These are the instructions for building SSL .081 for use with the OSU
server, the MST version, using DEC C.  Gnu C would probably also work as it
is all done /standard=ansi89, just keep in mind that __VMS needs to be 
defined.  (It will NOT work with VAXC - get a real compiler, a recent Gnu C
for VAX is better than VAXC.) 

This will also build the SSL_TASK program, which you need for the DECNET
version of SSL, or you can build SSL_ENGINE (a more recent version that
should probably be used instead) but if you're going to use one of these,
you are on your own starting around step 6, below. Some of the extra pieces
(.opt,.h) are left in the top of the SSLeay distribution and you need to
move them to the appropriate places.   SSL_ENGINE must be moved to 
[.base_code] and built there.

1.  Download and unpack SSLeay .081 from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.8.1.tar.gz

2.  Unpack this .zip file over it.  Then put the OpenVMS changes in place with
 
    $ @patch_with_diff.com

    Define a symbol (not a logical) for the top of the SSLeay distribution
    (this assumes your default directory is that top directory):

    $ topssl = f$environment("DEFAULT") - "]"
    
    Define a logical (not a symbol) for your [.base_code] area.

    $ define bcode yourdisk:[yourdir.base_code]

    $ dir/date 'topssl']tserver_ssl.c
    $ dir/date 'topssl']ssl_server_mst.c
    $ dir/date bcode:tserver_ssl.c
    $ dir/date bcode:ssl_server_mst.c

    You want the more recent versions to be in [.base_code].  If the newer
    copies are the ones in the SSLeay top directory, do: 

    $ copy 'topssl']tserver_ssl.c bcode:
    $ copy 'topssl']ssl_server_mst.c bcode:

3.  $ Copy SSL_SERVER_MST2.OPT bcode:

3b. USA sites only (only USA sites need RSAREF), do instead:

        $ copy SSL_SERVER_MST2_USA.OPT bcode:ssl_server_mst2.opt

        (note the name change during copy!!!!)

        Anonymous FTP to ftp.rsa.com, follow the instructions for downloading
        RSAREF, (they have a time varying download method, you'll see.)
        Get the .tar.Z form, as the .ZIP has DOS files in it and that makes 
        DEC C very unhappy.  Unpack RSAREF into some directory (position 
        doesn't matter).  Set a symbol (not logical) THERE which contains
        the full path to that position: ie 

        $ there:==disk:[dir.rsaref]  !fill in the right values

        $ copy make_vms_rsaref.com 'there'make_vms.com
        $ set def 'there'
        $ @make_vms

        This will create a file RSAREF.OLB.

        Return to the top layer of SSLEAY-0_8_1.

        $ set def 'topssl']


4.      For OpenVMS 7.1 and up do:

        $ @make_vms  "" "anything"

        For 7.0 and earlier do:

        $ @make_vms  ""

        (this will take a while; the build should be completely clean,
        though.  The P1 flag would have enabled debugging; the P2 flag
        sets the PTHREAD_USE_D4 define, which is needed on 7.1 and up
        due to changes in the pthreads library.
        Thanks to Greg Thomas for supplying this information.)

4b. USA sites only, do instead

    $ @make_vms 'there'rsaref.olb
 
5.  To build the SSL pieces into the OSU server, do:

   $ define ssllib 'TOPSSL'.CRYPTO], 'TOPSSL'.CRYPTO.BIO], 'TOPSSL'.SSL]

    (or wherever it is that you unpacked this)

5b. USA sites only, do instead

   $ define ssllib 'TOPSSL'.CRYPTO], 'TOPSSL'.CRYPTO.BIO], 'TOPSSL'.SSL], 'THERE'

6.  Then move to the [.base_code] subdirectory of your OSU server, do:

   $ cc ssl_server_mst.c
   $ cc tserver_ssl.c
   $ @link_tcpshare ssl "" ssl_server_mst2/option

7.  If you have not already done so, examine the two files
    provided:

     HTTP_SYSTARTUP.COM 
     TSERVER_TCPSHR_INSTALL.COM

    You need to have these, or something like them, in
    your [.SYSTEM] area.

  (Be sure that your .PEM file is pointed to by the wwwssl_mst_certificate
  logical, and that all wwwssl_mst_* logicals are /sys/exec!!!)

8. Restart the server from a priv'd account:

   $ @http_startup <server account name>

   Fill in whatever you used for <server account name>, i.e., the account you 
   set up the proxies for.

****Making a key, getting a certificate*************************************************************
9. To generate a key (MYSYSTEM.KEY), with no pass phrase,

   $ set def 'topssl'.apps]
   $! make a seed file with a bunch of hard-to-guess characters in it.
   $! SHOW SYSTEM output is largely predictable, so this is only a weak
   $! seed; add any less guessable data you have on hand to the file.
   $ define/user sys$output  spotcheck.dat
   $ show system
   $! now make a key based on it, then delete the seed file, so nobody
   $! can use it to help crack the key.
   $ rrr :== $'topssl'.apps]genrsa
   $ rrr -out mysystem.key -rand spotcheck.dat 1024
   $ delete spotcheck.dat;

10. Generate a file "mysystem.conf". Here is the one I used with SSLeay .066,
based on a .conf file in that distribution.  The resulting certificate
still works with .081.  The only fields I touched are at and below the
word "countryName_default"

$ create mysystem.conf
#
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE		= ./.rand

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/new_certs	# default place for new certs.

certificate	= $dir/CAcert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/CAkey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 512
default_keyfile 	= testkey.pem
distinguished_name	= req_distinguished_name
encrypt_rsa_key		= no

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= US
countryName_value		= US

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= California
stateOrProvinceName_value	= California

localityName			= Locality Name (eg, city)
localityName_default		= Pasadena
localityName_value		= Pasadena

organizationName		= Organization Name (eg, company)
organizationName_default	= Caltech
organizationName_value		= Caltech

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Biology Division
organizationalUnitName_value	= Biology Division

commonName			= Common Name (eg, YOUR name)
commonName_value		= seqaxp.bio.caltech.edu

emailAddress			= Email Address
emailAddress_value		= system@seqaxp.bio.caltech.edu
^Z (CONTROL Z)

11.  Generate a certificate request:

   $ rrr :== $'topssl'.apps]req.exe
   $ rrr -new -key mysystem.key -out mysystem.csr -config mysystem.conf

12.  Use Netscape or MSIE (a browser with SSL, in any case) to connect to
     http://www.thawte.com/    (I'm not shilling for Thawte, it's just that
     they are the only ones that I know of who will issue a certificate for
     OSU/SSLeay.)  Work your way through the pages and then paste the 
     contents of "mysystem.csr" in at the appropriate point.  Follow their
     directions, send them money, etc.

13.  When your certificate is ready, retrieve it from http://www.thawte.com/
     and save it in a file as mysystem.cert.  Check that it has no 
     extraneous spaces added at the ends of lines.

     Create a .pem file by doing:

     $ append/new mysystem.cert, mysystem.key    mysystem.pem

     (If you hit a file type conflict, use an editor to do the same thing.)

     The key in this file has no pass phrase, so set the file protection on
     mysystem.key and mysystem.pem so that only the server account can read
     them.

14.  Before trying to get SSL going, it is a good idea to verify that your
     certificate actually matches your key.  Define foreign symbols or
     DCL$PATH so that x509 and rsa will run from the command line.  Then do:

     $ x509 -out cert.txt -text -in mysystem.cert
     $ rsa -out key.txt -text -in mysystem.key

     Look in the resulting cert.txt at "Modulus" and "Exponent" and
     compare them with the key.txt fields "modulus" and "publicExponent".
     They should be identical, meaning that the certificate and key match,
     so the .PEM should be ok.  Note that key.txt contains the private key
     components in the clear; delete it when you are done.
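The step 14 comparison can be scripted rather than done by eye.  The Python
below is an added example, not part of these instructions or of the SSLeay
distribution; it assumes the text layout that `x509 -text` and `rsa -text`
write (the OpenSSL/SSLeay family: a "Modulus"/"modulus" hex dump followed by
an "Exponent"/"publicExponent" line), and it goes one step beyond the page by
also checking that the private key is internally consistent (n = p*q and
e*d = 1 mod lcm(p-1, q-1)), which catches a key file damaged in transfer.
The 16-bit key at the bottom is a constructed toy fixture, never a real key.

```python
"""Compare the cert.txt and key.txt dumps from step 14 and sanity-check the
private key.  Added example; the toy 16-bit key below is constructed."""
import re
from math import gcd

# A field line: "Modulus (1024 bit):", "Exponent: 65537 (0x10001)", "prime1:"
_FIELD = re.compile(r'^\s*([A-Za-z][A-Za-z0-9 -]*?)(?: \(\d+ bit\))?:\s*(.*)$')
# A hex-dump continuation line: "    00:c4:7f:" (colon-separated bytes)
_HEXLINE = re.compile(r'^\s+[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*:?\s*$')


def parse_text_dump(text):
    """{lowercased field name: value}: hex dumps -> int, "65537 (0x10001)" ->
    65537, other inline values (names, DNs, dates) kept as strings."""
    fields, dumps, current = {}, {}, None
    for line in text.splitlines():
        if _HEXLINE.match(line):
            if current is not None:
                dumps[current] += line.strip().rstrip(':').replace(':', '')
            continue
        current = None
        m = _FIELD.match(line)
        if not m:
            continue
        name, rest = m.group(1).strip().lower(), m.group(2).strip()
        if not rest:                  # value follows as an indented hex dump
            current, dumps[name] = name, ''
            continue
        try:
            fields[name] = int(rest.split()[0])
        except ValueError:
            fields[name] = rest
    fields.update({k: int(v, 16) for k, v in dumps.items() if v})
    return fields


def certificate_matches_key(cert_text, key_text):
    """The manual check from step 14: the certificate's Modulus and Exponent
    must equal the key's modulus and publicExponent."""
    cert, key = parse_text_dump(cert_text), parse_text_dump(key_text)
    return (isinstance(cert.get('modulus'), int)
            and cert['modulus'] == key.get('modulus')
            and cert.get('exponent') == key.get('publicexponent'))


def private_key_is_consistent(key_text):
    """Require n == p*q and e*d == 1 (mod lcm(p-1, q-1)); a key that fails
    this is not a usable RSA key, whatever the certificate says."""
    k = parse_text_dump(key_text)
    try:
        n, e, d, p, q = (k[f] for f in ('modulus', 'publicexponent',
                                        'privateexponent', 'prime1', 'prime2'))
    except KeyError:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return p * q == n and (e * d) % lam == 1


def _hexdump(n, indent='    '):
    """Format an integer as the dumps do: colon-separated bytes, leading 00
    when the top bit is set (the toy values fit on one line)."""
    h = format(n, 'x')
    h = ('0' if len(h) % 2 else '') + h
    if int(h[:2], 16) & 0x80:
        h = '00' + h
    return indent + ':'.join(h[i:i + 2] for i in range(0, len(h), 2))


# Constructed toy fixture: two small primes, e = 65537 (never use such a key).
_P, _Q, _E = 197, 211, 65537
_N = _P * _Q                                          # 41567 = 0xa25f
_D = pow(_E, -1, (_P - 1) * (_Q - 1) // gcd(_P - 1, _Q - 1))

SAMPLE_CERT_TEXT = f"""Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Subject: C=US, ST=California, O=Caltech, CN=seqaxp.bio.caltech.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (16 bit)
                Modulus (16 bit):
{_hexdump(_N, ' ' * 20)}
                Exponent: 65537 (0x10001)
"""

SAMPLE_KEY_TEXT = f"""Private-Key: (16 bit)
modulus:
{_hexdump(_N)}
publicExponent: 65537 (0x10001)
privateExponent:
{_hexdump(_D)}
prime1:
{_hexdump(_P)}
prime2:
{_hexdump(_Q)}
"""
```

To use it on real output, read cert.txt and key.txt into strings and call
certificate_matches_key and private_key_is_consistent on them; both must
return True before the .PEM is worth installing.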


Special thanks to D. Jones for his help getting this version running.

30-SEP-1997
David Mathog
mathog@seqaxp.bio.caltech.edu
