LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Use this forum if you want to discuss a problem or ask a question related to a hMailServer beta release.
Post Reply
User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-08 07:40

Hi,
As some of you allready know, OpenSSL 1.0.2.x series is outdated and will be replaced by the allready avaiable
OpenSSL 1.1.x Branch. Unfortently, the new branch breaks hMailServers code and is redesigned in many ways.
Take a look if you interrested in the debate about this crap decision: https://github.com/openssl/openssl/issues/962

However, instead of migrating to the 1.1.x branch, i tested LibreSSL 2.8.1 (maintained and developed by the OpenBSD Operatingsystem Project) and it compiles like a charm! IMHO LibreSSL's mainfocus is overall security and i think its
a much more secury SSL-Library then the old OpenSSL 1.0.x and even the new OpenSSL 1.1.x branch.

I testinstalled it with the internal MS-SQL-CE Database, activated TLS/SSL Support (STARTTLS and TLS/SSL)
and take a carefull look at the logs, loggend into a newly created email account with Thunderbird and i notices no
erros in the logs and Thunderbird works normally.

But: Its a new feature and we should test it carefully! Any testing and feedback is appreciated.

Installer Download:
https://github.com/Dravion/hmailserver/ ... SL-x64.exe

Screenshot
Untitled.jpg
Attachments
LibreSSL_Connection_Log_hmailserver_2018-10-08.7z
(5.5 KiB) Downloaded 283 times

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by mattg » 2018-10-08 15:14

Did LibreSSL just bolt in with no changes to hMailserver code?

I would love to test, but I am addicted to the extra stuff that RvdH puts into their builds
http://www.hmailserver.com/forum/viewto ... 60#p203420
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-08 15:36

mattg wrote:
2018-10-08 15:14
Did LibreSSL just bolt in with no changes to hMailserver code?

I would love to test, but I am addicted to the extra stuff that RvdH puts into their builds
http://www.hmailserver.com/forum/viewto ... 60#p203420
Thats correct.It doesnt need Codechanges but i had to replace some path and file settings.

If Rvdh has uploaded his changes to its own Github-hMailServer repo, i can fetch it and compile built it with LibreSSL and provide a Installer.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by mattg » 2018-10-08 15:48

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-08 16:37

I just received a message from the OpenSSL Team which reflects the Situation which will affect hMailServers
Future Development big time:
So, all existing Software must be rewritten just to be able to use 1.1.x ?
Do you have any idea how many Million lines of code are affected by this crap??

Yes, applications must be changed to use 1.1.x. This was not a change we made lightly or without an understanding of the impact on applications. It was much discussed both internally within the project and also in public forums over a long period. Largely speaking the user community has been very supportive of this change - although of course there are always people on both sides of the fence.

There are a number of problems with non-opaque structures:

The internal members of structures become part of the API, which means it is impossible for us to make any changes to any of them. This in turn makes refactoring, changing, or even just bug fixing any OpenSSL code very difficult - meaning that the code tends to ossify over time.
Changing the size or order of members in a structure has implications for ABI compatibility further restricting our ability to maintain the code
It is does not create a clear separation between internal implementation details and the application interface - meaning that applications tend to rely on specific implementation details. This makes applications brittle and further restricts the ability of the OpenSSL team to maintain the code
In order to deal with the above problems the OpenSSL maintainers were forced into tortuous contortions in the code in order to implement workarounds.
Making this change was necessary for us to have a healthy OpenSSL moving forwards. Without it, it would have been impossible for us to make major improvements to the code such as the state machine refactor. Implementing TLSv1.3 (as in 1.1.1) would have been extremely difficult (maybe impossible) without making this change. While it does require applications to make changes the vast majority of those changes are quite straightforward and simple to do. Very many applications have already done so.
You can follow it in full lenght here https://github.com/openssl/openssl/issu ... -427752560

Conclusion
OpenSSL has decided to make radical changes to its new OpenSSL 1.1.x series which is now allready the new defacto
Standard of the OpenSSL-Project. hMailServer mandatory requires on OpenSSL 1.0.2.x and cannot adapt and move on to the new OpenSSL version without major codechanges (it simply doesnt compile anymore, you get over 200 Compiler Errors on
a Syntax level (functions and structures cannot be found anymore) and no hMailServer.exe can be created anymore).

To make things worse:
OpenSSL 1.0.2.x will only be updated for a short time period because its allready marked as EOL and deprecated.
This will lead us into a situation where no new security vulnerabilities in OpenSSL 1.0.2.x will be fixed anymore and
hMailServer will suffer the consequences.

My response was
Thats no excuse. I just downloaded the latest version of LibreSSL 2.8.1 which was forked as resul of the Heatbleed security meltdown in OpenSSL and to my surprise, it works perfectly without changing 1 Line of code of our Codebase. Sorry OpenSSL Team, you messed it up again big time.
IMHO: I think we should stick with LibreSSL. Its more secure and doesnt force us to rewrite portions of hMailServers SSL/TLS code and just work without any compromise.

User avatar
katip
Senior user
Senior user
Posts: 1158
Joined: 2006-12-22 07:58
Location: Istanbul

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by katip » 2018-10-08 20:12

Dravion wrote:
2018-10-08 16:37
IMHO: I think we should stick with LibreSSL. Its more secure and doesnt force us to rewrite portions of hMailServers SSL/TLS code and just work without any compromise.
Dravion, yesterday i replaced my HMS at home with your x64 build (my first x64 HMS experience) and today another time with your LibreSSL version. till this moment, no single error or any other inconvenience. if this is the path to go you mean, we go and see :wink:
new year approaching. could be a good warmup to consider an x64 version & new SSL/TLS support on our production site. thanks a lot for your efforts.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8

prisma
Senior user
Senior user
Posts: 325
Joined: 2010-07-09 13:16

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by prisma » 2018-10-11 11:20

Please let me annotate following:

What does Martin say to those trends? OK, core development is slow. But to be honest, for us, hmailserver works pretty perfect and the bug list is rather short in relation to other projects. openSSL 1.0.2.x is supported until 31.12.2019 from what I read. Let's give Martin a chance to refactorize openSSL integration until this date.

On the other hand: If you all say this is no realistic option, there is always the option to do an "official" opensource fork where many people contribute and many people do testing. And, let's give it a new name. But the trend to have multiple forks where one person per fork contributes code, and some people do testing does not make much sense (for us).

Or did I miss some basic news? Due to the fact it's so silent here and we have no problems with hMailserver, I'm not very often in this forum (which is paid by Martin, isn't it?). So excuse if I'm possibly not up to date.

AND this annotation is not meant to lower the respect for the dedication and work of all contributors, supporters and testers. Please don't misunderstand my posting. Thank you to all of you!

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-11 12:27

@Prisma
Refactoring the code til it works nicely with hMailServer isnt a easy task.Right now it raises over
200 compilation errors while LibreSSL just works and is more security focused. Its up to Martin but if the refactoring work isnt completed end of next Year, we have a major security Problem.

IMHO: With LibreSSL we have a realistic and easy way out of this mess.

The next Problem will be Visual Studio 2013.
It allready entered the state of EOL and runs in extended maintenance mode and we are stuck right now with it because Visual Studio 2015 and 2017 cant compile hMailServer and raises dozens of build errors.This one will not be as easy to solve as the OpenSSL/LibreSSL replacement.

prisma
Senior user
Senior user
Posts: 325
Joined: 2010-07-09 13:16

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by prisma » 2018-10-11 13:59

@dravion: the question is not whether your work is necessary or not. Of course it is, I think your analysis helps Martin to decide. If he runs better with libreSSL, here we go (or he should :D ). The basic question is more like: Is it realistic to wait for any kind of improvements in general? Especially regarding the EOL VS 2013 theme... What are Martins plans for the next years?

There are developers, supporters, testers and a lot of users, what else needs an open source project? Sad that all the knowledge and dedication isn't bundled into one agile improving project. In best case of course into the origin project. That's what I meant.

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-11 14:25

Thats right.But we need to know for example if LibreSSL can be used or if it throws any Errors. I informed Martin on Github about it and i think he will take a look into it.

User avatar
RvdH
Senior user
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by RvdH » 2018-10-12 02:04

I disagree, I think it is a very big plus the guys at OpenSSL finally try to get some things right, sticking with LibreSSL means we are stucked with the spaghetti code OpenSSL is finally trying to get rid off

For the long term, stick with OpenSSL...it only can get better!
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-10-12 05:27

Sorry, but i disagree.

OpenSSL has a terrible trackrecord regarding security. In fact its that bad that even Google decided to do its own fork after providing over 70 patches to get rid of the worst bugs.LibreSSL is developed and maintained by the OpenBSD Operating System Project Team, which is verry well known for its outstanding security trackrecord.The first thing the LibreSSL Project did was, to eliminate 90.000 Lines of dead or not longer needed code (for example things like Intel big endian 386, MS-DOS, Win 16-Bit, OS/2, VMS-Alpha, ect) without loosing any API/ABI comaptablilty.Regarding security features, the LibreSSL Team added allready verry valuable code quality improvements, as you can see in the list below:

A list about changes and improvements allready done by the LibreSSL Team

Memory related
-Buffer overflow protection (securing strlcpy, calloc, asprintf, reallocarray) calls in a safe and reliable way
-Crossplatform ASLR, NX bit and stack canaries Anti exploiting Compiler features are by default enabled
-Fixes for potential double free, including of explicit assignments of null pointer values
-Extra sanity checks (ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns)

Proactive measures
-Compiler options security Features are enabled by default (-Wall, -Werror, -Wextra, -Wuninitialized)
-LibreSSL is year 2038 compatible on all supported Platforms (Linux, Windows, MacOS, Linux, Unix + Multiple Compilers)
-In addition, explicit_bzero and bn_clear calls were added to prevent attackers from reading previously allocated memory

Cryptographie
-Changes for proper seeding of random number via replacements of insecure seeding practices
-Added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305)
-Adding of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength)

IMHO:
I think LibreSSL will add real value in terms of code quality and advanced security plus it doesnt forces us to change 1 line of code.We just need to change the Include and Library directory path in Visual Studio 2013 to get ready for build.
The Installer must changed (regardless if you use OpenSSL 1.1.x or LibreSSL because filenames of the DLL's had changed). In the Installer we just need to add libcrypto-1_1-x64.dll and libssl-1_1-x64 to receive a functioning hMailServer 5.6.8 Installer.

Hint: Its allready be done, you can test my proof of concept hMailServer 5.6.8 Installer with LibreSSL support
https://github.com/Dravion/hmailserver/ ... SL-x64.exe

References
Interview regarding why the OpenBSD forked LibreSSL
OpenSSL code beyond repair, claims creator of “LibreSSL” fork
https://arstechnica.com/information-tec ... essl-fork/

LibreSSL by Ted Unangst at BSDCon
https://www.youtube.com/watch?v=WFMYeMNCcSY

LibreSSL, almost Two Years Later - Brent Cook
https://www.youtube.com/watch?v=Yg3iPoZzt2Q

However:
I will continue to provide 64-Bit hMailServer Editions with the latest OpenSSL 1.0.2.x maintenance release
(as long as possible) plus a Edition with the latest LibreSSL support.Iam ok with a OpenSSL 1.1.x version but someone
needs to do the necessary hMailServer codechanges to get things going, but as you allready know, my favorive is LibreSSL :D

raidensnake
New user
New user
Posts: 11
Joined: 2018-09-22 10:26

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by raidensnake » 2018-11-26 22:01

Your links are dead as you deleted your repo.

User avatar
Dravion
Senior user
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: LibreSSL built of hMailServer 5.6.8 avaiable (request for testing)

Post by Dravion » 2018-11-26 23:44

For latest Innosetup x64 (Classic Installer) (shared) build use this Link (it comes with latest OpenSSL Libs)
https://github.com/hMailServer-ComDevs/ ... r/releases

For hMailServer x64 with LibreSSL 2.8.1 (static) use this Installer, but keep in mind the new MSI Installer isnt ready yet for
Production.Its works, but it doesnt cover the 1:1 functions of the Classic installer right now fully.
https://github.com/hMailServer-ComDevs/builds/releases

Keep in mind the following issues
1) If your want to use the Internal DB, your need to Install MS-SQL-CE 4 yourself
2) Your need to invoke the DBSetup.exe manually from the C:\Program Files\hMailServer\bin\DBSetup.exe at the end of setup.

ps:
The Installer will check if .NET 4.x redost is installed or not (needed for Clienttools) and Cancels the Install if it cannot be found.

Post Reply