State of EBCDIC support in OpenSSL

State of EBCDIC support in OpenSSL

Stephan Mühlstrasser
What is the current state of EBCDIC support in OpenSSL?

While there are CHARSET_EBCDIC #ifdefs all over the source, a build on
z/OS Unix System Services is possible and creation of signatures
apparently works, there are several problems we ran into:

- the "openssl s_client" command cannot be used to test connections to
HTTPS servers
- "openssl x509" cannot print certificates because it fails to parse the
timestamps in the certificates
- certificate validation fails also because timestamps are not parsed
correctly
- a segmentation fault occurs in a test case when running "make test"

Is the OpenSSL team interested in EBCDIC-related bug reports and
potentially patches, or is the EBCDIC port essentially dead?

Stephan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: State of EBCDIC support in OpenSSL

Tim Hudson
On 29/04/2014 5:38 PM, Stephan Mühlstrasser wrote:
> ... or is the EBCDIC port essentially dead?

Bug reports on EBCDIC with patches are definitely interesting as there
is an active community of OpenSSL z/OS users - at the very least the
other users will benefit from any work you have already done.

For the broader context I think you'll find the issue for handling such
platforms will usually be the typical one of regular platform access.
Checking, adjusting, and confirming patches which are platform specific
that are non-trivial basically requires access to the platform.

One thing to consider is if you (or anyone else) is able to provide
permanent (or semi-permanent) access (via ssh) to a z/OS platform with
USS installed that places the user into a standard shell environment
with the compilers accessible.

Thanks,
Tim.


Re: State of EBCDIC support in OpenSSL

Stephan Mühlstrasser
On 29.04.14 10:28, Tim Hudson wrote:
> Bug reports on EBCDIC with patches are definitely interesting as there
> is an active community of OpenSSL z/OS users - at the very least the
> other users will benefit from any work you have already done.

I can provide bug reports, but at the moment I cannot promise that I can
come up with corresponding patches as well.

I did some research in the OpenSSL mailing list archives, and from that
I have the impression that there's little activity from OpenSSL z/OS
users over the last few years. Are there other places where you see the
"active community of OpenSSL z/OS users"?

> For the broader context I think you'll find the issue for handling such
> platforms will usually be the typical one of regular platform access.
> Checking, adjusting, and confirming patches which are platform specific
> that are non-trivial basically requires access to the platform.
>
> One thing to consider is if you (or anyone else) is able to provide
> permanent (or semi-permanent) access (via ssh) to a z/OS platform with
> USS installed that places the user into a standard shell environment
> with the compilers accessible.

I'm sorry, but I can't help with platform access, as we only have a z/OS
development system for porting our software, not even a real zSeries
machine.

I would expect that IBM itself should be interested in a working OpenSSL
port for zSeries. We have a very old version of OpenSSL on our system
that we downloaded from the IBM website in the past. This version is for
example able to print out certificates correctly.

Today the IBM website about open source software available for z/OS
points to openssl.org for getting OpenSSL:

http://www-03.ibm.com/systems/z/os/zos/features/unix/bpxa1ty1.html

"The free unsupported version of OpenSSL previously offered here is no
longer available. Instead, we refer you to the functionally equivalent
version available from the official OpenSSL project website."

If someone from IBM is reading this, please consider the request by Tim
for access to a z/OS platform.

Stephan


RE: State of EBCDIC support in OpenSSL

mclellan, dave
We are active and continuing users of the z/OS port of OpenSSL, have just rebuilt 1.0.1c without heartbeats on a maintenance stream and are upgrading to 1.0.g on a future release stream. Just as an example of staying current on z/OS.

We use z/OS on the server side only, and generate server certs from a Windows machine, and transfer the certs to USS using binary FTP. The server does not require a client cert since we couldn't get that working and have never had time to look into it. We don't use the openssl CLI on z/OS.

We have even considered the port for Fujitsu BS2000 but don't have a business priority for it.

All this to say that we sure hope that z/OS and OpenSSL continue to be real, and I'm glad to have read Tim's response.


+-+-+-+-+-+-+-+-+-
Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office:    508-249-1257, Mobile:   978-500-2546, [hidden email]
+-+-+-+-+-+-+-+-+-


Re: State of EBCDIC support in OpenSSL

Richard Könning
Hello,
in the request tracker under item #843 there are patches for 0.9.7c
(created and tested on Fujitsu BS2000) and 0.9.7j (updated by Jeremy
Grieshop for z/OS).
Because I saw no actions to incorporate the patches into the official
sources in the last ten years I saved afterwards the work to commit our
patches for newer OpenSSL versions.
If there is interest I can provide patches for lines 0.9.8, 1.0.0 and
1.0.1 too; it will probably take some days because I have first to look
at the patches and maybe remove some non-EBCDIC related parts.
Best regards,
Richard

Re: State of EBCDIC support in OpenSSL

Christian Koenning
Thanks!
Christian
