LibreSSL build of hMailServer 5.6.8 available (request for testing)
Hi,
As some of you already know, the OpenSSL 1.0.2.x series is outdated and will be replaced by the already available
OpenSSL 1.1.x branch. Unfortunately, the new branch breaks hMailServer's code and is redesigned in many ways.
Take a look if you are interested in the debate about this crap decision: https://github.com/openssl/openssl/issues/962
However, instead of migrating to the 1.1.x branch, I tested LibreSSL 2.8.1 (maintained and developed by the OpenBSD operating system project) and it compiles like a charm! IMHO LibreSSL's main focus is overall security and I think it's
a much more secure SSL library than the old OpenSSL 1.0.x and even the new OpenSSL 1.1.x branch.
I test-installed it with the internal MS-SQL-CE database, activated TLS/SSL support (STARTTLS and TLS/SSL)
and took a careful look at the logs, logged into a newly created email account with Thunderbird and noticed no
errors in the logs, and Thunderbird works normally.
But: Its a new feature and we should test it carefully! Any testing and feedback is appreciated.
Installer Download:
https://github.com/Dravion/hmailserver/ ... SL-x64.exe
Screenshot
Attachments:
- LibreSSL_Connection_Log_hmailserver_2018-10-08.7z (5.5 KiB) Downloaded 283 times
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
Did LibreSSL just bolt in with no changes to hMailserver code?
I would love to test, but I am addicted to the extra stuff that RvdH puts into their builds
http://www.hmailserver.com/forum/viewto ... 60#p203420
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
mattg wrote: ↑2018-10-08 15:14
Did LibreSSL just bolt in with no changes to hMailserver code?
I would love to test, but I am addicted to the extra stuff that RvdH puts into their builds
http://www.hmailserver.com/forum/viewto ... 60#p203420
That's correct. It doesn't need code changes, but I had to replace some path and file settings.
If RvdH has uploaded his changes to his own GitHub hMailServer repo, I can fetch it, compile it with LibreSSL and provide an installer.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
This one I think >> https://github.com/RvdHout/hmailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
I just received a message from the OpenSSL Team which reflects the situation that will affect hMailServer's
future development big time.
You can follow it in full length here: https://github.com/openssl/openssl/issu ... -427752560
So, all existing software must be rewritten just to be able to use 1.1.x?
Do you have any idea how many million lines of code are affected by this crap??
Yes, applications must be changed to use 1.1.x. This was not a change we made lightly or without an understanding of the impact on applications. It was much discussed both internally within the project and also in public forums over a long period. Largely speaking the user community has been very supportive of this change - although of course there are always people on both sides of the fence.
There are a number of problems with non-opaque structures:
- The internal members of structures become part of the API, which means it is impossible for us to make any changes to any of them. This in turn makes refactoring, changing, or even just bug fixing any OpenSSL code very difficult - meaning that the code tends to ossify over time.
- Changing the size or order of members in a structure has implications for ABI compatibility, further restricting our ability to maintain the code.
- It does not create a clear separation between internal implementation details and the application interface - meaning that applications tend to rely on specific implementation details. This makes applications brittle and further restricts the ability of the OpenSSL team to maintain the code.
- In order to deal with the above problems the OpenSSL maintainers were forced into tortuous contortions in the code in order to implement workarounds.
Making this change was necessary for us to have a healthy OpenSSL moving forwards. Without it, it would have been impossible for us to make major improvements to the code such as the state machine refactor. Implementing TLSv1.3 (as in 1.1.1) would have been extremely difficult (maybe impossible) without making this change. While it does require applications to make changes, the vast majority of those changes are quite straightforward and simple to do. Very many applications have already done so.
Conclusion
OpenSSL has decided to make radical changes in its new OpenSSL 1.1.x series, which is now already the new de facto
standard of the OpenSSL project. hMailServer mandatorily requires OpenSSL 1.0.2.x and cannot adapt and move on to the new OpenSSL version without major code changes (it simply doesn't compile anymore; you get over 200 compiler errors on
a syntax level (functions and structures cannot be found anymore) and no hMailServer.exe can be created anymore).
To make things worse:
OpenSSL 1.0.2.x will only be updated for a short time period because it is already marked as EOL and deprecated.
This will lead us into a situation where no new security vulnerabilities in OpenSSL 1.0.2.x will be fixed anymore and
hMailServer will suffer the consequences.
My response was:
That's no excuse. I just downloaded the latest version of LibreSSL 2.8.1, which was forked as a result of the Heartbleed security meltdown in OpenSSL, and to my surprise it works perfectly without changing one line of code of our codebase. Sorry OpenSSL Team, you messed it up again big time.
IMHO: I think we should stick with LibreSSL. It's more secure, doesn't force us to rewrite portions of hMailServer's SSL/TLS code and just works without any compromise.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
Dravion, yesterday I replaced my HMS at home with your x64 build (my first x64 HMS experience) and today once more with your LibreSSL version. Till this moment, not a single error or any other inconvenience. If this is the path to go, as you say, we go and see.
New year approaching; it could be a good warmup to consider an x64 version & new SSL/TLS support on our production site. Thanks a lot for your efforts.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
Please let me annotate following:
What does Martin say to those trends? OK, core development is slow. But to be honest, for us, hMailServer works pretty perfectly and the bug list is rather short in relation to other projects. OpenSSL 1.0.2.x is supported until 31.12.2019 from what I read. Let's give Martin a chance to refactor the OpenSSL integration until this date.
On the other hand: If you all say this is no realistic option, there is always the option to do an "official" open-source fork where many people contribute and many people do testing. And, let's give it a new name. But the trend to have multiple forks where one person per fork contributes code, and some people do testing, does not make much sense (for us).
Or did I miss some basic news? Due to the fact that it's so silent here and we have no problems with hMailServer, I'm not very often in this forum (which is paid for by Martin, isn't it?). So excuse me if I'm possibly not up to date.
AND this annotation is not meant to lower the respect for the dedication and work of all contributors, supporters and testers. Please don't misunderstand my posting. Thank you to all of you!
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
@Prisma
Refactoring the code till it works nicely with hMailServer isn't an easy task. Right now it raises over
200 compilation errors, while LibreSSL just works and is more security focused. It's up to Martin, but if the refactoring work isn't completed by the end of next year, we have a major security problem.
IMHO: With LibreSSL we have a realistic and easy way out of this mess.
The next problem will be Visual Studio 2013.
It has already entered the state of EOL and runs in extended maintenance mode, and we are stuck with it right now because Visual Studio 2015 and 2017 can't compile hMailServer and raise dozens of build errors. This one will not be as easy to solve as the OpenSSL/LibreSSL replacement.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
@dravion: the question is not whether your work is necessary or not. Of course it is; I think your analysis helps Martin to decide. If he runs better with LibreSSL, here we go (or he should). The basic question is more like: Is it realistic to wait for any kind of improvements in general? Especially regarding the EOL VS 2013 theme... What are Martin's plans for the next years?
There are developers, supporters, testers and a lot of users; what else does an open source project need? Sad that all the knowledge and dedication isn't bundled into one agile, improving project. In the best case of course into the origin project. That's what I meant.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
That's right. But we need to know, for example, if LibreSSL can be used or if it throws any errors. I informed Martin on GitHub about it and I think he will take a look into it.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
I disagree, I think it is a very big plus that the guys at OpenSSL finally try to get some things right; sticking with LibreSSL means we are stuck with the spaghetti code OpenSSL is finally trying to get rid of.
For the long term, stick with OpenSSL... it can only get better!
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
Sorry, but I disagree.
OpenSSL has a terrible track record regarding security. In fact it's so bad that even Google decided to do its own fork after providing over 70 patches to get rid of the worst bugs. LibreSSL is developed and maintained by the OpenBSD Operating System Project Team, which is very well known for its outstanding security track record. The first thing the LibreSSL Project did was to eliminate 90,000 lines of dead or no longer needed code (for example things like Intel big endian 386, MS-DOS, Win 16-Bit, OS/2, VMS-Alpha, etc.) without losing any API/ABI compatibility. Regarding security features, the LibreSSL Team has already added very valuable code quality improvements, as you can see in the list below:
A list of changes and improvements already done by the LibreSSL Team
Memory related
- Buffer overflow protection (securing strlcpy, calloc, asprintf and reallocarray calls in a safe and reliable way)
- Cross-platform ASLR, NX bit and stack canaries: anti-exploitation compiler features are enabled by default
- Fixes for potential double frees, including explicit assignments of null pointer values
- Extra sanity checks (ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns)
Proactive measures
- Compiler security options are enabled by default (-Wall, -Werror, -Wextra, -Wuninitialized)
- LibreSSL is year 2038 compatible on all supported platforms (Linux, Windows, MacOS, Unix + multiple compilers)
- In addition, explicit_bzero and bn_clear calls were added to prevent attackers from reading previously allocated memory
Cryptography
- Changes for proper seeding of random numbers via replacement of insecure seeding practices
- Added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305)
- Addition of elliptic curves (Brainpool curves from RFC 5639, up to 512 bits in strength)
IMHO:
I think LibreSSL will add real value in terms of code quality and advanced security, plus it doesn't force us to change one line of code. We just need to change the Include and Library directory paths in Visual Studio 2013 to get ready for build.
The installer must be changed (regardless of whether you use OpenSSL 1.1.x or LibreSSL, because the filenames of the DLLs have changed). In the installer we just need to add libcrypto-1_1-x64.dll and libssl-1_1-x64 to get a functioning hMailServer 5.6.8 installer.
Hint: It's already done, you can test my proof of concept hMailServer 5.6.8 installer with LibreSSL support:
https://github.com/Dravion/hmailserver/ ... SL-x64.exe
References
Interview regarding why OpenBSD forked LibreSSL: OpenSSL code beyond repair, claims creator of "LibreSSL" fork
https://arstechnica.com/information-tec ... essl-fork/
LibreSSL by Ted Unangst at BSDCon
https://www.youtube.com/watch?v=WFMYeMNCcSY
LibreSSL, almost Two Years Later - Brent Cook
https://www.youtube.com/watch?v=Yg3iPoZzt2Q
However:
I will continue to provide 64-bit hMailServer editions with the latest OpenSSL 1.0.2.x maintenance release
(as long as possible) plus an edition with the latest LibreSSL support. I am OK with an OpenSSL 1.1.x version, but someone
needs to do the necessary hMailServer code changes to get things going. But as you already know, my favorite is LibreSSL.
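Two of the hardening helpers named in the list above, reallocarray and explicit_bzero, re-implemented as an added example (this is not hMailServer's or LibreSSL's code; the function bodies and the constructed 32-byte key are this example's own) to show what each guards against: an nmemb*size product that wraps around to a tiny allocation, and a memset that the optimizer may drop because the buffer is never read again.

```c
/* Added example: portable re-implementations of two LibreSSL-style hardening
 * helpers. Names follow OpenBSD; the bodies here are the example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* reallocarray: like realloc(ptr, nmemb * size), but refuses a request whose
 * product would wrap past SIZE_MAX. A plain multiplication would silently hand
 * back a small block that the caller later overruns (a classic heap overflow). */
static void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    /* Only pay for the division when at least one operand is "large". */
    const size_t MUL_NO_OVERFLOW = (size_t)1 << (sizeof(size_t) * 4);
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* explicit_bzero: a memset the compiler may not elide as a dead store.
 * Going through a volatile function pointer forces the call to be emitted,
 * so key material is really overwritten before the buffer is released. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

static void safe_explicit_bzero(void *buf, size_t len)
{
    memset_ptr(buf, 0, len);
}

/* Returns 1 if the wrapping request was refused with ENOMEM, 0 otherwise. */
static int reallocarray_refuses_overflow(void)
{
    /* (SIZE_MAX/2 + 2) * 2 wraps around to 2: a 2-byte block for a huge array. */
    void *p = safe_reallocarray(NULL, SIZE_MAX / 2 + 2, 2);
    if (p) { free(p); return 0; }
    return errno == ENOMEM;
}

/* Returns 1 if an ordinary, non-wrapping request still succeeds. */
static int reallocarray_normal_ok(void)
{
    int *p = safe_reallocarray(NULL, 16, sizeof *p);
    if (!p) return 0;
    free(p);
    return 1;
}

/* Returns 1 if the constructed key is all zero after wiping. */
static int wipe_clears_secret(void)
{
    unsigned char key[32];
    memset(key, 0xA5, sizeof key);          /* constructed stand-in for a session key */
    safe_explicit_bzero(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0) return 0;
    return 1;
}

int main(void)
{
    printf("reallocarray refuses overflow: %d\n", reallocarray_refuses_overflow());
    printf("reallocarray normal request:   %d\n", reallocarray_normal_ok());
    printf("explicit_bzero cleared key:    %d\n", wipe_clears_secret());
    return 0;
}
```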
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
Your links are dead as you deleted your repo.
Re: LibreSSL build of hMailServer 5.6.8 available (request for testing)
For the latest Innosetup x64 (Classic Installer) (shared) build use this link (it comes with the latest OpenSSL libs):
https://github.com/hMailServer-ComDevs/ ... r/releases
For hMailServer x64 with LibreSSL 2.8.1 (static) use this installer, but keep in mind the new MSI installer isn't ready yet for
production. It works, but it doesn't fully cover the functions of the Classic installer 1:1 right now.
https://github.com/hMailServer-ComDevs/builds/releases
Keep in mind the following issues:
1) If you want to use the internal DB, you need to install MS-SQL-CE 4 yourself.
2) You need to invoke DBSetup.exe manually from C:\Program Files\hMailServer\bin\DBSetup.exe at the end of setup.
PS:
The installer will check whether the .NET 4.x redist is installed (needed for the client tools) and cancels the install if it cannot be found.