Community Discussions and Support
TLS 1.0 and TLS 1.1 discontinued

My mail provider has informed me that Pegasus is using TLS 1.0 or 1.1 when connecting via POP and SMTP. Those protocols will be discontinued in the next few weeks and it will cut Pegasus off any eMail exchange.
The minimum standard is TLS 2.0.


I can not find any setting in Pegasus where you could select the version of TLS. The only setting I can find is where you can select DirectSSL.


Any help or advice?
Thank you



> The minimum standard is TLS 2.0.

First of all there is no TLS 2.0, the most recent version is 1.3: https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development. Furthermore: Which version of Pegasus Mail do you use? Since v4.8.0 it incorporates OpenSSL 1.1.1 which supports all protocols including TLS 1.3: https://en.wikipedia.org/wiki/OpenSSL#Major_version_releases. Here's the respective quote from Pegasus Mail's What's new? section (released in February 2022):



> **Significant new OpenSSL build** This version includes OpenSSL 1.1.1k, which is the absolute current version at the time of release. Moving to OpenSSL 1.1.1 is an important long-term functionality update that will keep Pegasus Mail in step with connection security for a long time.



			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C
edited Mar 16 '23 at 2:22 pm

Hi Michael,


Many thanks for the info, that's quite helpful.
I actually meant 1.2, the 2.0 was a typo.


It looks that I just have to update.
Thanks again!



Be advised of the following issues in v4.80:


  1. The v4.80 spell checker is broken for user added words. Those words are supposed to be stored in USRDICT5.PMD but that file gets emptied each time the spell checker is invoked. User saved words are lost after upgrading to 4.80 and running the spell check. Attempts to add words fail. The workaround is mark the USRDICT5.PMD file as read-only so that it can't be modified. If its content has already been deleted, restore an old USRDICT5.PMD file from backup and mark it read-only.

  2. Multiple issues with IERenderer that can be fixed with an update. You should do this as soon as possible. The current version is available here: https://www.pmpgp.de/renderer/IERenderer.zip



Attn: Michael
Pmail implemented is Open SSL 1.1.1.
Since there is also OpenSSL 3.01(latest), can you shed a light on this. OpenSSL recommend this version to install together with V1.1.1. Is this an issue for Pmail?


Thank you



If you understand any of the [Fips](https://en.wikipedia.org/wiki/OpenSSL#FIPS_140_validation) related section you would have the answer, I don't (except for being about certification).
			Michael
edited Mar 17 '23 at 3:11 pm

For Info. Don't know if it would make a difference.
Long ago, I had issues with an older version of Pegasus version of ssl.
I opted to try using stunnel to handle the connection.


```
stunnel -help
Initializing inetd mode configuration
stunnel 5.69 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 3.0.8 7 Feb 2023
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
```


Requires setting up an stunnel.conf to have pegasus use a local port that stunnel uses to connect to the ssl port, so Pegasus thinks it is a non-ssl port.


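My stunnel.conf for my gmail and local isp connections.

```
; Gmail POP3: local plain-text port 20995, TLS to port 995
[gmailpop]
client=yes
accept = 127.0.0.1:20995
connect = pop.gmail.com:995
debug = 3

; Gmail SMTP: local plain-text port 20465, TLS to port 465
[gmailsmtp]
client=yes
accept = 127.0.0.1:20465
connect = smtp.gmail.com:465
debug = 3

; Gmail IMAP: local plain-text port 20993, TLS to port 993
[gmailimap]
client=yes
accept = 127.0.0.1:20993
connect = imap.gmail.com:993
debug = 3

; Local ISP POP3: local plain-text port 20996, TLS to port 995
[guampop]
client=yes
accept = 127.0.0.1:20996
connect = mail.guam.net:995
debug = 3

; Local ISP SMTP: local plain-text port 20466, TLS to port 465
[guamsmtp]
client=yes
accept = 127.0.0.1:20466
connect = smtp1.guam.net:465
debug = 3
```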


The help shows Pegasus 4.80 upgraded to 1.1.1k.


Know there is windows versions of stunnel and it loads the openssl stuff (I believe)


I run Pegasus under Linux using wine, but should be same.
The versions I currently have are:
openssl1.1-1.1.1q-1.fc36.x86_64
openssl-libs-3.0.8-1.fc36.x86_64
openssl-3.0.8-1.fc36.x86_64
openssl-devel-3.0.8-1.fc36.x86_64
openssl-libs-3.0.8-1.fc36.i686


Pegasus used to have separate dll files that could be updated, but now I believe they are included in the build. So only a new version of Pegasus can update them inside.


Don't know if that gives any information you can use. Good Luck.



mikes@guam.net
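
An added example, not part of the original post or of stunnel itself: a Python check over an stunnel.conf of the kind posted above, reporting client services that neither set a minimum TLS version nor verify the server certificate. The sample config is constructed, `parse_stunnel` and `audit_stunnel` are hypothetical names and the CAfile path is an assumption; `sslVersionMin`, `verifyChain`, `verifyPeer`, `checkHost` and `CAfile` are stunnel options.

```python
# Constructed sample: [gmailpop] mirrors the posted style; [gmailsmtp] adds
# stunnel's sslVersionMin, verifyChain, CAfile and checkHost options.
SAMPLE_CONF = """\
; constructed sample; the CAfile path is an assumption (Fedora CA bundle)
debug = 3
[gmailpop]
client = yes
accept = 127.0.0.1:20995
connect = pop.gmail.com:995
[gmailsmtp]
client = yes
accept = 127.0.0.1:20465
connect = smtp.gmail.com:465
sslVersionMin = TLSv1.2
verifyChain = yes
CAfile = /etc/pki/tls/certs/ca-bundle.crt
checkHost = smtp.gmail.com
"""
OK_MIN = {"tlsv1.2", "tlsv1.3"}

def parse_stunnel(text):
    """Return (global_options, {service: options}); option names lower-cased."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def audit_stunnel(text):
    """Map each client-mode service to its findings (empty list = passes)."""
    global_opts, services = parse_stunnel(text)
    report = {}
    for name, opts in services.items():
        eff = {**global_opts, **opts}            # global options act as defaults
        on = lambda k: eff.get(k, "no").lower() == "yes"
        if not on("client"):
            continue
        findings = []
        if eff.get("sslversionmin", eff.get("sslversion", "")).lower() not in OK_MIN:
            findings.append("no sslVersionMin of TLSv1.2 or higher")
        if not (on("verifychain") or on("verifypeer")):
            findings.append("server certificate chain not verified")
        elif not on("verifypeer") and "checkhost" not in eff:
            findings.append("certificate host name not checked")
        report[name] = findings
    return report
```

Because the mail client talks plain text to the loopback port, the TLS version and certificate checks of the whole connection are whatever the tunnel enforces, which is why the audit looks at each service section.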

I think Pmail have to change anyhow, latest mid of the year, to the newer OpenSSL 3 Version due to EOS of 1.1.1.
And by the way, version 1.1.1 is already at version 1.1.1t with several security and bug fixes ;)


Note from Open-SSL-Website: "The previous LTS version (the 1.1.1 series) is also available and is supported until 11th September 2023"
https://www.openssl.org/



Pegasus v4.81 Beta

edited Mar 18 '23 at 8:14 am

> I think Pmail have to change anyhow, latest mid of the year, to the newer OpenSSL 3 Version due to EOS of 1.1.1.

Before getting too concerned about what Pegasus Mail needs to do or not please take a look at the overall adoption of the current TLS versions on the Internet: Here's what the [English Wikipedia](https://en.wikipedia.org/wiki/Transport_Layer_Security#Websites) reports as of May 2022 with TLS 1.3 being defined in August 2018: The most recent version was only implemented on 54.2% of the _most popular_ (!) Websites. And on the [German Wikipedia](https://de.wikipedia.org/wiki/Transport_Layer_Security#Versionen) there's an additional note about the BSI (the topmost German Office for Information Security) still listing TLS 1.2 from 2008 as a recommended protocol (published in 2019, though).


IOW: As long as TLS 1.3 is covered and not "deprecated" there's no need to enforce another update especially since the OpenSSL 3 versions apparently just provide a special administrative US certification which doesn't mean there's a technical advancement in there as far as I understand this: It has to follow certain rules to achieve this, that seems to be its purpose.


			Michael

PMail v4.81b user
TU all for the extended info on OpenSSL/Pmail.


Another question: Should there not be a PMail 5.0 version or is pm virt dead and will v4.81b be sufficient for the future, xmt OpenSSL updates?


Greetings



I think that Pegasus only using a few functions out of OpenSSL and give not so much attack vectors to malware or hackers.


So I hope that Pegasus will not use those parts of OpenSSL which are affected by the latest vulnerabilities. And also will not be affected when the LTS version 1.1.1 is no longer maintained at all from October.


Just for info, the CVE for OpenSSL contain some critical ones that also affect v1.1.1k, that hopefully do not impact Pegasus at all ;)
https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/year-2022/Openssl-Openssl.html



Pegasus v4.81 Beta

> the CVE for OpenSSL

WTF is creating this unreadable conglomeration of letters and numbers? Is this PITA supposed to be helpful in any kind for fixing issues as easy as possible instead of making people avoid reading it and leaving this page as fast as possible? I just don't get it ...


			Michael
edited Mar 19 '23 at 3:24 pm

Michael in der Wiesche asked me to comment on this topic, so here's the situation.


  • V4.80 and v4.81 support OpenSSL v1.1.1, which has complete support for TLS 1.2 and 1.3. Since TLS 1.3 is not currently in widespread use, this should mean that things will remain valid for a period measured in years.

  • I am actively watching the development of OpenSSL v3.0 and once I'm sure it's frozen and stable (it's still undergoing active development), I'll begin switching the Pegasus Mail OpenSSL support code over to it. The current plan will be to offer two versions of the OpenSSL support, defaulting to v1.1.1 until it reaches EOL, but making v3.0-based builds available to anyone who would prefer to use them.

  • I have resisted updating to more recent versions of OpenSSL v1.1.1 until I was certain they were stable: version 1.1.1r (I think that was the version) was withdrawn with issues, and I've been waiting for the dust to settle down after that. I may look at including v1.1.1t support in the full release version of Pegasus Mail v4.81.

  • OpenSSL support in Pegasus Mail is modular, meaning that I can update it without having to update the whole program around it. This means that keeping OpenSSL support current is not a complicated process.


As another poster noted, Pegasus Mail uses only a fairly small subset of OpenSSL's capabilities, and none that are currently covered by vulnerability notifications (at least as far as I am aware). My own personal view is that SSL-based exploits will tend to be specialized by their very nature, and that they are not something most users need to be very concerned about.


I hope this covers peoples' questions on this topic.


-- David --

