HFS including SSl tools

SilentPliz · **Reply #105 on:** November 25, 2013, 10:12:05 AM

November 25 2013

hfs 286a SSL FR is online.

Update from previous releases or use the links below:

http://silentpliz.perso.sfr.fr/hfs/HFS_286a_SSL_FR.exe

sources:

http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/Sources_hfs_286a_FR_SSL.zip

SilentPliz · **Reply #106 on:** November 29, 2013, 01:46:43 PM

November 29 2013

hfs 286b SSL FR is online.

Update from previous releases or use the links below:

http://silentpliz.perso.sfr.fr/hfs/HFS_286b_SSL_FR.exe

sources:

http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/Sources_hfs_286b_FR_SSL.zip

tailsheep · **Reply #107 on:** January 08, 2014, 04:37:20 PM

Excellent! Looks like a terrific project!!
Also thanks to rejetto!!

SilentPliz · **Reply #108 on:** April 28, 2014, 02:13:29 PM

Solved

IMPORTANT There is a security flaw with
Openssl 1.0.1 a to f.

Do not use SSL with releases posted here until removal of this message.

I leave it for info the following message, posted on another thread, this is an explanation and a possible workaround.

Sorry for the inconvenience.

Quote from: LeoNeeson on April 23, 2014, 04:32:31 AM

Savez-vous si "HFS 2.3 bêta 286b SSL FR" est affecté par "OpenSSL TLS Heartbleed bug"?.

(Plus d'infos, ici et ici)

Quote from: SilentPliz

Hélas oui! Le problème provient de Stunnel qui est compilé avec une version de OpenSSL qui "contient" la faille de sécurité.

Pour ce qui concerne HFS 2.3 bêta 286b SSL FR, la version de stunnel incluse est;

stunnel 4.56 on x86-pc-msvc-1500 platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013

Le problème est qu’actuellement je ne peut pas compiler une nouvelle "release" de HFS incluant la version 5 de Stunnel qui elle est exempte de ce bug. (j'ai mon PC et delphi à réinstaller).

Pour patienter, et si SSL vous est absolument nécessaire, vous pouvez utiliser la version 5 de stunnel.

- Vous gardez votre fichier de configuration stunnel.conf et vous remplacez les anciens fichiers par les nouveaux.

- Vous générez manuellement un nouveau certificat. N'utiliser pas les options (boutons) de création incluses dans HFS FR... elles ne feraient qu'extraire de l’exécutable l'ancienne version buggée de Stunnel.

Désolé du dérangement. $:-\$

HFS SSL FR ne posant pas de problème en fonctionnement NON SSL... je laisse les versions en ligne, et affiche un avertissement sur le forum concernant ce bug.

bmartino1 · **Reply #109 on:** May 01, 2014, 03:33:14 AM

instead of fixing the link, if you chose to do so, go here to download the patched version:
http://opendec.wordpress.com/tag/openssl/
downlaod: http://indy.fulgan.com/SSL/openssl-1.0.1g-i386-win32.zip

copy the 2 dll files and the openssl.exe file to the place where openssl is located and tada, you are no longer vulnerable...

silentplz this version of openssl doe not include fips mode thoses using fips mode with hfs will have to recreate you ssl certificates with the fips check box unchecked!

Running this version and fixed with the download link above!

i5c0r3 · **Reply #110 on:** May 15, 2014, 11:37:55 AM

Quote from: bmartino1 on May 01, 2014, 03:33:14 AM

instead of fixing the link, if you chose to do so, go here to download the patched version:
http://opendec.wordpress.com/tag/openssl/
downlaod: http://indy.fulgan.com/SSL/openssl-1.0.1g-i386-win32.zip

copy the 2 dll files and the openssl.exe file to the place where openssl is located and tada, you are no longer vulnerable...

silentplz this version of openssl doe not include fips mode thoses using fips mode with hfs will have to recreate you ssl certificates with the fips check box unchecked!

Running this version and fixed with the download link above!

This doesn't work. Those files get overwritten every time you run hfs. And making them read-only crashes stunnel. We'll just have to wait until SilentPliz releases a patched version.

bmartino1 · **Reply #111 on:** May 17, 2014, 09:22:00 PM

Quote from: i5c0r3 on May 15, 2014, 11:37:55 AM

This doesn't work. Those files get overwritten every time you run hfs. And making them read-only crashes stunnel. We'll just have to wait until SilentPliz releases a patched version.

(thank yluf or bring this to my attention...

Silent plz, after runing some new test with donwlaoding the "pathced" version, I have found that you progrmar defaults to using openssl-fips 1.0.1e(everytime you execute "hfs_ssl_etc...." please rebuild the source with the corrected version...

I will attept a fix when possible (via downlaoding the source hard to recompile on my end...), other wise see (which is fixed and working!):
http://www.rejetto.com/forum/hfs-~-http-file-server/stunnel-and-hfs-(securing-your-hfs)/

bmartino1 · **Reply #112 on:** May 17, 2014, 11:20:46 PM

As i have said before, i have issues compiling hfs source code, see picture (alli did was add/replace the openssl files int he resource folde (which is what the program ios diggin from to get the files...) "I have not touched his code!, but i have erros compiling hfs.dpr as found via his comand to compile it to hfs.exe ....

(would like to be able to comile it to use this source to add feature i want ie add mysql and php capabilities...)

bmartino1 · **Reply #113 on:** May 18, 2014, 01:03:55 AM

well, i got tired of trying to compile it, so i went the other direction... lolz

here is a link of a new downlaod, as brought on tformt he ida so the progam deosnt overwirte, these files need to be "read only:
>stunnel:
openssl.exe
libeasy32
ssleay32.dll
stunnel.exe
stunel.cfg (after you have a fixed working version!)- this one works...

http://oreilly.com/openbook/samba/book/figs/sam.0506.gif

http://oreilly.com/openbook/samba/book/ch05_03.html
http://en.wikipedia.org/wiki/File_attribute

-----
Downlaod link of a sucessfulky pathed working version, thanks agin for bring this to my attention i5c0r3
*by the way, stune crashes due to the compression of zlib aswell (which is why i think you had issues), so uses using the beta and needing the pathed, please compile your keys before downlaoding to copy them to the corect place... as fips and any form of compresion needs to be uncheced....
----

https://drive.google.com/file/d/0B9u5dgydfOEudkI1dkRpeWVzU0E/edit?usp=sharing

bmartino1 · **Reply #114 on:** May 20, 2014, 06:44:07 PM

Quote from: bmartino1 on May 17, 2014, 11:20:46 PM

As i have said before, i have issues compiling hfs source code, see picture (alli did was add/replace the openssl files int he resource folde (which is what the program ios diggin from to get the files...) "I have not touched his code!, but i have erros compiling hfs.dpr as found via his comand to compile it to hfs.exe ....

(would like to be able to comile it to use this source to add feature i want ie add mysql and php capabilities...)

after adding/chaning the needed files to add open ssl 1.0.1g (doens't suport fips nor zlib compression!)
went to compile it and recieved this error:
*see picture

SilentPliz · **Reply #115 on:** May 21, 2014, 09:57:12 AM

May 21 2014

hfs 286c SSL FR is online.

New:

- Stunnel 5.00b1
.
For users of a previous BUILD, update Stunnel with the "S" button

hfs 286c SSL FR is online.

Update from previous releases or use the links below:

http://silentpliz.perso.sfr.fr/hfs/HFS_286c_SSL_FR.exe

sources:

http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/Sources_hfs_286c_FR_SSL.zip

Replies to messages and other builds soon.

LeoNeeson · **Reply #116 on:** May 22, 2014, 05:15:05 AM

SilentPliz: Just a dumb question: this version (hfs 286c SSL FR - May 21 2014), is based on Rejetto's HFS v2.3 Build #286 or his latest stable v2.3a Build #289?

Thanks for the update...

bmartino1 · **Reply #117 on:** May 22, 2014, 05:25:27 PM

Quote from: SilentPliz on May 21, 2014, 09:57:12 AM

May 21 2014

hfs 286c SSL FR is online.

New:

- Stunnel 5.00b1
.
For users of a previous BUILD, update Stunnel with the "S" button

hfs 286c SSL FR is online.

Update from previous releases or use the links below:

http://silentpliz.perso.sfr.fr/hfs/HFS_286c_SSL_FR.exe

sources:

http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/Sources_hfs_286c_FR_SSL.zip

Replies to messages and other builds soon.

I believe it is attended, for your code base to do that but this beta version is using openssl 1.0.1e-fips just thought i post this to let usres know...
(This is fine as stunnel 5 has updated there program to fix openssl issue!)

Thank you again for programing this!

bmartino1 · **Reply #118 on:** May 22, 2014, 07:27:33 PM

Silentplz, if it is not too much toruble can i get some of the pascal files form you as shown in your soucre code

-------------line 52 main.pas----
// SilentPliz & 3rd part libs.
JvComponentBase, JvBitBtn, JvExButtons, JvAppAnimatedIcon, JvDesktopAlert, JvBaseDlg, JvGIF,
JvHint, StdActns, ActnList, XPStyleActnCtrls, ActnMan, InputQueryFrm_F, gnugettext;
------------------

As when i go to compile i'm stoped at "JvBitBtn" and i'm unable to find a downlaod for it nor its actual use in the code.

thank you

SilentPliz · **Reply #119 on:** May 26, 2014, 12:29:26 PM

Quote from: LeoNeeson on May 22, 2014, 05:15:05 AM

SilentPliz: Just a dumb question: this version (hfs 286c SSL FR - May 21 2014), is based on Rejetto's HFS v2.3 Build #286 or his latest stable v2.3a Build #289?
Thanks for the update...

Salut!

Oui, cette version est basée sur HFS v2.3 Build #286.
Je n'ai pas encore eu le temps de mettre en ligne les autres "releases".

Mais, les différences entre cette version et la "289" sont assez mineures et concernent surtout des fonctions très spécialisées (scripts) destinées à peu d'utilisateurs.

Au niveau de la stabilité, tu peux considérer cette bêta (286) comme stable.

HFS including SSl tools

SilentPliz

Re: For testing purpose (HFS beta including SSl tools)

SilentPliz

Re: For testing purpose (HFS beta including SSl tools)

tailsheep

Re: For testing purpose (HFS beta including SSl tools)

SilentPliz

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

i5c0r3

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

SilentPliz

Re: For testing purpose (HFS beta including SSl tools)

LeoNeeson

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

bmartino1

Re: For testing purpose (HFS beta including SSl tools)

SilentPliz

Re: For testing purpose (HFS beta including SSl tools)