Code: Adding Constring param: TLS 1.2 Support for SQL Server #229

Closed
Dravion opened this issue Aug 7, 2017 · 12 comments

Dravion commented Aug 7, 2017

Hi Martin,
Is it possible to add the following TLS connection security attribute to the MSSQL-Server (not CE) connection string in ADOConnection.cpp, line 102?

From:
String sConnectionString = "Provider=" + sProvider + ";";
sConnectionString.append("Server=" + sServer + ";");
sConnectionString.append("Initial Catalog=" + sDatabase + ";");

To:
String sConnectionString = "Provider=" + sProvider + ";";
sConnectionString.append("Server=" + sServer + ";");
sConnectionString.append("Initial Catalog=" + sDatabase + ";");
sConnectionString.append("Trusted_Connection=yes;Encrypt=yes;");

Or have at least a hMailServer.ini switch which enables/disables MSSQL TLS connection security?

Forum Discussion

@blandyuk

Hi, I also need hMailServer to deprecate TLS v1.0 when connecting via MSSQL. As part of our server security, I need to disable TLS v1.0 and also v1.1 but cannot because hMailServer requires it. Please change it to use TLS v1.2. v1.0 is vulnerable and should not be used.

@Dravion
Author

Dravion commented Nov 30, 2017

@blandyuk
I think the only solution right now is to build hMailServer from source and modify the above line yourself, or ask RdVh (Rudd) for an alternative hMailServer.exe which may have this switch set.

@cblaze22

cblaze22 commented May 21, 2018

To be PCI compliant, TLS 1.0 support needs to be disabled before June 30th of 2018. This feature should be added by now to accommodate this global change.

@martinknafve
Collaborator

The suggestion given on implementation here would not have the intended effect. The OLE DB Provider used by hMailServer does not support TLS 1.2, so simply stating that the connection should be encrypted won't work since the connection to a TLS 1.2 server will fail anyway.

I have added an ini-file setting which lets you override the provider to be used. Specifically, the provider MSOLEDBSQL supports TLS 1.2, so by setting Provider=MSOLEDBSQL under the Database section in hMailServer.ini, TLS 1.2 will be used. For this to work, the provider must also be installed on the machine. I believe the following installs it:

https://www.microsoft.com/en-us/download/details.aspx?id=56730

@Dravion
Author

Dravion commented Jul 26, 2018

@martinknafve
Did you build and upload a new version?
If you commit the changes in origin, I will fork your repo and build a 64-bit hMailServer setup as long as you don't provide a 64-bit installer.
https://github.com/Dravion/hmailserver/releases

@martinknafve
Collaborator

I have created a new build but not made it available on the download page. I scan new builds using virustotal.com and currently only 2 of the 64 scanners report it contains adware. I've submitted it to McAfee and Antiy as false positives. I'll create another new build later today and see if it's also classified as malware (it's pretty common that a few of the scanners report false positives, but I don't want to put up stuff when it's being marked as containing malware because users may think it actually does).

@Dravion
Author

Dravion commented Jul 27, 2018

Yeah, true.
I didn't check with virustotal. The 7zip file contains all compiled binaries without the 64-bit InnoSetup, so you can check file by file to find out which one makes McAfee go crazy.

PS: I tested and wrote a 64-bit guide for MariaDB x64, MSSQL x64 and Postgres 64-bit in the forum tutorial section.

MS-SQL Express 2017 - 64-Bit https://www.hmailserver.com/forum/viewtopic.php?f=21&t=32852
MS-SQL 2017 64-Bit (Linux) https://www.hmailserver.com/forum/viewtopic.php?f=10&t=31646
MariaDB 10.3 - 64-Bit https://www.hmailserver.com/forum/viewtopic.php?f=21&t=32869
PostgreSQL - 64-Bit https://www.hmailserver.com/forum/viewtopic.php?f=21&t=31638

Downgrade testing:
I tested how far down I can go with hMailServer 5.6.7 64-Bit + MS-SQL CE 3.5 64-Bit, and these are the results: https://www.hmailserver.com/forum/viewtopic.php?f=8&t=32853

It can run on WinXP x64 SP2 + MS-SQL CE 3.5 64-Bit if MSSQL-CE 3.5 64-Bit was installed standalone before the hMailServer InnoSetup, but will fail if someone is trying to install it as part of the hMailServer InnoSetup.

@martinknafve
Collaborator

martinknafve commented Jul 27, 2018

McAfee seems to go crazy because InnoSetup is used. This is not the first time this has happened. They spot a virus which uses InnoSetup and then manage to blacklist a lot of applications created using InnoSetup. It's a bit silly. Antiy-AVL complains about a trojan in a JavaScript file which hasn't been updated since 2006. Since it's the only scanner mentioning it, I'm sure it's a false positive. I'll give them until Tuesday to give feedback before I put up a new release for this.

I'll check the work you've done on 64bit.

@CharlesOkwuagwu

Hi, please, is there a workaround for this:
[DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
while we wait for a hMailServer version that supports TLS 1.2 on MS SQL?

@thomas311

Hi,
I appreciate all the hard work on hMail and we have used it for quite a while, but now pressure is increasing on us to switch off TLS 1.0 and TLS 1.1. Is there already a ready-to-install version we can use, or is something available very soon?
Thank you for your kind feedback.

Dravion closed this as completed Aug 3, 2019

@johannesboon

As my SQL server is forced through domain policy to disable TLS 1.0 and 1.1 I was happy to find that this has been patched.

Although changing the configuration as suggested above as: Provider=MSOLEDBSQL gives me an error with this description: "Error when connecting to database. ADODB.Connection Provider cannot be found. It may not be properly installed. Check your database settings in hMailServer.ini."

It works great though with:

Provider=SQLNCLI11

( And currently running this release: https://github.com/Dravion/hmailserver/releases/tag/5.7.0-B2519 in case that matters, although I got the same error with hMailServer 5.6.8 - Build 2538 (BETA) when using MSOLEDBSQL as provider)

SQLNCLI11 was mentioned in the forum and
SQLNCLI11 is listed as available on my server with the PowerShell snippet from: https://stackoverflow.com/questions/37849262/how-to-get-a-list-of-installed-ole-db-providers

I hope this saves someone a bit of time and hair-pulling 😉

@blandyuk

blandyuk commented Sep 7, 2021

Yes, already have this working with the latest BETA 5.6.8 doing the below:

Edit: C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI

Add/Update "Provider=SQLNCLI11" in the [Database] area if you use MSSQL.

Restart hMailServer, Done.
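
The check below is an added example, not part of the thread or of hMailServer: it reads the Provider value from the [Database] section and compares it with the OLE DB providers registered on the machine, which is the situation behind the "Provider cannot be found" error quoted above. It assumes Windows PowerShell 5.1 and the INI path given in the thread; `Get-IniValue` is a hypothetical helper, and the list of working providers is only what commenters here report.

```powershell
# Added example: compare hMailServer's [Database] Provider with the registered OLE DB providers.
param(
    # Path as quoted in the thread; adjust for your installation.
    [string]$IniPath = 'C:\Program Files (x86)\hMailServer\Bin\hMailServer.INI'
)
Add-Type -AssemblyName System.Data

# Providers that commenters in this thread report working against a TLS 1.2-only SQL Server.
$reportedWorking = @('MSOLEDBSQL', 'SQLNCLI11')

# Hypothetical helper: return the value of $Key inside [$Section], or $null if absent.
function Get-IniValue {
    param([string]$Path, [string]$Section, [string]$Key)
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track the current section; INI names are compared case-insensitively.
            $inSection = ($Matches[1].Trim() -ieq $Section)
        } elseif ($inSection -and $text -match '^([^=]+)=(.*)$') {
            if ($Matches[1].Trim() -ieq $Key) { return $Matches[2].Trim() }
        }
    }
    return $null
}

if (-not (Test-Path -LiteralPath $IniPath)) { throw "INI file not found: $IniPath" }

# The enumerator only sees providers registered for this process's bitness,
# so run it from a PowerShell host of the same bitness as hMailServer.exe.
$bits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
$installed = @((New-Object System.Data.OleDb.OleDbEnumerator).GetElements().Rows |
    ForEach-Object { [string]$_['SOURCES_NAME'] })

$provider = Get-IniValue -Path $IniPath -Section 'Database' -Key 'Provider'

if (-not $provider) {
    Write-Warning 'No Provider under [Database]: the default provider is used, which per this thread fails once TLS 1.0/1.1 are disabled.'
} elseif ($installed -notcontains $provider) {
    Write-Warning "Provider '$provider' is not registered for $bits-bit processes. Registered SQL providers: $(($installed -match 'SQL') -join ', ')"
} elseif ($reportedWorking -notcontains $provider) {
    Write-Warning "Provider '$provider' is installed but is not one this thread reports working with TLS 1.2."
} else {
    Write-Output "Provider '$provider' is registered ($bits-bit) and is reported in this thread to work with TLS 1.2."
}
```

For a 32-bit hMailServer, run the script from the 32-bit Windows PowerShell host so that the provider list matches what the service can load.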
