rejetto forum

HFS including SSl tools

SilentPliz · 262 · 122094

0 Members and 2 Guests are viewing this topic.

Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
US-cert:

NCCIC / US-CERT
National Cyber Awareness System:

FREAK SSL/TLS Vulnerability
03/06/2015 06:19 PM EST

Original release date: March 06, 2015
FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

Users and administrators are encouraged to review Vulnerability Note VU#243585 for more information and apply all necessary mitigations as vendors make them available. Users may visit freakattack.com to help determine whether their browsers are vulnerable. (Note: DHS does not endorse any private sector product or service. The last link is provided for informational purposes only.)
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
Thank you for the information.

OpenSSL versions before 1.0.1k are vulnerable:

http://www.kb.cert.org/vuls/id/BLUU-9UC2D8

The latest versions I posted online (292) are healthy ; The included versions of OpenSSL are more recent.

Apart from that , it is always recommended that users use a browser updated.
« Last Edit: March 10, 2015, 01:23:02 PM by SilentPliz »


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
12-03-2015     HFS 2.3d SSL 292f is online.

News:
Stunnel 5.11 final Compiled/running with OpenSSL 1.0.2
.
For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3d SSL #292f  :
http://silentpliz.perso.sfr.fr/hfs/hfs.292f.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3d_SSL_292f-src.zip

« Last Edit: March 20, 2015, 01:27:02 PM by SilentPliz »


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 712
  • Status: On hiatus (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
Talking about security and vulnerabilities, how about this?:

POODLE - An SSL 3.0 Vulnerability (CVE-2014-3566)

Code: [Select]
http://en.wikipedia.org/wiki/POODLE
https://www.us-cert.gov/ncas/alerts/TA14-290A
https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

I'm not on technical details about this (I'm not an expert at all about this!), but I was wondering if "HFS 2.3d SSL 292f" is using SSL v3.0 (which is vulnerable) or TLS (which is not vulnerable) by default?...

According to this vulnerability, we should disable (not necessarily remove) SSL, and use TLS by default. Is that possible?...
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Talking about security and vulnerabilities, how about this?:

POODLE - An SSL 3.0 Vulnerability (CVE-2014-3566)

According to this vulnerability, we should disable (not necessarily remove) SSL, and use TLS by default. Is that possible?...

Under the stunel config - Manualy edit the stunnel config, under options....
Thatis where you alow/change what protocal...

HFS PAth..\stunnel\stunnel.conf

edit with notepad ++ or notepad

look for disabled... Silent Plz has already done this...:
; Disable support for insecure SSLv2 protocol.
options = NO_SSLv2
; Disable support for insecure SSLv3 protocol.
options = NO_SSLv3
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 712
  • Status: On hiatus (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
look for disabled... Silent Plz has already done this...:
; Disable support for insecure SSLv2 protocol.
options = NO_SSLv2
; Disable support for insecure SSLv3 protocol.
options = NO_SSLv3
Nice find!, I didn't notice it. ;)
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline bmartino1

  • Tireless poster
  • ****
    • Posts: 901
  • I'm only trying to help i mean no offense.
    • View Profile
    • My HFS Google Drive Shared Link
Info only!

new open ssl..version "m"?... unknown what version you are using... probably already patched.. but:
---------------
National Cyber Awareness System:

OpenSSL Patches Multiple Vulnerabilities
03/19/2015 12:50 PM EDT

Original release date: March 19, 2015
OpenSSL has released new updates addressing multiple vulnerabilities, one of which is classified as a high severity issue. Exploitation could allow a remote attacker to cause a cause a Denial of Service attack against the server.

Updates available include:

OpenSSL 1.0.2a for 1.0.2 users
OpenSSL 1.0.1m for 1.0.1 users
OpenSSL 1.0.0r for 1.0.0 users
OpenSSL 0.9.8zf for 0.9.8 users
Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

OpenSSL Security Advisory: http://openssl.org/news/secadv_20150319.txt
updates: http://www.openssl.org/news/
« Last Edit: March 19, 2015, 08:29:52 PM by bmartino1 »
Files i try to keep and share can be found on my google drive:

https://drive.google.com/drive/folders/1FOWi3Gqaldld6JLXvZ-biDv4RSguf0IC


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
20-03-2015     HFS 2.3d SSL 292g is online.

News:
-  Stable release
Stunnel 5.13 Compiled/running with OpenSSL 1.0.2a

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3d SSL #292g  :
http://silentpliz.perso.sfr.fr/hfs/hfs.292g.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3d_SSL_292g-src.zip
« Last Edit: March 25, 2015, 03:14:20 PM by SilentPliz »


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
26-03-2015     HFS 2.3e SSL 293a is online.

News:
-  Stable release
+ upload: multiple file selection
+ search accounts by typing the first letter
* using jquery's CDN instead of google's
- delete not working after archive http://www.rejetto.com/forum/bug-reports/2-3d-(292)-delete-after-archive-repeats-the-archive-download-again/
- getUri problem http://www.rejetto.com/forum/programmers-corner/last-beta-sources/msg1059938/#msg1059938
- a big MD5 file can hang http://www.rejetto.com/forum/bug-reports/hfs-hangs-on-access/

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293a  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293a.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293a-src.zip
« Last Edit: March 26, 2015, 04:07:17 PM by SilentPliz »


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
26-03-2015     HFS 2.3e SSL 293a is online.

News:
-  Stable release
+ upload: multiple file selection
+ search accounts by typing the first letter
* using jquery's CDN instead of google's
- delete not working after archive http://www.rejetto.com/forum/bug-reports/2-3d-(292)-delete-after-archive-repeats-the-archive-download-again/
- getUri problem http://www.rejetto.com/forum/programmers-corner/last-beta-sources/msg1059938/#msg1059938
- a big MD5 file can hang http://www.rejetto.com/forum/bug-reports/hfs-hangs-on-access/

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293a  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293a.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293a-src.zip


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
30-03-2015     HFS 2.3e SSL 293a is online.

News:
-  Stable release
Stunnel 5.14 Compiled/running with OpenSSL 1.0.2a-fips

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293a  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293a.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293a-src.zip


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
09-04-2015     HFS 2.3e SSL 293b is online.

News:
-  Stable release
Stunnel 5.14 Compiled/running with OpenSSL 1.0.2a-fips

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293b  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293b.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293b-src.zip


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
11-04-2015     HFS 2.3e SSL 293c is online.

News:
-  Stable release
-  button on "vfs tab" : explorer.exe

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293c  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293c.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293c-src.zip


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
17-04-2015     HFS 2.3e SSL 293d is online.

News:
-  Stable release
Stunnel 5.15 Compiled/running with OpenSSL 1.0.2a-fips

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293d  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293d.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293d-src.zip


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1297
  • ....... chut ! shh!
    • View Profile
20-04-2015     HFS 2.3e SSL 293e is online.

News:
-  Stable release
Stunnel 5.16 Compiled/running with OpenSSL 1.0.2a-fips

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3e SSL #293e  :
http://silentpliz.perso.sfr.fr/hfs/hfs.293e.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3e_SSL_293e-src.zip