc_cksum = 0xb629dcae This change has been accepted by the OpenSSL.org, and will be available in the 0.9.7A release of OpenSSL. DES Image Included in SSL Version 1.1 and higher ------------------------------------------- In SSL Version 1.1 and higher, an additional image is being made available, called DES.EXE, which is located in the SSL$EXE directory. Create a foreign symbol to access this new image, as follows: $ DES :== $SSL$EXE:DES.EXE The new DES image provides some functionality that is not present in the DES subcommand in the OPENSSL command line utility, most notably the ability to enable uuencoding and uudecoding. Following is the help text for the DES command and the DES subcommand in the OPENSSL command line utility, which illustrates the differences between the commands. $ DES -? '?' unknown flag des [input-file [output-file]] options: -v : des(1) version number -e : encrypt using SunOS compatible user key to DES key conversion. -E : encrypt -d : decrypt using SunOS compatible user key to DES key conversion. -D : decrypt -c[ckname] : generate a cbc_cksum using SunOS compatible user key to DES key conversion and output to ckname (stdout default, stderr if data being output on stdout). The checksum is generated before encryption and after decryption if used in conjunction with -[eEdD]. -C[ckname] : generate a cbc_cksum as for -c but compatible with -[ED]. -k key : use key 'key' -h : the key that is entered will be a hexadecimal number that is used directly as the des key -u[uuname] : input file is uudecoded if -[dD] or output uuencoded data if -[eE] (uuname is the filename to put in the uuencode header). -b : encrypt using DES in ecb encryption mode, the default is cbc mode. -3 : encrypt using triple DES encryption. This uses 2 keys generated from the input key. If the input key is less than 8 characters long, this is equivalent to normal encryption. Default is triple cbc, -b makes it triple ecb. $ OPENSSL DES -? unknown option '-?' options are -in input file -out output file -pass pass phrase source -e encrypt -d decrypt -a/-base64 base64 encode/decode, depending on encryption flag -k key is the next argument -kfile key is the first line of the file argument -K/-iv key/iv in hex is the next argument -[pP] print the iv/key (then exit if -P) -bufsize buffer size -engine e use engine e, possibly a hardware device. Cipher Types des : 56 bit key DES encryption des_ede : 112 bit key ede DES encryption des_ede3: 168 bit key ede DES encryption rc2 : 128 bit key RC2 encryption bf : 128 bit key Blowfish encryption -rc4 : 128 bit key RC4 encryption -des-ecb -des-cbc -des-cfb -des-ofb -des (des-cbc) -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -desx -none -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-ofb -des3 (des-ede3-cbc) Environment Variables ------------------------------------------- OpenSSL environmental variables have two formats, as follows: $var ${var} In order for these variables to be parsed properly and not be confused with logical names, HP SSL only accepts the ${var} format. IDEA and RC5 Symmetric Cipher Algorithms Not Supported ------------------------------------------- The IDEA and RC5 symmetric cipher algorithms are not available in HP SSL for OpenVMS. Both of these algorithms are under copyright protection, and HP does not have the right to use these algorithms. If you want to use either of these algorithms, HP recommends that you contact RSA Security at the following URL for the licensing conditions of the RC5 algorithm: http://www.rsasecurity.com If you want to use the IDEA algorithm, contact Ascom for their license requirements at the following URL: http://www.ascom.ch Once you have obtained the proper licenses, download the source code from the following URL: http://www.openssl.org Build the product using the command procedure named MAKEVMS.COM provided in the download. APIs RAND_egd, RAND_egd_bytes, and RAND_query_egd_bytes Not Supported The RAND_egd( ), RAND_egd_bytes( ), and RAND_query_egd_bytes( ) APIs are not currently available on OpenVMS. To obtain a secure random seed on OpenVMS, use the RAND_poll( ) API. Documentation from the OpenSSL Website ------------------------------------------- The documentation on the OpenSSL website is currently under development. It is likely that the API and command- line documentation shipped with this kit will differ from the documentation on the OpenSSL website at some point. If such a situation arises, you should consider the API documentation on the OpenSSL website to have precedence over the documentation included in this kit. Use Certificate Tool for Certificate and Key Creation ------------------------------------------- HP recommends the use of the Certificate Tool (SSL$COM:SSL$CERT_TOOL.COM) when creating certificates and keys to test your SSL application. The Certificate Tool provides both ease of use and consistency when creating your certificates and keys to test and demonstrate your SSL client and server application. nsCertType No Longer Written in Certificates ------------------------------------------- In the SSL T1.0 field test kit, the Certificate Tool incorrectly set the nsCertType field with both server and client values. The field should have been set with one value, either server or client, but not both. In Version 1.1 and higher, this field is not set in the Certificate Tool. Your application is still able to pass certificates as either server or client certificates, but object signing cannot be completed with a null nsCertType field. If object signing is required in your application, see the following paragraphs about setting values in the nsCertType field. HP recommends that you delete the nsCertType field from the existing SSL$CONF:SSL$CA.CNF file by editing the file and deleting the line that begins with the following: nsCertType = If you have an application that requires the nsCertType field, edit the file SSL$CONF:SSL$CA.CNF and enter the value that your application requires. If your application needs a certificate with the client nsCertType field value, enter the following: nsCertType = client Valid values for the nsCertType field are server, client, email, objsign, sslCA, emailCA, and objCA. Extra Certificate Files -- *.PEM ------------------------------------------- When you sign a certificate request using either the Certificate Tool or the OpenSSL utility, you may notice that an extra certificate is produced with a name similar to SSL$CRT01.PEM or 01.PEM. This certificate is the same as the certificate that you produced with the name you chose. These extra files are the result of the OpenSSL demonstration Certificate Authority (CA) capability, and are used as a CA accounting function. These extra files are kept by the CA and can be used to generate Certificate Revocation Lists (CRLs) if the certificate becomes compromised. INDEX.TXT and SERIAL.TXT Location ------------------------------------------- In the COMPAQ SSL T1.0 field test kit, INDEX.TXT and SERIAL.TXT were located in SSL$ROOT:[DEMOCA.PRIVATE]. In HP SSL Version 1.0 and higher, these files are located in SSL$ROOT:[DEMOCA]. The location of INDEX.TXT and SERIAL.TXT is controlled by the OPENSSL-VMS.CNF file, and consumed by the OpenSSL utility and the Certificate Tool as part of the OpenSSL demonstration Certificate Authority database. Known Problem: BIND Error in TCP/IP Application ------------------------------------------- If you are running a TCP/IP-based SSL client/server application, the server occasionally fails to start up, and displays the following error message: bind: address already in use To avoid this error, use setsockopt( ) with SO_REUSEADDR as follows: int on = 1; ret = setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, (void *) &on, sizeof(on)); Known Problem: SSL$EXAMPLES_SETUP.TEMPLATE File Missing Trailing Space ------------------------------------------- In Version 1.1-A and higher, the template command procedure SSL$EXAMPLES_SETUP.TEMPLATE includes several changes, including commands to execute the necessary command procedures that define logicals and symbols, the removal of extraneous quotes, the addition of necessary quotes, and fixes to commands that spanned move than one line. However, there is one known problem in the SSL$EXAMPLES_SETUP.TEMPLATE file. To correct the problem, add a space to the end of the following line, inside the quotes. (If you do not add a space, the qualifiers are concatenated and OpenSSL will not recognize the qualifier.) Change the following line in SYS$STARTUP:SSL$EXAMPLES_SETUP.TEMPLATE: $! $ write s_com "$ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf" - To the following line: $! $ write s_com "$ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf " - Known Problem: HP C++ V5.5 CANTCOMPLETE Warnings ------------------------------------------- When you compile programs that contain OpenSSL APIs, HP C++ Version 5.5 issues warnings about incomplete classes. This error occurs when you use a structure definition before it has been defined. You can resolve these warnings in one of two ways: - Upgrade to C++ Version 6.0. - Supply the necessary prototype before using the structure. The following is an example of this error: $ cxx/list/PREFIX=(ALL_ENTRIES) serv.c struct CRYPTO_dynlock_value *data; ........^ %CXX-W-CANTCOMPLETE, In this declaration, the incomplete class "unnamed struct::CRYPTO_dynlock_value" cannot be completed because it is declared within a class or a function prototype. at line number 161 in file CRYPTO$RES:[OSSL.BUILD_0049_ALPHA_32.INCLUDE.OPENSSL]CRYPTO.H;3 -- end of file --