Weak SSL Ciphers

Use this forum if you want to discuss a problem or ask a question related to a hMailServer beta release.
JoeMadden
New user
Posts: 1
Joined: 2013-06-14 18:41

Weak SSL Ciphers

Post by JoeMadden » 2013-06-14 18:47

Hi there,

I was wondering if you had any plans to address weak SSL ciphers in any of your next builds?

Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

It would be nice if it were possible to choose between SSL cipher versions!

Cheers

Joe.
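The scanner output above uses the `openssl ciphers -v` field layout that the post lists (cipher name, Kx, Au, Enc=alg(bits), Mac, optional export flag), and the "medium strength" band is purely a key-size band. As an added example, not part of the original post, the Python below parses lines in that layout, bands them by reported key size exactly as the scanner does (below 56 bits low, 56 to 111 bits medium, 112 and up high), and separately flags ciphers the bit count alone would miss (RC4 at 128 bits, export-grade suites). The sample listing is constructed: the two DES-CBC-SHA rows are the ones reported above with the protocol column added, the other rows are made up for illustration. The last function turns the findings into the OpenSSL cipher-list `!keyword` entries a defender would put into a cipher string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the `openssl ciphers -v` layout described in the post.
# The two DES-CBC-SHA rows are the ones reported above (protocol column added);
# the other rows are made up here to give the classifier a spread of cases.
SAMPLE_LISTING = """\
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
DES-CBC-SHA                 TLSv1   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

# {OpenSSL ciphername} [protocol] Kx=... Au=... Enc=alg(bits) Mac=... [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?:(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+)?"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+"
    r"Mac=(?P<mac>\S+)(?:\s+(?P<export>export))?\s*$"
)

# Symmetric algorithms that are weak regardless of nominal key size, mapped to
# the OpenSSL cipher-list keyword that excludes them as a class.
WEAK_ALGS = {"DES": "DES", "RC4": "RC4", "RC2": "RC2", "None": "eNULL"}


@dataclass
class Cipher:
    name: str
    proto: Optional[str]
    kx: str
    au: str
    enc: str
    bits: int      # 0 when OpenSSL prints no key size (e.g. Enc=None)
    mac: str
    export: bool


def parse_cipher_line(line: str) -> Optional[Cipher]:
    """Parse one listing line; returns None for headers, blanks and other noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Cipher(m["name"], m["proto"], m["kx"], m["au"], m["enc"],
                  int(m["bits"] or 0), m["mac"], m["export"] is not None)


def strength_band(c: Cipher) -> str:
    """The scanner's banding by reported key bits: <56 low, 56..111 medium, >=112 high."""
    if c.bits < 56:
        return "low"
    if c.bits < 112:
        return "medium"
    return "high"


def weak_reasons(c: Cipher) -> List[str]:
    """Why a cipher should go; an empty list means it passes both checks."""
    reasons = []
    band = strength_band(c)
    if band != "high":
        reasons.append(f"{band}-strength key ({c.bits} bits)")
    if c.export:
        reasons.append("export-grade suite")
    if c.enc in WEAK_ALGS:
        reasons.append(f"weak algorithm {c.enc}")
    return reasons


def weak_cipher_names(listing: str) -> List[str]:
    """Sorted, de-duplicated names of every cipher in the listing that fails a check."""
    names = {c.name for c in map(parse_cipher_line, listing.splitlines())
             if c and weak_reasons(c)}
    return sorted(names)


def exclusion_keywords(listing: str) -> List[str]:
    """OpenSSL cipher-list '!keyword' entries that remove the flagged ciphers by class."""
    kws = set()
    for c in map(parse_cipher_line, listing.splitlines()):
        if c is None:
            continue
        if c.export:
            kws.add("!EXPORT")
        if c.enc in WEAK_ALGS:
            kws.add("!" + WEAK_ALGS[c.enc])
    return sorted(kws)


def main() -> None:
    for c in map(parse_cipher_line, SAMPLE_LISTING.splitlines()):
        if c:
            verdict = "; ".join(weak_reasons(c)) or "ok"
            print(f"{c.name:28} {c.proto or '-':8} {strength_band(c):7} {verdict}")
    print("exclude:", ":".join(exclusion_keywords(SAMPLE_LISTING)))


if __name__ == "__main__":
    main()
```

The size band is kept separate from the algorithm check on purpose: OpenSSL reports 3DES as 168 bits, so DES-CBC3-SHA lands in the high band although its effective strength is 112, and RC4-SHA lands in the high band at 128 bits even though RC4 itself is broken. A scan report that only shows the medium band, as the one above does, therefore understates what needs to be removed.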

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Weak SSL Ciphers

Post by ^DooM^ » 2013-06-14 21:56

Is this for pci compliance? If so see http://blog.zenone.org/2009/03/pci-comp ... -weak.html
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-02 19:59

Hi All,

The Blog post in ZenOne mentioned below doesn't address our problem: it speaks to IIS configuration, which we've already implemented, and we've confirmed that it doesn't address our hMailServer configuration issues.

Is there a way to explicitly disable hMailServer support for weak ciphers through some configuration (we are not using OpenSSL)?

Any help is appreciated,
Brian

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-02 21:45

Look at the newer experimental builds. There are new INI settings.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-02 22:05

Thanks for your reply! Will the OpenSSL config changes suggested in:

http://www.hmailserver.com/forum/viewto ... 39#p162039

address this same issue?

Thanks,
Brian

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-02 22:14

you linked to your own post lol
Here read this:
http://www.hmailserver.com/forum/viewto ... 31#p160731
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-02 22:20

Doh! Sorry about that, here's the actual link:

http://www.hmailserver.com/forum/viewto ... 56#p159071

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-02 22:25

p.s. We're running a production server processing thousands of messages each day, so 'experimental builds' won't work for us.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-02 22:39

BrianSBoyd wrote:p.s. We're running a production server processing thousands of messages each day, so 'experimental builds' won't work for us.
Then you are out of luck. Only my experimental builds have the INI options for SSL. No idea when official builds will have the changes.

If it helps, many people use the experimentals on production servers, including myself with 100's of users, & I know of at least one ISP that does with 1000's on many servers. For the most part they are stable unless noted, but obviously there are risks. Risks that need to be weighed against the need for features not in official builds.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-03 18:05

Thanks for your quick responses. We won't get approval for using experimental builds in production, and we need to disable these weak ciphers for DTAAP certification. I know you say that you have no idea, but is it possible that this could be added within an official release within two months?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-03 23:23

BrianSBoyd wrote:Thanks for your quick responses. We won't get approval for using experimental builds in production, and we need to disable these weak ciphers for DTAAP certification. I know you say that you have no idea, but is it possible that this could be added within an official release within two months?
See, now you have a quandary there.. The decision of which is more important or least risk? Running an unofficial build with the SSL cipher settings you need, or running an official build without those settings so you cannot disable weak ciphers. While I understand the reluctance, that's your call or your boss' ;)

I have no idea when martin will release the next build. It's been 1 or 2 a year and a huge reason I post up the experimental builds, since official releases can be few & far between, so I like to make available builds with urgent bug fixes or features. But keep in mind the SSL cipher changes are only in my local copy & will not be in the official code until I have time to merge mine with martin's. Now that he has moved from the SVN repo to github the process is different than before. Then once I post my changes to the fork he'll still need to review & merge them, and I have no idea how long that will take, if he will accept the changes, or if the official build has issues that crop up from the merging or him making desired changes to the code. One good thing is he has automated building of his official code base, but he still needs to merge my code & I have no idea where those builds go or how to download, so not much use lol

So as I said you are in a pickle. I'd sooner say it'd be faster to put one of the recent experimental builds on a test computer to certify it as stable than to wait out an official release but your call.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-03 23:28

Thanks for making the process clear, we'll take it from here. Cheers ... Brian

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-05 20:07

Hi Bill,

We're holding a meeting this afternoon (we're on the West Coast) with other stakeholders to decide our next steps. One possibility that I see is that we get a copy of the latest source code and modify it ourselves: rather than going through the more involved process of INI support, we would look to simply disable outright.

Is this possible? I noticed that the only code available on the site is for version 4, whereas we would want to use the source code for the latest Production Release (we're using v5.4-B1942).

Thanks again for your help,
Brian

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-05 23:31

BrianSBoyd wrote:Hi Bill,

We're holding a meeting this afternoon (we're on the West Coast) with other stakeholders to decide our next steps. One possibility that I see is that we get a copy of the latest source code and modify it ourselves: rather than going through the more involved process of INI support, we would look to simply disable outright.

Is this possible? I noticed that the only code available on the site is for version 4, whereas we would want to use the source code for the latest Production Release (we're using v5.4-B1942).

Thanks again for your help,
Brian
The official 5.4 source is still on SVN (I think it's like B1940) but has been migrated to github. Eventually the SVN will be shut down but martin has left it up as it's easier for me to prepare my local version before posting mine to github as a branch to his.

And yes if you'd prefer to go that route i can help you with what needs to be changed. (Btw it takes 2 seconds to set the INI value to the cipher string you want in my builds but if you want to go thru the trouble have at it lol)
Bill

Here check this out: has svn & github info
http://www.hmailserver.com/forum/viewto ... 10&t=21837
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-06-10 21:32

Hi Bill,

Given how we otherwise encrypt our content, independent of hMail, our Information Security Officer agreed to a temporary security exception. It is our hope that your INI changes will be integrated into a production build within the next few months.

If this doesn't happen, then we'll revisit manually updating the code.

Many thanks for your prompt responses,
Brian

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-06-11 17:02

BrianSBoyd wrote:Hi Bill,

Given how we otherwise encrypt our content, independent of hMail, our Information Security Officer agreed to a temporary security exception. It is our hope that your INI changes will be integrated into a production build within the next few months.

If this doesn't happen, then we'll revisit manually updating the code.

Many thanks for your prompt responses,
Brian
OK great. Yeah give it a try but in my testing you can set whichever ciphers you choose. Due to how BOOST library ties with openssl there are some options that are not able to be set. I have yet to make a list.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Leathwood
New user
Posts: 2
Joined: 2014-07-02 12:56

Re: Weak SSL Ciphers

Post by Leathwood » 2014-07-02 13:15

Given I have recently had the same issue with PCI compliance, I shall lay out the steps I took to modify the source to pass PCI. I provide this information without warranty, and if anyone decides to follow what I've done, be it on their own head, as most of it I gathered together from the boost asio information and various stackoverflow posts.

The 2 files that need to be modified are TCPServer.cpp & TCPConnection.cpp

The choice of ciphers in sCipherList is up to you (I'm not even sure I need all of them in the sCipherList string); with the list below, only the following ciphers are accepted when I do an SSLScan:

Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA

The code to be added is

std::string sCipherList = "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA";
SSL_CTX_set_cipher_list((reinterpret_cast<boost::asio::ssl::context*>(&_context))->native_handle(), sCipherList.c_str());
*NB In TCPConnection.cpp "_context" will be "ctx" as they are named slightly differently.

TCPServer.cpp
------------------
Method: TCPServer::InitSSL()
~ln 112: After _context.set_options();

TCPConnection.cpp
------------------------
Method: TCPConnection::PrepareSSLContext(boost::asio::ssl::context &ctx)
~ln 1113: Before return true;

I hope you find this information useful.
Regards
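The two source lines above do the same thing hMailServer's later INI and Administrator setting does: hand OpenSSL a cipher-list string through SSL_CTX_set_cipher_list(). As an added example (not Leathwood's code and not hMailServer's), the Python below applies the exact string from the post to a server context through the standard ssl module, whose set_ciphers() calls that same OpenSSL function, and then reads back which suites the linked OpenSSL actually enables, so a list can be verified before it goes into a mail server. It also sets a protocol floor, because a cipher list on its own never disables SSLv3, which is why the SSLScan output above still shows SSLv3 accepting AES256-SHA. What survives depends on the OpenSSL build Python is linked against: on current builds single-DES suites such as DES-CBC-SHA are typically not compiled in, so that string is rejected outright rather than enabled.

```python
import ssl
from typing import Dict, List

# The cipher-list string from the post above (Leathwood's sCipherList), reused as-is.
POSTED_CIPHER_LIST = (
    "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA"
)


def server_context(cipher_list: str) -> ssl.SSLContext:
    """Build a server-side context the way the patch above configures hMailServer's:
    SSLContext.set_ciphers() is SSL_CTX_set_cipher_list() underneath. The protocol
    floor is set separately because a cipher list never disables SSLv3/TLS 1.0 by
    itself (the SSLScan result in the post still shows SSLv3 accepting AES256-SHA)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)   # raises ssl.SSLError when nothing in the list matches
    return ctx


def enabled_ciphers(cipher_list: str) -> List[Dict]:
    """Suites the linked OpenSSL actually enables for this list. TLS 1.3 suites are
    always present: the cipher-list string only governs TLS 1.2 and below."""
    return server_context(cipher_list).get_ciphers()


def is_valid_cipher_list(cipher_list: str) -> bool:
    """False when OpenSSL rejects the string (typo, or every entry unavailable)."""
    try:
        server_context(cipher_list)
        return True
    except ssl.SSLError:
        return False


def weak_ciphers(cipher_list: str, min_bits: int = 112) -> List[str]:
    """Names of enabled suites below the scanner's 112-bit 'medium strength' line."""
    return [c["name"] for c in enabled_ciphers(cipher_list)
            if c["strength_bits"] < min_bits]


def main() -> None:
    print("posted list accepted:", is_valid_cipher_list(POSTED_CIPHER_LIST))
    for c in enabled_ciphers(POSTED_CIPHER_LIST):
        print(f"{c['name']:32} {c['protocol']:8} {c['strength_bits']} bits")
    print("below 112 bits:", weak_ciphers(POSTED_CIPHER_LIST) or "none")
    print("DES-CBC-SHA available in this OpenSSL:", is_valid_cipher_list("DES-CBC-SHA"))


if __name__ == "__main__":
    main()
```

Running it against the OpenSSL a given machine has is the point: the same string the post uses can enable a different set of suites on a different build, and a string that matches nothing is an error at context setup rather than a silently empty list, which is the failure a cipher-list change in a mail server should be tested for before deployment.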

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-07-03 03:38

Leathwood wrote:Given I have recently had the same issue with PCI compliance, I shall lay out the steps I took to modify the source to pass PCI. I provide this information without warranty, and if anyone decides to follow what I've done, be it on their own head, as most of it I gathered together from the boost asio information and various stackoverflow posts.

The 2 files that need to be modified are TCPServer.cpp & TCPConnection.cpp

The choice of ciphers in sCipherList is up to you (I'm not even sure I need all of them in the sCipherList string); with the list below, only the following ciphers are accepted when I do an SSLScan:

Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA

The code to be added is

std::string sCipherList = "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA";
SSL_CTX_set_cipher_list((reinterpret_cast<boost::asio::ssl::context*>(&_context))->native_handle(), sCipherList.c_str());
*NB In TCPConnection.cpp "_context" will be "ctx" as they are named slightly differently.

TCPServer.cpp
------------------
Method: TCPServer::InitSSL()
~ln 112: After _context.set_options();

TCPConnection.cpp
------------------------
Method: TCPConnection::PrepareSSLContext(boost::asio::ssl::context &ctx)
~ln 1113: Before return true;

I hope you find this information useful.
Regards
Thanks for the info but you realize INI's were added to allow you to set those without editing the source?
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Leathwood
New user
Posts: 2
Joined: 2014-07-02 12:56

Re: Weak SSL Ciphers

Post by Leathwood » 2014-07-03 08:36

Thanks for the info, but as BrianSBoyd mentions experimental builds aren't permitted for everyone (including myself). So I was just trying to help those who can't use those.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-07-03 18:29

Leathwood wrote:Thanks for the info, but as BrianSBoyd mentions experimental builds aren't permitted for everyone (including myself). So I was just trying to help those who can't use those.
How is you building it yourself any less experimental? Guess to each his own, but yes, for anyone who needs to set ciphers without building hmail on their own, just use the INI settings. Hopefully some time soon I'll get mine sync'd with martin's official, then official releases will have my changes too; just not had time.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-07-03 18:42

Thanks Leathwood, we may have to go this route.

And thanks Bill: we ultimately hope that, within the next couple of months, you'll be able to sync up these changes with Martin's so that we can move forward with an official Production release.

Cheers,
Brian

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Weak SSL Ciphers

Post by prisma » 2014-07-08 17:59

@Bill: Only because I'm curious:
I don't know SVN very well, I only know GIT. With GIT I'd do the following:

In GIT you have branches and local and remote masters/origins. If I were programming a fork (that's what you actually do) I would put every improvement and new feature in its own branch. These branches have to be merged into your local master/origin for the fork release. If Martin wants to pick specific features you'd push your specific branch into his remote repository. Then he only has to merge this branch into his master for the official release.

But how do you do this with SVN? Do you send Martin files via email and he merges your changes manually and line by line??

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Weak SSL Ciphers

Post by Bill48105 » 2014-07-08 20:56

prisma wrote:@Bill: Only because I'm curious:
I don't know SVN very well, I only know GIT. With GIT I'd do the following:

In GIT you have branches and local and remote masters/origins. If I were programming a fork (that's what you actually do) I would put every improvement and new feature in its own branch. These branches have to be merged into your local master/origin for the fork release. If Martin wants to pick specific features you'd push your specific branch into his remote repository. Then he only has to merge this branch into his master for the official release.

But how do you do this with SVN? Do you send Martin files via email and he merges your changes manually and line by line??
thx for the info. the issue is 2 fold. one is sure I can post up mine as a branch but that doesn't get my changes into the official code, that requires martin to review & accept/merge. That gets us to the 2nd issue in that most changes span multiple files. Sure no biggie if just one change has happened but since it's been like a year or more all the changes are nested & mixed so it'd be nearly impossible to discern (especially for martin who didn't do them) which changes are for one thing & which are another without big risks of introducing bugs or changes that don't function properly. In essence he'd have to review each & every change to 'learn' what I did & why & if you look at the change log of mine there are TONS. Granted I take extreme care to avoid changes that interfere with the default behavior of hmail (iow default to the 'old way' unless it's a bug where old way would not be desired) so it might just be easiest for martin to look at my list & unless something appeared obviously objectionable to be in official, for him to just mass accept them all & undo changes if more were OK than not. To add to the pain martin made changes to the official that now conflict with my changes so mass accepting all of mine may not even be possible any more. And of course all of this assumes martin even has time to do it or when as he's MIA for months at a time unless there is something urgent like the SSL stuff.

The old way on SVN I had write access so I'd run tortoise & look at the changed files grouping them into compatible batches & commit changes in those small batches with detailed descriptions of what was changed in that batch. That way if martin had issues he could undo or modify one batch without dealing with all changes at once. Eventually I'd have all mine committed to the SVN repo & we'd be 'in sync' without him having to do anything unless there was a known problem or at his leisure when he reviewed the change logs. Github makes it easy to have a fork/branch to maintain yourself but seems it puts burden of work on the owner of the master to deal with merges. Perhaps I'm not familiar enough with github & could be wrong but that seemed to be the caveat.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Weak SSL Ciphers

Post by prisma » 2014-07-09 10:30

GIT does not imperatively mean github. We prefer local installations. GIT is not a centralizing system. There is no real master repository.
Nothing feels more risky than a migration to another code management system. But github could do this work. I think they have SVN and GIT access at the same time. But I don't know github very well. Anyway...

All you wrote sounds like you guys would be better off using GIT than SVN. GIT seems to be more a solution than a challenge for all the described issues. GIT is not single-file-based, it's whole-directory-based. Also keeping multiple origins/masters in sync is of course already built in because of the decentralized system.

But all possibilities of GIT (and similar working systems) start with the discipline to put every single feature into its own branch. If this wasn't done in the past, it'll be more and more difficult in the future. I'd take a look at GIT, Bill (and Martin).

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-07-09 22:11

prisma, the idea with feature branches can be discussed. There are plenty of downsides with it, and I see it as a code smell rather than something good.

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Weak SSL Ciphers

Post by prisma » 2014-07-10 11:53

martin wrote:I see it as a code smell rather than something good.
The situation is how it is. My suggestions on how to handle the situation in a better way have nothing to do with the basic situation.

But one thing is clear, now and in future: you're the master. Linus Torvalds also decides nearly alone which improvements find their way into the kernel. And that's OK. But he uses GIT to handle it :)

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-07-10 17:55

hMailServer is also built off Git......

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: Weak SSL Ciphers

Post by prisma » 2014-07-29 09:51

martin wrote:hMailServer is also built off Git......
The misunderstanding was, Bill wrote he doesn't know GIT very well. For this reason I assumed (wrongly) GIT is not used. Sorry.
Yeah, then the idea with feature branches is very discussable...

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-08-06 15:17

Configuration of SSL/TLS ciphers will be part of the next release.

(In hMailServer Administrator, it will be possible to specify which ciphers are permitted)

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-08-06 17:03

Excellent, thanks! (New release by year-end?)

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-08-06 20:55

I'm running the beta on my server already. I just tested the limitation of ciphers and it seems to work:
https://starttls.info/check/46.163.109.39 (this site is buggy, but it works fairly OK)

What is left is
1) More testing
2) CRL-handling. This is not tested at all yet and I'm not sure if it's working or not.
3) Update of PHPWebAdmin to include the UI-changes for the new stuff

Beta should be available within a few days. I just want to run it for a while myself first to make sure there's no obvious glitches.

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-08-06 23:05

Thanks Martin. We'll wait until it's been certified as a Production build. Our time frame is October, does a Production release seem likely by then?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-08-10 10:32

Yes, should be done by October.

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-08-11 05:55

Great to hear, thanks.

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-09-24 23:46

Hi Martin,

Does it still seem that there will be a new Production release in October with the ability to configure to not support Weak SSL Ciphers?

Thanks,
Brian

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-09-25 12:19

I put up version 5.5 as a production release which supported this. But then it turned out that a couple of users experienced issues with the build so I temporarily removed it from the list of production releases. So what looked like a good time plan is now a bit more unsure I'm afraid. :-\

I'm running a version in production myself now, but depending on when in October you're installing, the risk will vary a bit. :-\

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-09-25 17:55

Hi Martin,

Thanks for the info. Our timeline is to have this installed and thoroughly tested within all of our environments by the end of year. Given Thanksgiving and the New Year holidays, we figure that early November would be the absolute latest that would work for us.

We'll check back in October and see how this is coming along.

Thanks for your work!

Brian

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-10-17 00:40

Hi Martin,

With SSLV3 becoming an even greater concern, is progress being made on this version of hMailServer to disable weak ciphers via config?

Thanks!

Brian

mattg
Moderator
Posts: 20143
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Weak SSL Ciphers

Post by mattg » 2014-10-17 00:49

viewtopic.php?f=7&t=27208&p=167965#p167965

Also 5.5.2 is listed as current release (Not Beta)
https://www.hmailserver.com/download

This includes the latest Open SSL build - https://hmailserver.com/changelog
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-10-19 20:32

Thanks mattg. Any date for v5.6? This release has the features that we need to continue using hMailServer.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Weak SSL Ciphers

Post by percepts » 2014-10-19 20:35

Martin has been beavering away, 5.6 is already in Beta if you want it now.

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-10-20 00:33

Thanks, unfortunately beta isn't good enough (as related previously in this post). Looking forward to the Production release.

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-07 19:14

Hi Martin,

We're nearing the date when we have to make a go/no-go decision with hMailServer.

Does it look like v5.6 will be promoted to Production by Thanksgiving?

Thanks,
Brian

mattg
Moderator
Posts: 20143
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Weak SSL Ciphers

Post by mattg » 2014-11-08 04:44

When is thanksgiving for those of us outside USA??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ArenICT
New user
Posts: 5
Joined: 2014-09-17 18:35

Re: Weak SSL Ciphers

Post by ArenICT » 2014-11-08 15:57

mattg wrote:When is thanksgiving for those of us outside USA??
According to wikipedia:

2nd Monday in October (Canada)
1st Thursday in November (Liberia)
Last Wednesday in November (Norfolk Island)
Fourth Thursday in November (USA)

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-11 19:19

Apologies, does it look like v5.6 will be promoted to Production by the 'Fourth Thursday in November (USA)' [Nov 27th]? Thanks .. Brian

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: Weak SSL Ciphers

Post by martin » 2014-11-12 13:04

Yes, there are no more big changes planned. I would say that it's already production ready... I've been using it in production for 3 weeks. It's more of a timing issue, that I don't want to release new versions too often.

Unless some critical issue is found, it will be released on the 19th of November.
Martin Knafve
martin@hmailserver.com
https://twitter.com/knafve

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-12 18:46

Great to hear, Martin! Thanks for all of your work and the work of your team.

Brian

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-20 01:28

Version 5.6 - Build 2145 (2014-11-13) - Production

Thanks!

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-20 19:00

Hi,

Can you point us to documentation that allows us to leverage this new ability to disable weak ciphers?

Does this also include ability to disable plain text authentication?

Thanks,
Brian

mattg
Moderator
Posts: 20143
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Weak SSL Ciphers

Post by mattg » 2014-11-21 00:31

documentation is a little light on...

https://www.hmailserver.com/documentati ... e_security
SSL/TLS ciphers

Use this setting to override the ciphers which hMailServer will allow for encrypting SSL/TLS connections. This should be entered in OpenSSL cipher list format.


https://www.hmailserver.com/documentati ... otocolsmtp
See RFC Compliance >> Allow plain text authentication

In the Admin GUI this is
Settings >> Protocols >> SMTP >> RFC Compliance >>Allow plain text authentication
(de-select this option)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

BrianSBoyd
New user
Posts: 23
Joined: 2014-06-02 19:26

Re: Weak SSL Ciphers

Post by BrianSBoyd » 2014-11-21 01:00

Many thanks for the quick reply. -Brian
