Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

Used version of OpenSSL

Last post 01-17-2018, 19:59 by Thomas Gohel. 15 replies.
  •  09-12-2015, 15:58

    • kwikzilver, Amsterdam - The Netherlands (joined 05-23-2008)

    Used version of OpenSSL

    Mercury32 v4.8 comes with OpenSSL v1.0.1l, which is already an eight-month-old version (Jan 15 2015). The current version of the 1.0.1 branch is v1.0.1p (Jul 9 2015).
    Knowing that OpenSSL has been suffering from some nasty security bugs over the last months, how are we supposed to upgrade the OpenSSL implementation of Mercury32 4.8?
    Is this just a matter of replacing the SSL DLLs libeay32.dll and ssleay32.dll with the latest versions?
    And would it not be better to use the 1.0.2 branch of OpenSSL (current version 1.0.2d)?
  •  09-12-2015, 16:15

    • Rolf Lindby, Stockholm, Sweden (joined 05-08-2007; BetaTeam Moderator, SystemAdministrator)

    Re: Used version of OpenSSL

    The choice of OpenSSL version was discussed during the release process, and David's comment was:

    Note that this release still uses OpenSSL v1.0.1l. I am in the process of building
    OpenSSL v1.0.1p and will make it separately available as an update; I am still
    unwilling to move to OpenSSL v1.0.2 until I am sure the compatibility issues it
    seems to have with major sites such as outlook.com are resolved one way or the
    other. On reading the release information for builds of OpenSSL later than the
    v1.0.1l build, I do not believe they involve any threats or vulnerabilities major
    enough to make it worth holding the v4.80 release any longer while we validate
    v1.0.1p.


  •  09-12-2015, 21:21

    • kwikzilver, Amsterdam - The Netherlands (joined 05-23-2008)

    Re: Used version of OpenSSL

    OK, thank you Rolf, that fully answers my question.
  •  02-18-2016, 17:50

    • beiley (joined 12-04-2007)

    Re: Used version of OpenSSL

    Is this update David mentioned available somewhere?  I'd like to get a later version of OpenSSL to see if it fixes some SSL delivery issues I've seen:

     http://community.pmail.com/forums/thread/45424.aspx

    http://community.pmail.com/forums/thread/44865.aspx 

  •  12-26-2017, 11:12

    • kwikzilver, Amsterdam - The Netherlands (joined 05-23-2008)

    Re: Used version of OpenSSL

    Hi, sorry for coming back to this two-year-old post, but is there any news about upgrading (at least) OpenSSL to a more vulnerability-free version?
    This is the OpenSSL page about patched vulnerabilities:
    https://www.openssl.org/news/vulnerabilities.html
    It is clear that since version v1.0.1l many vulnerabilities have been patched in OpenSSL.

    I am using Mercury32 v4.80 (which is the current version), and this still comes with OpenSSL v1.0.1l.
    Version 1.0.1 of OpenSSL is out of support, so it should not be used anymore. The current versions of OpenSSL at the moment are 1.0.2n and 1.1.0g.
    I cannot find any info on the Mercury websites about newer OpenSSL versions being used. Has even the mentioned upgrade to version v1.0.1p never been released?

    So again my original question: is it a good idea to upgrade OpenSSL myself in Mercury32? Does anyone else have experience with doing this?
    With some implementations of OpenSSL (like Stunnel) I have had good experiences with manually upgrading just the main OpenSSL files, so I tried it myself with Mercury32 as well, and up to now it appears to be working.
    What I did was replace the following files in the MERCURY folder with the same files from a more recent version of OpenSSL (v1.0.2m in this case):
    • openssl.exe
    • ssleay32.dll
    • libeay32.dll
    The SMTP server still accepts messages through TLS from my main e-mail counterparts, but I will keep a close eye on the server to ensure that everything still works.
    Any comments / suggestions on this?

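An added example for the situation described in the post above (DLLs swapped, now "keep a close eye on the server"): a small client that does EHLO, STARTTLS and a second EHLO against the Mercury SMTP listener and reports the protocol, cipher suite and certificate that were actually negotiated. This is example code written for this thread, not anything shipped with Mercury or OpenSSL; the host name, the port and the "weak cipher" policy in it are assumptions. The same handshake can be eyeballed with the openssl.exe that was just replaced, using `openssl s_client -starttls smtp -connect host:25`.

```python
"""After swapping Mercury's OpenSSL DLLs, confirm from the outside what the
SMTP listener now negotiates: protocol, cipher suite and certificate.
Added example for this thread; not Mercury's own tooling.
Usage: python smtp_tls_check.py mail.example.net 25"""
import smtplib
import ssl
import sys

# Assumed local policy for this example: anything below TLS 1.2, legacy
# cipher families, short keys and non-ephemeral key exchange get flagged.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def assess(protocol, cipher_name, bits):
    """Findings for a negotiated (protocol, cipher suite, symmetric key bits) triple."""
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append("protocol %s is obsolete; OpenSSL 1.0.2 can do TLSv1.2" % protocol)
    if any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append("cipher %s belongs to a weak family" % cipher_name)
    if bits < 128:
        findings.append("only %d-bit symmetric key" % bits)
    # Every TLS 1.3 suite is forward secret; below that only (EC)DHE suites are.
    if protocol != "TLSv1.3" and not cipher_name.startswith(("ECDHE-", "DHE-")):
        findings.append("cipher %s gives no forward secrecy" % cipher_name)
    return findings


def check_starttls(host, port=25, helo_name="tlscheck.invalid", verify=True):
    """EHLO, STARTTLS, re-EHLO (as RFC 3207 requires), then report what was
    negotiated. Returns {'error': ...} if the server offers no STARTTLS."""
    ctx = ssl.create_default_context()
    if not verify:                      # e.g. a self-signed certificate on a test box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return {"error": "server does not advertise STARTTLS"}
        smtp.starttls(context=ctx)      # smtp.sock is an SSLSocket from here on
        smtp.ehlo(helo_name)
        name, _, bits = smtp.sock.cipher()
        cert = smtp.sock.getpeercert() if verify else {}
        report = {
            "protocol": smtp.sock.version(),
            "cipher": name,
            "bits": bits,
            "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
            "not_after": cert.get("notAfter"),
        }
        report["findings"] = assess(report["protocol"], name, bits)
        return report


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in check_starttls(host, port).items():
        print("%-10s %s" % (key, value))
```

Run it against port 25 (and 587 if Mercury's submission listener is enabled) from a machine that can reach the server; with the default context the certificate is verified against the system trust store, so a failed verification shows up as an SSL error rather than a report.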
  •  01-01-2018, 10:57

    • Sellerie (joined 04-10-2014)

    Re: Used version of OpenSSL

    Cool, thanks for testing.
  •  01-01-2018, 12:08

    AW: Re: Used version of OpenSSL

    kwikzilver:
    Any comments / suggestions on this?

    Which matching VC version do we need for the OpenSSL binaries? I think Mercury is compiled with VC11, right?


  •  01-07-2018, 19:55

    Re: Used version of OpenSSL

    Mercury has worked without any problems for the last 10 days with:

        OpenSSL 1.0.2n VC11 & VC14 builds

    I used the Apache/Win32 OpenSSL libraries (libeay32.dll, ssleay32.dll & openssl.exe) from the Apachelounge project (Apache/Win32 v2.4.29 VC11 and VC14 builds).

    Note: The current VC11 or VC14/15 redistributable must be installed (Mercury was compiled with VC9)

  •  01-08-2018, 14:05

    • Joerg, German Baltic Sea Coast (joined 03-25-2008)

    Re: Used version of OpenSSL

    Hi Thomas,

    Very interesting. Thanks for your effort. Unfortunately I'm not very skilled in encryption stuff. TLS in Mercury 4.8 works fine so far with German ISP mail accounts, and that's why I didn't care anymore about the SSL version etc. But nowadays, when another security bug appears nearly each week, I'm more and more interested in all security-improving things.

    Could you explain what "VC11 or VC14/15 have to be installed first" means? Our Mercury 4.80 is running on a Windows Server 2016 64-bit machine. What do I have to do, besides replacing the two DLLs and the openssl.exe? I didn't find any information about "VC" on the OpenSSL website.

    Greetings

    Joerg

  •  01-09-2018, 16:09

    AW: Re: Used version of OpenSSL

    Hello Jörg,

    Joerg:
    But nowadays, when another security bug appears nearly each week, I'm more and more interested in all security-improving things

    The OpenSSL version from the Apachelounge project is always up to date and has worked here for almost 2 weeks, including a valid LetsEncrypt certificate.

    Joerg:
    Could you explain what "VC11 or VC14/15 have to be installed first" means? Our Mercury 4.80 is running on a Windows Server 2016 64-bit machine. What do I have to do, besides replacing the two DLLs and the openssl.exe? I didn't find any information about "VC" on the OpenSSL website.

    I'm making it very easy for myself now and just refer to the Apachelounge page (http://www.apachelounge.com/download/); I could not write the instructions any better. Since I use Apache as a web server, it was natural for me to use the OpenSSL files from Apache for Mercury too.

    The three OpenSSL files are located in the Apache\bin directory.

    PS: Where is your lighthouse, actually?

  •  01-09-2018, 17:12

    • Brian Fluet, North Carolina, USA (joined 12-24-2014)

    Re: AW: Re: Used version of OpenSSL

    In summary, as I understand it, the three files get extracted from the Apache/bin directory of the Apache 2.4.29 Win64 or Win32 downloaded zip file and Microsoft Visual C++ Redistributable for Visual Studio 2017 must be installed on the machine.  Sounds too easy.

    It's a little bit bothersome that my Mercury PC has Visual C++ 2005,2008,2010,2012,2013,& 2015 already installed on it.  Anyone know of a way to identify app dependencies so as to remove the unneeded ones?


  •  01-09-2018, 17:27

    AW: Re: AW: Re: Used version of OpenSSL

    Hello Brian,

    Brian Fluet:
    In summary, as I understand it, the three files get extracted from the Apache/bin directory of the Apache 2.4.29 Win64 or Win32 downloaded zip file and Microsoft Visual C++ Redistributable for Visual Studio 2017 must be installed on the machine.  Sounds too easy.

    Yes, it's really that easy: Download the current Apache/Win32 version, install the relevant redistributable (VC11 or VC14) and then simply replace the three OpenSSL files in Mercury.

    Brian Fluet:
    It's a little bit bothersome that my Mercury PC has Visual C++ 2005,2008,2010,2012,2013,& 2015 already installed on it.  Anyone know of a way to identify app dependencies so as to remove the unneeded ones?

    I think it's not worth the effort. The MS Visual C++ runtime is used by many programs (Apache, PHP, FileZilla, MySQL and more). On the other hand, the redistributables are relatively small compared to .NET and other frameworks.

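Two questions in this thread are really the same question: "which VC version do the OpenSSL binaries need?" (01-01-2018) and "is there a way to identify app dependencies?" (Brian, above). Both are answered by the binary itself: the PE import table names the C runtime DLL it was linked against (msvcr90.dll for VC9/2008, msvcr110.dll for VC11/2012, vcruntime140.dll plus the api-ms-win-crt-* set for VC14/2015 and later), which is exactly the redistributable that has to be present. The script below is an added example written for this thread, not Mercury or OpenSSL code; it parses the import directory with nothing but the standard library, so it works on any machine. It also reports the Machine field, which matters here: Mercury32 is a 32-bit process and can only load the Win32 (x86) builds of the DLLs, not the Win64 ones. The `build_minimal_pe` helper only constructs test input and is not needed for real files.

```python
"""Read the import table of a Windows PE file to see which Microsoft C
runtime it links against, and hence which Visual C++ redistributable it
needs. Added example for this thread; it is not Mercury or OpenSSL code.
Usage: python pe_crt.py libeay32.dll ssleay32.dll openssl.exe mercury.exe"""
import struct
import sys

# Runtime DLL -> toolset. "VC9" etc. follows the numbering used in the
# thread (VC9 = Visual C++ 2008, VC11 = 2012, VC14 = 2015 and later).
CRT_TOOLSETS = {
    "msvcr90.dll": "VC9 (Visual C++ 2008)",
    "msvcr100.dll": "VC10 (Visual C++ 2010)",
    "msvcr110.dll": "VC11 (Visual C++ 2012)",
    "msvcr120.dll": "VC12 (Visual C++ 2013)",
    "vcruntime140.dll": "VC14 (Visual C++ 2015/2017/2019)",
    "msvcrt.dll": "system msvcrt.dll (MinGW-style build, no redistributable)",
}
MACHINES = {0x14C: "x86", 0x8664: "x64"}


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def _headers(data):
    """Return (coff_header_offset, optional_header_offset) after validating MZ/PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew + 4, e_lfanew + 24


def machine_type(data):
    """'x86' or 'x64' from the COFF Machine field (32-bit Mercury needs x86 DLLs)."""
    coff, _ = _headers(data)
    return MACHINES.get(struct.unpack_from("<H", data, coff)[0], "other")


def imported_dlls(data):
    """DLL names from the import directory of a PE32 or PE32+ image."""
    coff, opt = _headers(data)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}[magic]      # data directories: PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]  # entry 1 = imports
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    off = _rva_to_offset(import_rva, sections) if import_rva else None
    while off is not None:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                         # all-zero terminator
            break
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20
    return names


def crt_toolset(dll_names):
    """Which VC runtime(s) the listed imports imply."""
    lower = [n.lower() for n in dll_names]
    hits = [CRT_TOOLSETS[n] for n in lower if n in CRT_TOOLSETS]
    if not hits and any(n.startswith("api-ms-win-crt-") for n in lower):
        hits.append("VC14 (Universal CRT)")
    return hits or ["no C runtime import found"]


def build_minimal_pe(dll_names, machine=0x14C):
    """Constructed test input: a tiny PE32 image containing only an import
    directory that names `dll_names`. Not loadable, just parseable."""
    sec_va, sec_raw = 0x1000, 0x200
    name_off = (len(dll_names) + 1) * 20
    descs = b""
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_va + name_off, 0)
        name_off += len(n) + 1
    descs += b"\0" * 20                                       # terminating descriptor
    section = descs + b"".join(n.encode("ascii") + b"\0" for n in dll_names)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<IIII", 0, 0, sec_va, len(descs)) + b"\0" * 112
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x2102) + opt
           + b".idata\0\0" + struct.pack("<IIII", len(section), sec_va, len(section), sec_raw) + b"\0" * 16)
    return hdr + b"\0" * (sec_raw - len(hdr)) + section


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, machine_type(blob), ", ".join(crt_toolset(imported_dlls(blob))))
```

Run it over the three OpenSSL files and over mercury.exe itself: the DLLs tell you which redistributable to install, and a mismatch between the runtimes is harmless here because libeay32/ssleay32 carry their own CRT dependency rather than sharing Mercury's. Do not remove a redistributable on the strength of this alone; other programs on the box may import it.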
  •  01-09-2018, 17:46

    • Joerg, German Baltic Sea Coast (joined 03-25-2008)

    Re: AW: Re: AW: Re: Used version of OpenSSL

    Hi Thomas,

    Now I understand. VC means Visual C++ Redistributable Package. Couldn't see the forest for the trees.

    The lighthouse is only a beacon and stands on the eastern pier head in Rostock Warnemuende.

    Regards

    Joerg

  •  01-16-2018, 23:27

    • kwikzilver, Amsterdam - The Netherlands (joined 05-23-2008)

    Re: AW: Re: AW: Re: Used version of OpenSSL

    Thanks for all the replies to this.


    My Mercury server has been working OK for four weeks now with SSL, using the OpenSSL 1.0.2m binaries that come with the Win32 Stunnel installer version 5.44 (https://www.stunnel.org/downloads.html).
    I don't know how to check which VC version was used for compiling Stunnel, but on my server (Windows 10 x64) only the VC++ 2008 v9.0.30729.6161 redistributable is installed, so probably it is the same for Stunnel?

    But to be honest: I am not sure whether only replacing these three files is enough to ensure working with an up-to-date, security hardened OpenSSL implementation.
    Should the Mercury32 binaries themselves not also be updated to be working with the updated OpenSSL implementation?
    Hopefully someone closely involved with the Mercury development will react on this.

    Another concern: the login page of this forum (and in fact the whole pmail website including downloads page) is not yet secured through HTTPS.
    That is really bad nowadays, so that should really be solved.
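On the question raised above of whether swapping the three files is enough, or whether the Mercury binaries themselves would also need rebuilding: what makes the swap work is that OpenSSL kept the 1.0.x line binary-compatible, so a 1.0.2 libeay32.dll/ssleay32.dll exports the same entry points a program built against 1.0.1 links to. The 1.1.0 line is a different story: the DLLs were renamed (libcrypto-1_1.dll, libssl-1_1.dll), the structures were made opaque and 1.0.x entry points such as SSL_library_init and SSLeay became macros over new functions, so a 1.1.0 build cannot be dropped in, whatever the files are renamed to. The script below is an added example for this thread (not Mercury's code) that loads the two DLLs from the MERCURY folder the way Mercury would, reports the version they really are, and checks that a handful of 1.0.x entry points still resolve. The symbol list is my choice of well-known 1.0.x exports, not a list of what Mercury itself calls, so a clean result proves the ABI is the expected one, not that every Mercury code path has been exercised.

```python
"""Report which OpenSSL the swapped-in libeay32.dll / ssleay32.dll are and
whether they still export 1.0.x entry points. Added example for this thread;
not part of Mercury. Run it from the MERCURY folder with a 32-bit Python,
because Mercury32 and its DLLs are 32-bit and a 64-bit process cannot load
them (the loader reports an OSError, which is returned as 'error')."""
import ctypes

# Well-known OpenSSL 1.0.x exports (assumed list for this check, not
# Mercury's actual import list). SSL_library_init and SSLeay are real
# functions in 1.0.x but macros in 1.1.0, so they mark the ABI boundary.
CRYPTO_SYMBOLS = ("SSLeay", "SSLeay_version", "ERR_get_error", "EVP_get_cipherbyname")
SSL_SYMBOLS = ("SSL_library_init", "SSL_CTX_new", "SSLv23_method", "SSL_connect", "SSL_accept")
RELEASE_STATUS = 0xF                          # low nibble of the version number
SSLEAY_VERSION = 0                            # argument selecting the banner string


def decode_version(num):
    """Turn OpenSSL's MNNFFPPS version number into the familiar string,
    e.g. 0x100020ef -> '1.0.2n'. The patch byte is a letter index."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status != RELEASE_STATUS:
        text += "-beta%d" % status
    return text


def missing_exports(lib, symbols):
    """Names in `symbols` that `lib` does not export (ctypes raises on lookup)."""
    return [s for s in symbols if not hasattr(lib, s)]


def inspect_openssl(crypto_path="libeay32.dll", ssl_path="ssleay32.dll"):
    """Load both DLLs, confirm the 1.0.x exports, and read the version."""
    try:
        libcrypto = ctypes.CDLL(crypto_path)
        libssl = ctypes.CDLL(ssl_path)        # depends on libeay32, resolved by the loader
    except OSError as exc:
        return {"error": str(exc)}
    missing_c = missing_exports(libcrypto, CRYPTO_SYMBOLS)
    missing_s = missing_exports(libssl, SSL_SYMBOLS)
    result = {"missing_crypto": missing_c, "missing_ssl": missing_s,
              "drop_in_abi": not (missing_c or missing_s)}
    if "SSLeay" not in missing_c and "SSLeay_version" not in missing_c:
        libcrypto.SSLeay.restype = ctypes.c_long
        libcrypto.SSLeay_version.restype = ctypes.c_char_p
        libcrypto.SSLeay_version.argtypes = [ctypes.c_int]
        result["version"] = decode_version(libcrypto.SSLeay())
        result["banner"] = libcrypto.SSLeay_version(SSLEAY_VERSION).decode()
    return result


if __name__ == "__main__":
    for key, value in inspect_openssl().items():
        print("%-14s %s" % (key, value))
```

For the thread's numbers: 1.0.1l is 0x100010cf, 1.0.2m is 0x100020df and 1.0.2n is 0x100020ef, so the "version" line is what tells you the copy really changed. If "banner" still says 1.0.1l after the swap, a second copy of the DLLs earlier in the search path is being picked up instead of the ones in the MERCURY folder.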

Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page