Code: Adding Constring param: TLS 1.2 Support for SQL Server #229
Comments
Hi, I also need hMailServer to deprecate TLS v1.0 when connecting via MSSQL. As part of our server security, I need to disable TLS v1.0 and also v1.1 but cannot because hMailServer requires it. Please change it to use TLS v1.2. v1.0 is vulnerable and should not be used.
@blandyuk
To be PCI compliant, TLS 1.0 support needs to be disabled before June 30th of 2018. This feature should be added by now to accommodate this global change.
The suggestion given on implementation here would not have the intended effect. The OLE DB Provider used by hMailServer does not support TLS 1.2, so simply stating that the connection should be encrypted won't work since the connection to a TLS 1.2 server will fail anyway. I have added an ini-file-setting which lets you override the provider to be used. Specifically, the provider MSOLEDBSQL supports TLS 1.2, so by setting Provider=MSOLEDBSQL under Database section in hMailServer.ini, TLS 1.2 will be used. For this to work, the provider must also be installed on the machine. I believe the following installs it: https://www.microsoft.com/en-us/download/details.aspx?id=56730
@martinknafve
I have created a new build but not made it available on the download page. I scan new builds using virustotal.com and currently only 2 of the 64 scanners report it contains adware. I've submitted it to McAfee and Antiy as false positives. I'll create another new build later today and see if it's also classified as malware (it's pretty common that a few of the scanners report false positives but I don't want to put up stuff when it's being marked as containing malware because users may think it actually does).
Yeah, true. PS: I tested and wrote a 64-Bit Guide for MariaDB x64, MSSQL x64 and Postgres 64-Bit in the Forum Tutorial section. MS-SQL Express 2017 - 64-Bit https://www.hmailserver.com/forum/viewtopic.php?f=21&t=32852 Downgrade testing: It can run on WinXP x64 SP2 + MS-SQL CE 3.5 64-Bit if MSSQL-CE 3.5 64-Bit was installed standalone before the hMailServer Innosetup but will fail if someone is trying to install it as part of the hMailServer Innosetup.
McAfee seems to go crazy because InnoSetup is used. This is not the first time this has happened. They spot a virus which uses InnoSetup and then manage to blacklist a lot of applications created using InnoSetup. It's a bit silly. Antiy-AVL complains about a trojan in a javascript which hasn't been updated since 2006. Since it's the only scanner mentioning it, I'm sure it's a false positive. I'll give them until Tuesday to give feedback before I put up a new release for this. I'll check the work you've done on 64-bit.
Hi, Please is there a workaround for this:
Hi, |
As my SQL server is forced through domain policy to disable TLS 1.0 and 1.1 I was happy to find that this has been patched. Although changing the configuration as suggested above as: It works great though with:
(And currently running this release: https://github.com/Dravion/hmailserver/releases/tag/5.7.0-B2519 in case that matters, although I got the same error with hMailServer 5.6.8 - Build 2538 (BETA) when using MSOLEDBSQL as provider) SQLNCLI11 was mentioned in the forum and I hope this saves someone a bit of time and hair-pulling 😉
Yes, already have this working with the latest BETA 5.6.8 doing the below: Edit: C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI Add/Update "Provider=SQLNCLI11" in the [Database] area if you use MSSQL. Restart hMailServer, Done.
Hi Martin,
Is it possible to add the following TLS Connection security attribute to the MSSQL-Server (not CE) Connectionstring in ADOConnection.cpp Line 102 ?
From:
String sConnectionString = "Provider=" + sProvider + ";";
sConnectionString.append("Server=" + sServer + ";");
sConnectionString.append("Initial Catalog=" + sDatabase + ";");
To:
String sConnectionString = "Provider=" + sProvider + ";";
sConnectionString.append("Server=" + sServer + ";");
sConnectionString.append("Initial Catalog=" + sDatabase + ";");
sConnectionString.append("Trusted_Connection=yes;Encrypt=yes;");
Or have at least a hMailServer.ini switch which enables/disables MSSQL TLS Connection
security?
Forum Discussion
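
A check for the workaround described in the comments above, as an added example that is not part of the original thread or hMailServer's own code: it reads hMailServer.ini text and reports whether the [Database] section sets Provider to one of the two values commenters report working with TLS 1.2 (MSOLEDBSQL, SQLNCLI11). The function name, the status labels and the sample ini contents are assumptions constructed for illustration.

```python
import configparser

# Provider values that commenters in this thread report working against
# a SQL Server that only accepts TLS 1.2.
TLS12_PROVIDERS = {"MSOLEDBSQL", "SQLNCLI11"}

# Constructed sample ini contents (not taken from a real installation).
SAMPLE_OVERRIDE = "[Database]\nServer=db01\nDatabase=hmailserver\nProvider=MSOLEDBSQL\n"
SAMPLE_NO_OVERRIDE = "[Database]\nServer=db01\nDatabase=hmailserver\n"


def audit_provider(ini_text):
    """Classify the [Database] Provider setting found in hMailServer.ini text.

    Returns (status, detail); status is "ok", "default", "unknown" or "error".
    """
    # interpolation=None: values may contain '%'; strict=False: tolerate duplicates.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.Error as exc:
        return ("error", "cannot parse ini: %s" % type(exc).__name__)
    # Section names are case-sensitive in configparser, so match them manually.
    section = next((s for s in parser.sections() if s.lower() == "database"), None)
    if section is None:
        return ("error", "no [Database] section")
    # Option names are lower-cased by configparser: "Provider" becomes "provider".
    provider = parser[section].get("provider", fallback="").strip().strip('"')
    if not provider:
        return ("default", "no Provider override; the built-in OLE DB provider is used")
    if provider.upper() in TLS12_PROVIDERS:
        return ("ok", provider)
    return ("unknown", provider + " is not one of the providers named in the thread")


if __name__ == "__main__":
    for name, text in (("override", SAMPLE_OVERRIDE), ("no override", SAMPLE_NO_OVERRIDE)):
        print(name, audit_provider(text))
```

A "default" result corresponds to the case described in the thread where the connection to a TLS 1.2-only server fails; per the comments, the chosen provider must also be installed on the machine and hMailServer restarted after the change.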