OpenSSL

POP Peeper: Tech support, suggestions, discussion, etc.
Styx
Posts: 88
Joined: Wed Jul 02, 2008 9:19 pm

Re: OpenSSL

Post by Styx »

Been using SSL 1.0.0.4 for a couple of days with no issues.
Styx
Posts: 88
Joined: Wed Jul 02, 2008 9:19 pm

Re: OpenSSL

Post by Styx »

SSL 1.0.0.4 been working without issues for over a month.
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

That version gave me the same error today. It doesn't happen often, but when it does happen it crashes PP.
User avatar
JRF
Moderator
Posts: 4078
Joined: Sun Oct 20, 2002 3:41 am

Re: OpenSSL

Post by JRF »

[color=#4000FF]lwc[/color] wrote: That version gave me the same error today.
It doesn't happen often, but when it does happen it crashes PP.
Thank you , it may be more related to the IDLE function than to the SSL version .
It is now being investigated for a better processing in PP .
• (PP + IMAP + Send)=381 Web=3808 PPT=38 SSL=1005 Voice=3 Chime=3 Skin=36 PP-Add-on-Pack=3 • XPproSP3 • Fx=1301 Opera=1162 [IE=80] • Online-Armor=5501616 • CPU=1.2GHz • RAM=2.5GB •
Styx
Posts: 88
Joined: Wed Jul 02, 2008 9:19 pm

Re: OpenSSL

Post by Styx »

Jeff been using SSL 1.0.1.5 for a couple of months without issue.

Just a heads up.

Rob
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

OpenSSL was partially breached. Here's the official statement, but you can read about "heartbeat" in the news.

I'm happy to report the fixed (i.e. latest) version so far works fine with PP.
For those who want no dependencies on MS VC++ runtime, I'm talking about openssl-1.0.1g-i386-win32.zip
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: OpenSSL

Post by Jeff »

The OpenSSL security issue was also mentioned in another off-topic post, so in order to keep everything in one place, I've posted a new blog:
http://blog.mortaluniverse.com/?p=86
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: OpenSSL

Post by Jeff »

A new security exploit was discovered in all versions of OpenSSL and they released an update to fix the issue.

SSL v1.0.1.8 (v1.0.1h) is now available for POP Peeper:
http://www.poppeeper.com/Plugins/ssl.php

Information from OpenSSL about this latest vulnerability:
http://www.openssl.org/news/secadv_20140605.txt
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

I've started to successfully use 1.0.2d.
For those who want no dependencies on MS VC++ runtime, I'm talking about openssl-1.0.2d-i386-win32.zip
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

lwc wrote: Tue Feb 03, 2009 5:55 am
Jeff wrote: Mon Feb 02, 2009 5:40 pm The issue is actually with certain algorithms that have patents. I cannot say with any authority that these algorithms are more or less secure than the others. It's possible that they're not any more secure, or it's possible that they're lower in the priority, or it's even possible that the server doesn't use them either.
Nevertheless, your plugin's page casually claims they're less secure.
I've noticed your plugin's page has completely removed the statement about your built-in SSL plugin (which I believe is currently 1.0.2k from 2017 - I remember you once mentioned version texts) being less secure. May I ask what changed?

Meanwhile, I've been successfully using 1.0.2o.
If you want it, as it's not the latest but does work with no dependencies on MS VC++ runtime, then I'm talking about openssl-1.0.2o-i386-win32.zip
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: OpenSSL

Post by Jeff »

The policy hasn't changed: there are still certain algorithms that are not in the esumsoft SSL library. The text was probably removed for conciseness (that was a long time ago, and I don't always remember the reasons I do things).

There was *never* any statement that said PP's SSL library was less secure, that was just how you interpreted it. The exact text, according to archive.org on Jan 27, 2009:
For legal reasons, this distribution does not include certain Encryption Algorithms.
That was true at the time. I've done some research and apparently some (well, one) of the patents are no longer held. The configuration options I have been using are:
no-idea no-mdc2 no-rc5
This official page suggests that no-mdc2 and no-rc5 aren't necessary (or even exist; they may be opt-in only now, although I don't see any other compile flags that mention them). And this discussion (not official) suggests that the "idea" patent expired in 2012.
* So I will be removing these flags from future builds, and the SSL libraries that I distribute will be much closer to a default build



Meanwhile, I've been successfully using 1.0.2o.
1.0.2p has been available on esumsoft.com for some time:
https://www.esumsoft.com/products/pop-p ... ugins/#SSL
(download the zip file)


I remember you once mentioned version texts
I don't know what you mean by this?
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

Jeff wrote: Sat Nov 24, 2018 4:50 pm So I will be removing these flags from future builds, and the SSL libraries that I distribute will be much closer to a default build
Until then I don't see why not stating this officially.
1.0.2p has been available on esumsoft.com for some time:
But your webpage displays "v1.0.2.11" which stands for 1.0.2k, which takes us to:
I remember you once mentioned version texts
I don't know what you mean by this?
I meant in the past you wrote not just, for example, "v1.0.2.11", but also the version text, for example, ""v1.0.2.11 - 1.0.2k". In OpenSSL it's expected.
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: OpenSSL

Post by Jeff »

Re: letter version (ie. 1.0.2k) -- PP likes numbers. It uses the numbers for the comparison to see if there's a newer version available. OpenSSL uses numbers in the build details. I don't know why they use letters... I wish they didn't? Probably easier for people to notice if there's an update or some psychological thing.

I don't really want to get into all the details of why things are done they are, but there are some changes in v5.0 which should improve the situation. Namely, the v5 installer eliminates one of the three sources of the SSL files, and it has an auto-update feature.
User avatar
Jeff
Admin / Developer
Posts: 9225
Joined: Sat Sep 08, 2001 9:46 pm

Re: OpenSSL

Post by Jeff »

OpenSSL 1.0.2.18 (1.0.2r) is now available for testing on the Plugins page -- via the zip format only (do not use the exe installation if you want this latest/experimental version).

Since myself and other testers are not using v4 (and, hence, not using SSL 1.0.x), this version has had very limited real-world testing, so please report back if you have any issues OR if you're satisfied that it's working as expected.
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

In that case, I've just started using it. I think it's the first time in over a decade I'm using PP's official SSL.

But is this indeed the "future build" you promised all these months ago?
Jeff wrote: Sat Nov 24, 2018 4:50 pm
For legal reasons, this distribution does not include certain Encryption Algorithms.
* So I will be removing these flags from future builds, and the SSL libraries that I distribute will be much closer to a default build
Last but not least:
Jeff wrote: Mon Nov 26, 2018 5:21 pm I don't know why they use letters... I wish they didn't?
Still, if they use letters and your website and program use numbers, then it's hard to compare.
Plus numbers or not, probably because it's just in the ZIP, the Help=>About shows something quite unusual:
Attachments
latest ssl.png
latest ssl.png (3.36 KiB) Viewed 7646 times
lwc
Posts: 518
Joined: Tue Sep 27, 2005 5:46 am

Re: OpenSSL

Post by lwc »

Never got a reply to my last message. But it's now almost a year later and various new versions came out already.
So after a one time exception in over a decade, I'm back to not using PP's official SSL.
For those who want no dependencies on MS VC++ runtime, I'm talking about openssl-1.0.2u-i386-win32.zip
Post Reply