OpenSSL 1.0.1h Fixes Serious Bug

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
mpfrench
Normal user
Normal user
Posts: 57
Joined: 2007-07-18 11:27

OpenSSL 1.0.1h Fixes Serious Bug

Post by mpfrench » 2014-06-05 21:04

Need to integrate OpenSSL 1.0.1h ASAP.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 00:26

mpfrench wrote:Need to integrate OpenSSL 1.0.1h ASAP.
Thx will work on getting a new experimental posted ASAP. In the meantime you can always use the special build I posted with openssl dynamically linked if need be.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 01:05

Ok posted:
http://www.hmailserver.com/forum/viewto ... 10&t=21420

2014-06-05 5.4-B2014060501
* IMPORTANT: This build has a LOT of extra debug logging but NOT shown by default. [Settings]LogLevel=10 for some extra to 100 for extremely verbose
* URGENT: Critical OpenSSL MitM vulnerability http://www.pcworld.com/article/2360560/ ... pying.html
* Upated hmailserver to openssl-1.0.1h
* FIX: Added new 250 Help as always last EHLO response to fix 250-STARTTLS gmail issue (Last in list MUST be space not dash)
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

mpfrench
Normal user
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mpfrench » 2014-06-06 01:54

Bill, your log date is off by a month.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 02:58

mpfrench wrote:Bill, your log date is off by a month.
are you sure? :D

Did you try it?
thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

mpfrench
Normal user
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mpfrench » 2014-06-06 03:10

Somebody corrected the date. It is OK now.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 04:33

mpfrench wrote:Somebody corrected the date. It is OK now.
lol yes i did ;)
Soo.. Did you actually try the new build since you were the one who pointed out the bug? ;)
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 07:55

So take it no one was excited that I posted up a new build so quickly? :(
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

mpfrench
Normal user
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mpfrench » 2014-06-06 16:03

I just installed the new build and will let you know how it does after it runs a while.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 16:30

mpfrench wrote:I just installed the new build and will let you know how it does after it runs a while.
Thx. Guess it's a good sign if it actually runs as I didn't test it at all. :) But yeah was curious if it'd actually start, if SSL still worked and if the openssl bug was fixed.

People must not be as concerned with this as heartbleed as seems less of a sense of urgency from people.
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

User avatar
mattg
Moderator
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mattg » 2014-06-06 16:37

This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.

Still very troubling though
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

prisma
Senior user
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by prisma » 2014-06-06 16:46

THX Bill for your fast response. I'll test it too.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-06 18:18

mattg wrote:This one had been in the wild for 15 years, and relies on a Man-in-the-middle type attack.

Still very troubling though
Indeed been around a long time but once exposed all bets are off as it'll be hot spot for attacks now. I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol
prisma wrote:THX Bill for your fast response. I'll test it too.
Ok great thanks.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

User avatar
mattg
Moderator
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mattg » 2014-06-07 02:09

Bill48105 wrote:I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol
Yes indeed...

To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.

I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.

So sorry, I can't help test this at the moment...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-07 02:32

mattg wrote:
Bill48105 wrote:I mean it's a 15 year old bug turned into a zero day vulnerability now that it's publicized lol
Yes indeed...

To be honest I gave up on SSL after the heartbleed stuff.
I would have to pay to revoke the StartSSL certificates that I was using, and well, if I'm going to pay, I'll buy a certificate up front from a company with some real customer service, not just attitude.

I haven't done that yet, as SSL isn't a complete solution to security or privacy issues.

So sorry, I can't help test this at the moment...
indeed. all boils down to what you are trying to protect from who. if someone wants yer stuff bad enough they will get it. so I figure it's for casual protection. sadly many people assume it protects more than it does but that's not our problem. ;)
cheers
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

User avatar
martin
Developer
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by martin » 2014-06-08 12:55

For what it's worth, a new release is now up which includes OpenSSL 1.0.1h

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-09 17:21

martin wrote:For what it's worth, a new release is now up which includes OpenSSL 1.0.1h
ok thanks martin
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

mpfrench
Normal user
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by mpfrench » 2014-06-13 14:14

Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: OpenSSL 1.0.1h Fixes Serious Bug

Post by Bill48105 » 2014-06-13 17:01

mpfrench wrote:Bill, I have been running your beta build for a week now without noticing any problems. I assume that this is equivalent to the latest production build that Martin released.
OK cool glad it's working. Actually the 2 builds are so out of sync these days in reality they are quite different. But you'd have to compare changelogs to see what changed in each & if they apply to you or not. For most people using either should be close enough to the same to not make a difference but for others it could be. Generally speaking though if things are working & you don't need feature that's in the other then stick with what you have. I use the experimental builds myself but then again they are my builds more suited for my needs too. ;)
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Post Reply