The Heartbleed OpenSSL Vulnerability and Mail Express

GlobalSCAPE 5
Mail Express


  • Mail Express v3.3 and later


The "Heartbleed Bug" (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library (v1.0.1 before 1.0.1g). This weakness allows an attacker to steal information that is normally protected by the SSL/TLS encryption used to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).

The workarounds below also apply to another vulnerability, CVE-2014-0224, which “does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.”

Functionality Explanation:

Mail Express uses two secure communication implementations, OpenSSL and JSSE, depending on the communication path being used. The OpenSSL implementation in Mail Express uses v1.0.1c, which has been identified as a vulnerable version. Work is in progress to update the OpenSSL library and eliminate this vulnerability. Until a patch is released, the workarounds below can be used to remediate the issue.


  • Use Globalscape® DMZ Gateway® in conjunction with Mail Express.
    • Mail Express uses a different SSL library for its communication with DMZ Gateway and therefore is not susceptible to this vulnerability.
  • Pass traffic through a Threat Management Gateway, such as Microsoft Forefront.
    • Only Microsoft Forefront has been tested and found to prevent the issue.  Results with other applications may vary depending on how they handle the SSL communication.
  • Convert all of your current Mail Express connectors in the server.xml file to use JSSE*.
    • Some systems may see minor performance degradation due to this change.
    • The “FIPS 140-2 approved protocol” setting will be unavailable when using this configuration.  Please contact Globalscape customer support to re-enable this.
    • You’ll want to match the ciphers and SSLEnabledProtocols attributes to your DMZ connectors.
    • You need to edit both the 8443 and the 443 connectors per the attached PDF.
    • Changing the SSL library in Mail Express also requires a change in how the SSL certificate is read by the Mail Express system.  If you have a custom SSL certificate installed, follow the steps in the attached PDF to manually update your keystore.
    • Refer to Tomcat documentation to configure the JSSE connector.
*Attached is a PDF of instructions for manually updating the keystore and editing the APR connectors (e.g., 443 and 8443) to use JSSE connectors. Globalscape Customer Support is available to assist you with reconfiguring your server.xml file, if needed.
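
One way to confirm that the JSSE conversion described above reached every TLS connector, as an added example (not Globalscape's code and not the contents of the attached PDF): the script parses a server.xml and reports which SSL-enabled connectors are still served by APR/OpenSSL. The sample file, its paths, and its cipher and protocol values are constructed; the attribute names are standard Tomcat connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not Mail Express's shipped server.xml: port 443 is still
# an APR connector, port 8443 has been converted to JSSE.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="conf/server.crt"
               SSLCertificateKeyFile="conf/server.key"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="conf/keystore.jks" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# APR-only attributes; JSSE connectors read the certificate from a keystore instead.
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"}

def classify(connector):
    """Return 'apr', 'jsse' or 'auto' for one TLS-enabled <Connector>."""
    protocol = connector.get("protocol", "HTTP/1.1")
    if "Apr" in protocol or APR_ATTRS & set(connector.attrib):
        return "apr"
    if protocol == "HTTP/1.1":
        # Tomcat picks APR at runtime when the native library is loaded.
        return "auto"
    return "jsse"

def audit(server_xml):
    """Map port -> implementation for every connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return {
        c.get("port"): classify(c)
        for c in root.iter("Connector")
        if c.get("SSLEnabled", "false").lower() == "true"
    }

def needs_conversion(server_xml):
    """Ports whose TLS is, or may be, terminated by APR/OpenSSL."""
    return sorted(p for p, impl in audit(server_xml).items() if impl != "jsse")

if __name__ == "__main__":
    for port, impl in audit(SAMPLE_SERVER_XML).items():
        print(port, impl)
```

A connector reported as `auto` leaves the choice to Tomcat at startup, so it should be given an explicit JSSE protocol class like the others.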


Instructions for Heartbleed fix.pdf (117.00 KB, 573 views)

Last Modified: Last Year
Last Modified By: GlobalSCAPE 5
Type: FIX