Hi, i will share you my Website, where you can Download the latest OpenSSL 1.0.2x for your Mercury. Many Binary Builders switching to OpenSSL 1.1.1x so its hard to find the old LTS Version. My Build is Compiled with standard options of Openssl and is full compatible exept of the HEARTBEATS option wich is disabled. Just Download the ZIP and copy the 3 Files inside the BIN Directory, to your Mercury Folder. You have to use the VC-32 Version.

https://www.bk-net.tk/?cat=15 < Normal Build

https://www.bk-net.tk/?p=1206 < Special Mercury Build (without sslv2, sslv3 and rc4) 

Mercury32 v4.8 comes with OpenSSL v1.0.1l which is already an eight months old version (Jan 15 2015). Current version of the 1.0.1 branch is v1.0.1p (Jul 9 2015).
Nowing that OpenSSL has been suffering from some nasty security bugs over the last months, how are we supposed to upgrade the OpenSSL implementation of Mercury32 4.8?
Is this just a matter of replacing the SSL dlls libeay32.dll and ssleay32.dll with the latest versions?
And would it not be better to use the 1.0.2 branch of OpenSSL (current version 1.0.2d)?

The choice of OpenSSL version was discussed during the release process, and David's comment was:

Note that this release still uses OpenSSL v1.0.1l. I am in the process of

building

OpenSSL v1.0.1p and will make it separately available as an update; I am

still

unwilling to move to OpenSSL v1.0.2 until I am sure the compatibility

issues it

seems to have with major sites such as outlook.com are resolved one way or

the

other. On reading the release information for builds of OpenSSL later than

the

v1.0.1l build, I do not believe they involve any threats or vulnerabilities

major

enough to make it worth holding the v4.80 release any longer while we

validate

v1.0.1p.

OK, thank you Rolf, that fully answers my question.

Is this update David mentioned available somewhere?  I'd like to get a later version of OpenSSL to see if it fixes some SSL delivery issues I've seen:

 http://community.pmail.com/forums/thread/45424.aspx

http://community.pmail.com/forums/thread/44865.aspx 

Hi, sorry for coming back on this two years old post, but is there any news about upgrading (at least) OpenSSL to a more vulnerability-free version?
This is the OpenSSL page about patched vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html
It is clear that since version v1.0.1l many vulnerabilities have been patched in OpenSSL.

I am using Mercury32 v4.80 (which is the current version), and this still comes with OpenSSL v1.0.1l.
Version 1.0.1 of OpenSSL is out of support, so should not be used anymore. Current versions of OpenSSL are at the moment 1.0.2n and 1.1.0g.
I cannot find any info on the Mercury websites about newer OpenSSL versions being used. Even the mentioned upgrade to version v1.0.1p has never been released?

So again my original question: is it a good idea to upgrade OpenSSL myself in Mercury32? Has someone else experience in doing this?
With some implementations of OpenSSL (like Stunnel) I have good experiences with manually upgrading just the main OpenSSL files, so I tried it myself with Mercury32 as well, and up to now it appears to be working.
What I did was replacing the following files in the MERCURY folder with the same files from a more recent version of OpenSSL (v1.0.2m in this case).

• openssl.exe
• ssleay32.dll
• libeay32.dll

Cool, thanks for testing.

[quote user="kwikzilver"]Any comments / suggestions on this?[/quote]

 Mercury works without any problems in the last 10 days with:

    OpenSSL 1.0.2n VC11 & VC14 builds

I used the Apache/Win32 OpenSSL libraries (libeay32.dll, ssleay32.dll & openssl.exe) from the Apachelounge project (Apache/Win32 v2.4.29 VC11 and VC14 builds).

Note: The current VC11 or VC14/15 redistributable must be installed (Mercury was compiled with VC9)

Hi Thomas,

Very interesting. Thanks for your effort. Unfortunately I'm not very skilled in encryption stuff. TLS of Mercury 4.8 works fine so far with German ISP provider mail accounts. And that's why I didn't care anymore about the SSL version etc. But nowadays, where another security bug appears nearly each week, I'm more and more interested in all security-improving things.

Could you explain, what does it mean "VC11 or VC14/15 have to be installed firstly"? Our Mercury 4.80 is working on a Windows Server 2016 64 bit machine. What I have to do, beside replacing the two dlls and the openssl.exe? I didn't find any information about "VC" at the OpenSSL website.

Greetings

Joerg

[quote user="Joerg"]But nowadays, where another security bug appears nearly each week, I'm more and more interested in all security-improving things[/quote]

 The OpenSSL

version of the Apachelounge project is always up to date and works here

for almost 2 weeks, including a valid LetsEncrypt certificate.

[quote user="Joerg"]Could you explain, what does it mean "VC11 or VC14/15 have to be installed firstly"? Our Mercury 4.80 is working on a Windows Server 2016 64 bit machine. What I have to do, beside replacing the two dlls and the openssl.exe? I didn't find any information about "VC" at the OpenSSL website.[/quote]

 I'm making it very easy now and just refer to the page of Apachelounge, I could not write the instructions better. Since I used the Apache as a web server, it was natural for me to use the OpenSSL files from Apache for Mercury too [:)]

The three OpenSSL files are located in the Apache\bin directory

PS: Wo steht eigentlich Dein Leuchtturm ;-)

Hallo Jörg,

[quote user="Joerg"]But nowadays, where another security bug appears nearly each week, I'm more and more interested in all security-improving things[/quote]

The OpenSSL version of the Apachelounge project is always up to date and works here for almost 2 weeks, including a valid LetsEncrypt certificate.

[quote user="Joerg"]Could you explain, what does it mean "VC11 or VC14/15 have to be installed firstly"? Our Mercury 4.80 is working on a Windows Server 2016 64 bit machine. What I have to do, beside replacing the two dlls and the openssl.exe? I didn't find any information about "VC" at the OpenSSL website.[/quote]

I'm making it very easy now and just refer to the page of Apachelounge (http://www.apachelounge.com/download/), I could not write the instructions better. Since I used the Apache as a web server, it was natural for me to use the OpenSSL files from Apache for Mercury too [:)]

The three OpenSSL files are located in the Apache\bin directory.

PS; Wo steht Dein Leuchtturm? [:)]

In summary, as I understand it, the three files get extracted from the Apache/bin directory of the Apache 2.4.29 Win64 or Win32 downloaded zip file and Microsoft Visual C++ Redistributable for Visual Studio 2017 must be installed on the machine.  Sounds too easy.

It's a little bit bothersome that my Mercury PC has Visual C++ 2005,2008,2010,2012,2013,& 2015 already installed on it.  Anyone know of a way to identify app dependencies so as to remove the unneeded ones?

Hello Brian,

 [quote user="Brian Fluet"]In summary, as I understand it, the three files get extracted from the Apache/bin directory of the Apache 2.4.29 Win64 or Win32 downloaded zip file and Microsoft Visual C++ Redistributable for Visual Studio 2017 must be installed on the machine.  Sounds too easy.[/quote]

 Yes, that's really easy: Download the

current Apache/Win32 version, install the relevant redistributable (VC

11 or VC14) and then simply replace the three OpenSSL files in Mercury.

 [quote user="Brian Fluet"]It's a little bit bothersome that my Mercury PC has Visual C++ 2005,2008,2010,2012,2013,& 2015 already installed on it.  Anyone know of a way to identify app dependencies so as to remove the unneeded ones?

[/quote]

I think it's not worth the effort. MS Visual Studio is used by many programs (Apache, PHP, FileZilla, MySQL and more). On the other hand, the redistributables are relatively small relative to .Net and other frameworks.

Hi Thomas,

Now I understand. VC means Visual C++ Redistributional Package. Didn't see the tree in the forest.

Der Leuchtturm ist nur ein Leuchtfeuer und steht auf dem oestlichen Molenkopf in Rostock Warnemuende.

Gruss

Joerg 

Thanks for all the replies to this.

My Mercury server is working OK now for four weeks with SSL, using the OpenSSL binaries version 1.0.2m that come with the win32 Stunnel installer version 5.44 (https://www.stunnel.org/downloads.html)
I don't know how to check the used VC version for compiling Stunnel, but on my server (Windows 10 x64) there is only VC++ 2008 v9.0.30729.6161 re-distributable installed, so probably it is the same for Stunnel?

But to be honest: I am not sure whether only replacing these three files is enough to ensure working with an up-to-date, security hardened OpenSSL implementation.
Should the Mercury32 binaries themselves not also be updated to be working with the updated OpenSSL implementation?
Hopefully someone closely involved with the Mercury development will react on this.

Another concern: the login page of this forum (and in fact the whole pmail website including downloads page) is not yet secured through HTTPS.
That is really bad nowadays, so that should really be solved.

[quote user="kwikzilver"]I don't know how to check the used VC version for compiling Stunnel[/quote]

The VC version is only important for installing the appropriate redistributables. But after the stunnel installation this should fit.

 
[quote user="kwikzilver"]But to be honest: I am not sure whether only replacing these three files is enough to ensure working with an up-to-date, security hardened OpenSSL implementation.
Should the Mercury32 binaries themselves not also be updated to be working with the updated OpenSSL implementation?[/quote]

After the

OpenSSL update remains a problem: It is not possible to disable SSLv3 or

specifically to enable TLS for some mail servers (Connection Control

Settings).

The complete shutdown of SSLv3

should lead to many connection problems, because there are still enough

broken mail servers in the world.