Discussion:
ITUGLIB Update: OpenSSL 3.0.0 Available
(too old to reply)
Randall
2021-09-08 18:07:57 UTC
Permalink
Hi Everyone,

The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.

For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.

As described in prior notices, the following builds are available for NonStop x86 (L-series) and ia64 (J-series) in OSS:

/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS

All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.

The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.

As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.

Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.

ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.

If you wish upgrade support for the 1.0.2 series, please reply to me directly.

Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
gcav
2021-09-27 13:49:02 UTC
Permalink
Hi Randall, is OpenSSL compiling out-of-the-box on OSS?
Compile is dying on http_server.c:97

Let me know,
Thanks.
gc
Post by Randall
Hi Everyone,
The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.
For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.
/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS
All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.
The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.
As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.
Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.
ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.
If you wish upgrade support for the 1.0.2 series, please reply to me directly.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
Randall
2021-09-27 19:14:45 UTC
Permalink
Hi Randall, is OpenSSL compiling out-of-the-box on OSS?
Compile is dying on http_server.c:97
Let me know,
Thanks.
gc
Post by Randall
Hi Everyone,
The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.
For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.
/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS
All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.
The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.
As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.
Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.
ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.
If you wish upgrade support for the 1.0.2 series, please reply to me directly.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
3.0.0 It should compile out of the box. Which configuration are you using? What branch? What commit?
And FYI: Please provide more details. "Compile is dying on http_server.c:97" really is not helpful. Remember that we are volunteers.
Randall
2021-09-27 20:32:59 UTC
Permalink
Hi Randall, is OpenSSL compiling out-of-the-box on OSS?
Compile is dying on http_server.c:97
Let me know,
Thanks.
gc
Post by Randall
Hi Everyone,
The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.
For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.
/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS
All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.
The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.
As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.
Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.
ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.
If you wish upgrade support for the 1.0.2 series, please reply to me directly.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
Near as I can tell, you are trying to build something that may not work. Have you tried:

./Configure nonstop-nsx

and then the build using make as a starting point? Does that build correctly?

The error you received can only happen if HTTP_DAEMON is defined, which is not, from what I can tell, in any of the standard NonStop OSS builds for 3.0.0.
Gustavo Cavazos
2021-09-30 17:12:15 UTC
Permalink
Post by Randall
Hi Randall, is OpenSSL compiling out-of-the-box on OSS?
Compile is dying on http_server.c:97
Let me know,
Thanks.
gc
Post by Randall
Hi Everyone,
The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.
For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.
/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS
All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.
The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.
As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.
Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.
ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.
If you wish upgrade support for the 1.0.2 series, please reply to me directly.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
./Configure nonstop-nsx
and then the build using make as a starting point? Does that build correctly?
The error you received can only happen if HTTP_DAEMON is defined, which is not, from what I can tell, in any of the standard NonStop OSS builds for 3.0.0.
Sorry, for late response...

I downloaded the tarball from:
https://www.openssl.org/source/openssl-3.0.0.tar.gz

And was using:
./Configure nonstop-nsx_g_tandem --prefix=${PWD} --openssldir=${PWD}/ssl no-threads --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}

as specified in NOTES-NONSTOP.md
That last one broke on HTTP_DAEMON.

Using
./Configure nonstop-nsx_g runs ok. But I cant find the guardian libs "ssl" "crypto"

I will keep working on it.
Thanks.
gc
Randall
2021-09-30 19:43:26 UTC
Permalink
Post by Gustavo Cavazos
Post by Randall
Hi Randall, is OpenSSL compiling out-of-the-box on OSS?
Compile is dying on http_server.c:97
Let me know,
Thanks.
gc
Post by Randall
Hi Everyone,
The new official general release, OpenSSL 3.0.0, is now available on the ITUGLIB website. Prior 3.0.0 beta releases have been deleted. Other threads, including 1.1.1 and 1.0.2 are still on the website, although 1.0.2 is no longer being updated.
For change information, consult https://www.openssl.org/news/openssl-3.0-notes.html. You can find a migration guide at that address.
/usr/local-ssl3.0/lib - 32-bit unthreaded
/usr/local-ssl3.0/lib64 - 64-bit unthreaded
/usr/local-ssl3.0/lib64-put - 64-bit POSIX User Threads (PUT)
/usr/local-ssl3.0/lib-spt - 32-bit Standard POSIX Threads (SPT), requires FLOSS
All builds now use IEEE float. The x86 (L-series) version uses the platform hardware randomizer, so you no longer need PRNGD for OpenSSL. There is a FIPS implementation also in the x86 (L-series) package, but certification is your responsibility.
The builds can all co-exist in the /usr/local-ssl3.0 directory structure, saving space and sharing certificates. Because the ./bin directory is not split out by memory model or thread model, the last install you do will take effect, so probably use the 64-bit unthreaded for that. This limit is likely to change in the future.
As of 3.0.0, ITUGLIB is building from the standard OpenSSL code base, which can now be obtained from GitHub. As a result, ITUGLIB does not package or ship OpenSSL source code for 3.0.0 or later releases.
Please remember to be careful with any downloads and import/export restrictions that may apply to you. You are 100% responsible for operating within the law.
ITUGLIB will endeavor to continue to build 3.0.0 and 1.1.1 while those releases are supported. If you want to build your own copy of 3.0.0, download the source tarball from https://www.openssl.org, or obtain the git copy from GitHub for the full commit history and signatures of each change - remember to checkout and build from the appropriate tag. Build recipes are documented in the NOTES-NONSTOP.md file in the top directory of the OpenSSL package.
If you wish upgrade support for the 1.0.2 series, please reply to me directly.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
./Configure nonstop-nsx
and then the build using make as a starting point? Does that build correctly?
The error you received can only happen if HTTP_DAEMON is defined, which is not, from what I can tell, in any of the standard NonStop OSS builds for 3.0.0.
Sorry, for late response...
https://www.openssl.org/source/openssl-3.0.0.tar.gz
./Configure nonstop-nsx_g_tandem --prefix=${PWD} --openssldir=${PWD}/ssl no-threads --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
as specified in NOTES-NONSTOP.md
That last one broke on HTTP_DAEMON.
Using
./Configure nonstop-nsx_g runs ok. But I cant find the guardian libs "ssl" "crypto"
I will keep working on it.
Thanks.
gc
I must apologize but ITUGLIB does not perform tests of OpenSSL in the GUARDIAN space because of precedence of the product from comforte, NonStop SSL. It has priority for SSL in the GUARDIAN space, which ITUGLIB will not attempt to circumvent. Our only testing, both build and test, involve the OSS packages described here, on the ITUGLIB website, and in the NOTES-NONSTOP.md file in the OpenSSL package. The nonstop-nsx_g_tandem is a historical package from 1.1.1 that was not ported or tested by our team - it was kept for other teams who may be using it. Perhaps others may be able to help, but I cannot.

However, just reading the configuration entry you are using, I am not sure it would be able to build a GUARDIAN DLL named properly. The critical line, in Configurations/50-nonstop.conf that may be impacting your build is:

shared_ldflag => '-Wshared -Wxld="-soname $(@:lib%.so=%)"',

You can try adding LDFLAGS= something else, to place the library where you want it to go. There were issues in the make install command found by the OpenSSL team, which were removed by removing the -soname argument in OSS builds.

Sincerely,
Randall
On behalf on the ITUGLIB Technical Committee, Nexbridge Inc., and myself.
gcav
2021-09-30 23:02:46 UTC
Permalink
Post by Randall
I must apologize but ITUGLIB does not perform tests of OpenSSL in the GUARDIAN space because of precedence of the product from comforte, NonStop SSL. It has priority for SSL in the GUARDIAN space, which ITUGLIB will not attempt to circumvent. Our only testing, both build and test, involve the OSS packages described here, on the ITUGLIB website, and in the NOTES-NONSTOP.md file in the OpenSSL package. The nonstop-nsx_g_tandem is a historical package from 1.1.1 that was not ported or tested by our team - it was kept for other teams who may be using it. Perhaps others may be able to help, but I cannot.
You can try adding LDFLAGS= something else, to place the library where you want it to go. There were issues in the make install command found by the OpenSSL team, which were removed by removing the -soname argument in OSS builds.
Sincerely,
Randall
On behalf on the ITUGLIB Technical Committee, Nexbridge Inc., and myself.
No problem Randall,
I will tweak it and make it work.

Thanks
gc.

Loading...