| Description: Backport upstream SSLv3-removal fix and stop recommending SSLv3 |
| Replaces the configure-time check for SSLv2_client_method with a check for |
| SSLv3_client_method (HAVE_DECL_SSLV3_CLIENT_METHOD), renames tls.c to |
| starttls.c in Makefile.am/Makefile.in, drops the SSLv2 deprecation notice |
| from NEWS, and changes the README.SSL quickstart from "sslproto ssl3"/"tls1" |
| to "sslproto auto". configure is regenerated with GNU Autoconf 2.69. |
| . |
| fetchmail (6.3.26-2) unstable; urgency=low |
| . |
| * New maintainer (closes: #800750). |
| * Backport upstream fix for SSLv3 removal (closes: #804604) and do not |
| recommend SSLv3 (closes: #801178). |
| * Remove quilt and its usage. |
| * Add dh-python to build depends. |
| * Update upstream URLs. |
| * Update watch file. |
| * Update Standards-Version to 3.9.6 . |
| Author: Laszlo Boszormenyi (GCS) <gcs@debian.org> |
| Bug-Debian: https://bugs.debian.org/800750 |
| Bug-Debian: https://bugs.debian.org/801178 |
| Bug-Debian: https://bugs.debian.org/804604 |
| |
| --- |
| The information above should follow the Patch Tagging Guidelines, please |
| checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here |
| are templates for supplementary fields that you might want to add: |
| |
| Origin: <vendor|upstream|other>, <url of original patch> |
| Bug: <url in upstream bugtracker> |
| Bug-Debian: https://bugs.debian.org/<bugnumber> |
| Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> |
| Forwarded: <no|not-needed|url proving that it has been forwarded> |
| Reviewed-By: <name and email of someone who approved the patch> |
| Last-Update: <YYYY-MM-DD> |
| |
| --- fetchmail-6.3.26.orig/Makefile.am |
| +++ fetchmail-6.3.26/Makefile.am |
| @@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 |
| servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ |
| - smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ |
| + smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ |
| xmalloc.h sdump.h sdump.c x509_name_match.c \ |
| fm_strl.h md5c.c |
| if NTLM_ENABLE |
| --- fetchmail-6.3.26.orig/Makefile.in |
| +++ fetchmail-6.3.26/Makefile.in |
| @@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas |
| rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ |
| - fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| + fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| x509_name_match.c fm_strl.h md5c.c ntlmsubr.c |
| @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) |
| am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ |
| rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ |
| servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ |
| smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ |
| - fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ |
| + fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ |
| sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ |
| $(am__objects_1) |
| libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) |
| @@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc |
| servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ |
| - fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| + fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| x509_name_match.c fm_strl.h md5c.c $(am__append_1) |
| libfm_a_LIBADD = $(EXTRAOBJ) |
| libfm_a_DEPENDENCIES = $(EXTRAOBJ) |
| --- fetchmail-6.3.26.orig/NEWS |
| +++ fetchmail-6.3.26/NEWS |
| @@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) |
| * The --bsmtp - mode of operation may be removed in a future release. |
| * Given that OpenSSL is severely underdocumented, and needs license exceptions, |
| fetchmail may switch to a different SSL library. |
| -* SSLv2 support will be removed from a future fetchmail release. It has been |
| - obsolete for more than a decade. |
| |
| -------------------------------------------------------------------------------- |
| |
| --- fetchmail-6.3.26.orig/README.SSL |
| +++ fetchmail-6.3.26/README.SSL |
| @@ -11,36 +11,45 @@ specific to fetchmail. |
| In case of troubles, mail the README.SSL-SERVER file to your ISP and |
| have them check their server configuration against it. |
| |
| -Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether |
| -a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is |
| -totally SSL-wrapped on a separate port. For compatibility reasons, this cannot |
| -be fixed in a bugfix release. |
| +Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a |
| +service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) |
| +or is totally SSL-wrapped on a separate port. For compatibility |
| +reasons, this cannot be fixed in a bugfix or minor release. |
| + |
| +Also, fetchmail 6.4.0 and newer releases changed some of the semantics |
| +as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. |
| +If your server does not support this, you may have to specify --sslproto |
| +ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 |
| +and v3 are broken. |
| |
| - -- Matthias Andree, 2009-05-09 |
| + -- Matthias Andree, 2015-01-16 |
| |
| |
| Quickstart |
| ---------- |
| |
| +Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get |
| +TLSv1.2 support. |
| + |
| For use of SSL or TLS with in-band negotiation on the regular service's port, |
| i. e. with STLS or STARTTLS, use these command line options |
| |
| - --sslproto tls1 --sslcertck |
| + --sslproto auto --sslcertck |
| |
| or these options in the rcfile (after the respective "user"... options) |
| |
| - sslproto tls1 sslcertck |
| + sslproto auto sslcertck |
| |
| |
| For use of SSL or TLS on a separate port, if the whole TCP connection is |
| -SSL-encrypted from the very beginning, use these command line options (in the |
| -rcfile, omit all leading "--"): |
| +SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these |
| +command line options (in the rcfile, omit all leading "--"): |
| |
| - --ssl --sslproto ssl3 --sslcertck |
| + --ssl --sslproto auto --sslcertck |
| |
| or these options in the rcfile (after the respective "user"... options) |
| |
| - ssl sslproto ssl3 sslcertck |
| + ssl sslproto auto sslcertck |
| |
| |
| Background and use (long version :-)) |
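Review bot: The added paragraph beginning "Also, fetchmail 6.4.0 and newer" still tells users to fall back to `--sslproto ssl3` when a server does not negotiate TLSv1, which is exactly the SSLv3 recommendation the changelog says this upload removes (#801178); I would replace that sentence with `If your server does not support this, ask the server operator to enable TLSv1 or newer; do not downgrade to SSLv2 or SSLv3, both of which are broken.` The same paragraph describes what 6.4.0 does, yet this patch is applied to 6.3.26, so a reader cannot tell whether the patched 6.3.26 really restricts negotiation to TLSv1 or newer — the note should state what this build does, or be dropped. The Quickstart now recommends `sslproto auto`, which only helps if the patched option parser accepts `auto`; that change is not in this part of the diff, so please confirm it, otherwise the recommended value may be rejected or silently ignored and users will be no better off than before.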
| --- fetchmail-6.3.26.orig/config.h.in |
| +++ fetchmail-6.3.26/config.h.in |
| @@ -49,9 +49,9 @@ |
| don't. */ |
| #undef HAVE_DECL_H_ERRNO |
| |
| -/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 |
| +/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 |
| if you don't. */ |
| -#undef HAVE_DECL_SSLV2_CLIENT_METHOD |
| +#undef HAVE_DECL_SSLV3_CLIENT_METHOD |
| |
| /* Define to 1 if you have the declaration of `strerror', and to 0 if you |
| don't. */ |
| --- fetchmail-6.3.26.orig/configure |
| +++ fetchmail-6.3.26/configure |
| @@ -1,13 +1,11 @@ |
| #! /bin/sh |
| # Guess values for system-dependent variables and create Makefiles. |
| -# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. |
| +# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. |
| # |
| # Report bugs to <fetchmail-users@lists.berlios.de>. |
| # |
| # |
| -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, |
| -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software |
| -# Foundation, Inc. |
| +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
| # |
| # |
| # This configure script is free software; the Free Software Foundation |
| @@ -136,6 +134,31 @@ export LANGUAGE |
| # CDPATH. |
| (unset CDPATH) >/dev/null 2>&1 && unset CDPATH |
| |
| +# Use a proper internal environment variable to ensure we don't fall |
| + # into an infinite loop, continuously re-executing ourselves. |
| + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then |
| + _as_can_reexec=no; export _as_can_reexec; |
| + # We cannot yet assume a decent shell, so we have to provide a |
| +# neutralization value for shells without unset; and this also |
| +# works around shells that cannot unset nonexistent variables. |
| +# Preserve -v and -x to the replacement shell. |
| +BASH_ENV=/dev/null |
| +ENV=/dev/null |
| +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| +case $- in # (((( |
| + *v*x* | *x*v* ) as_opts=-vx ;; |
| + *v* ) as_opts=-v ;; |
| + *x* ) as_opts=-x ;; |
| + * ) as_opts= ;; |
| +esac |
| +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} |
| +# Admittedly, this is quite paranoid, since all the known shells bail |
| +# out after a failed `exec'. |
| +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 |
| +as_fn_exit 255 |
| + fi |
| + # We don't want this to propagate to other subprocesses. |
| + { _as_can_reexec=; unset _as_can_reexec;} |
| if test "x$CONFIG_SHELL" = x; then |
| as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : |
| emulate sh |
| @@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test |
| else |
| exitcode=1; echo positional parameters were not saved. |
| fi |
| -test x\$exitcode = x0 || exit 1" |
| +test x\$exitcode = x0 || exit 1 |
| +test -x / || exit 1" |
| as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO |
| as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO |
| eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && |
| @@ -214,21 +238,25 @@ IFS=$as_save_IFS |
| |
| |
| if test "x$CONFIG_SHELL" != x; then : |
| - # We cannot yet assume a decent shell, so we have to provide a |
| - # neutralization value for shells without unset; and this also |
| - # works around shells that cannot unset nonexistent variables. |
| - # Preserve -v and -x to the replacement shell. |
| - BASH_ENV=/dev/null |
| - ENV=/dev/null |
| - (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| - export CONFIG_SHELL |
| - case $- in # (((( |
| - *v*x* | *x*v* ) as_opts=-vx ;; |
| - *v* ) as_opts=-v ;; |
| - *x* ) as_opts=-x ;; |
| - * ) as_opts= ;; |
| - esac |
| - exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} |
| + export CONFIG_SHELL |
| + # We cannot yet assume a decent shell, so we have to provide a |
| +# neutralization value for shells without unset; and this also |
| +# works around shells that cannot unset nonexistent variables. |
| +# Preserve -v and -x to the replacement shell. |
| +BASH_ENV=/dev/null |
| +ENV=/dev/null |
| +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| +case $- in # (((( |
| + *v*x* | *x*v* ) as_opts=-vx ;; |
| + *v* ) as_opts=-v ;; |
| + *x* ) as_opts=-x ;; |
| + * ) as_opts= ;; |
| +esac |
| +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} |
| +# Admittedly, this is quite paranoid, since all the known shells bail |
| +# out after a failed `exec'. |
| +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 |
| +exit 255 |
| fi |
| |
| if test x$as_have_required = xno; then : |
| @@ -331,6 +359,14 @@ $as_echo X"$as_dir" | |
| |
| |
| } # as_fn_mkdir_p |
| + |
| +# as_fn_executable_p FILE |
| +# ----------------------- |
| +# Test if FILE is an executable regular file. |
| +as_fn_executable_p () |
| +{ |
| + test -f "$1" && test -x "$1" |
| +} # as_fn_executable_p |
| # as_fn_append VAR VALUE |
| # ---------------------- |
| # Append the text in VALUE to the end of the definition contained in VAR. Take |
| @@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits |
| chmod +x "$as_me.lineno" || |
| { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } |
| |
| + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have |
| + # already done that, so ensure we don't try to do so again and fall |
| + # in an infinite loop. This has already happened in practice. |
| + _as_can_reexec=no; export _as_can_reexec |
| # Don't try to exec as it changes $[0], causing all sort of problems |
| # (the dirname of $[0] is not the place where we might find the |
| # original and so on. Autoconf is especially sensitive to this). |
| @@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then |
| # ... but there are two gotchas: |
| # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. |
| # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. |
| - # In both cases, we have to default to `cp -p'. |
| + # In both cases, we have to default to `cp -pR'. |
| ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| elif ln conf$$.file conf$$ 2>/dev/null; then |
| as_ln_s=ln |
| else |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| fi |
| else |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| fi |
| rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file |
| rmdir conf$$.dir 2>/dev/null |
| @@ -507,28 +547,8 @@ else |
| as_mkdir_p=false |
| fi |
| |
| -if test -x / >/dev/null 2>&1; then |
| - as_test_x='test -x' |
| -else |
| - if ls -dL / >/dev/null 2>&1; then |
| - as_ls_L_option=L |
| - else |
| - as_ls_L_option= |
| - fi |
| - as_test_x=' |
| - eval sh -c '\'' |
| - if test -d "$1"; then |
| - test -d "$1/."; |
| - else |
| - case $1 in #( |
| - -*)set "./$1";; |
| - esac; |
| - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( |
| - ???[sx]*):;;*)false;;esac;fi |
| - '\'' sh |
| - ' |
| -fi |
| -as_executable_p=$as_test_x |
| +as_test_x='test -x' |
| +as_executable_p=as_fn_executable_p |
| |
| # Sed expression to map a string onto a valid CPP name. |
| as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" |
| @@ -742,6 +762,7 @@ infodir |
| docdir |
| oldincludedir |
| includedir |
| +runstatedir |
| localstatedir |
| sharedstatedir |
| sysconfdir |
| @@ -841,6 +862,7 @@ datadir='${datarootdir}' |
| sysconfdir='${prefix}/etc' |
| sharedstatedir='${prefix}/com' |
| localstatedir='${prefix}/var' |
| +runstatedir='${localstatedir}/run' |
| includedir='${prefix}/include' |
| oldincludedir='/usr/include' |
| docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' |
| @@ -1093,6 +1115,15 @@ do |
| | -silent | --silent | --silen | --sile | --sil) |
| silent=yes ;; |
| |
| + -runstatedir | --runstatedir | --runstatedi | --runstated \ |
| + | --runstate | --runstat | --runsta | --runst | --runs \ |
| + | --run | --ru | --r) |
| + ac_prev=runstatedir ;; |
| + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ |
| + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ |
| + | --run=* | --ru=* | --r=*) |
| + runstatedir=$ac_optarg ;; |
| + |
| -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) |
| ac_prev=sbindir ;; |
| -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ |
| @@ -1230,7 +1261,7 @@ fi |
| for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ |
| datadir sysconfdir sharedstatedir localstatedir includedir \ |
| oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ |
| - libdir localedir mandir |
| + libdir localedir mandir runstatedir |
| do |
| eval ac_val=\$$ac_var |
| # Remove trailing slashes. |
| @@ -1258,8 +1289,6 @@ target=$target_alias |
| if test "x$host_alias" != x; then |
| if test "x$build_alias" = x; then |
| cross_compiling=maybe |
| - $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. |
| - If a cross compiler is detected then cross compile mode will be used" >&2 |
| elif test "x$build_alias" != "x$host_alias"; then |
| cross_compiling=yes |
| fi |
| @@ -1385,6 +1414,7 @@ Fine tuning of the installation director |
| --sysconfdir=DIR read-only single-machine data [PREFIX/etc] |
| --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] |
| --localstatedir=DIR modifiable single-machine data [PREFIX/var] |
| + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] |
| --libdir=DIR object code libraries [EPREFIX/lib] |
| --includedir=DIR C header files [PREFIX/include] |
| --oldincludedir=DIR C header files for non-gcc [/usr/include] |
| @@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat |
| if $ac_init_version; then |
| cat <<\_ACEOF |
| fetchmail configure 6.3.26 |
| -generated by GNU Autoconf 2.68 |
| +generated by GNU Autoconf 2.69 |
| |
| -Copyright (C) 2010 Free Software Foundation, Inc. |
| +Copyright (C) 2012 Free Software Foundation, Inc. |
| This configure script is free software; the Free Software Foundation |
| gives unlimited permission to copy, distribute and modify it. |
| _ACEOF |
| @@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 |
| test ! -s conftest.err |
| } && test -s conftest$ac_exeext && { |
| test "$cross_compiling" = yes || |
| - $as_test_x conftest$ac_exeext |
| + test -x conftest$ac_exeext |
| }; then : |
| ac_retval=0 |
| else |
| @@ -2030,7 +2060,8 @@ int |
| main () |
| { |
| static int test_array [1 - 2 * !(($2) >= 0)]; |
| -test_array [0] = 0 |
| +test_array [0] = 0; |
| +return test_array [0]; |
| |
| ; |
| return 0; |
| @@ -2046,7 +2077,8 @@ int |
| main () |
| { |
| static int test_array [1 - 2 * !(($2) <= $ac_mid)]; |
| -test_array [0] = 0 |
| +test_array [0] = 0; |
| +return test_array [0]; |
| |
| ; |
| return 0; |
| @@ -2072,7 +2104,8 @@ int |
| main () |
| { |
| static int test_array [1 - 2 * !(($2) < 0)]; |
| -test_array [0] = 0 |
| +test_array [0] = 0; |
| +return test_array [0]; |
| |
| ; |
| return 0; |
| @@ -2088,7 +2121,8 @@ int |
| main () |
| { |
| static int test_array [1 - 2 * !(($2) >= $ac_mid)]; |
| -test_array [0] = 0 |
| +test_array [0] = 0; |
| +return test_array [0]; |
| |
| ; |
| return 0; |
| @@ -2122,7 +2156,8 @@ int |
| main () |
| { |
| static int test_array [1 - 2 * !(($2) <= $ac_mid)]; |
| -test_array [0] = 0 |
| +test_array [0] = 0; |
| +return test_array [0]; |
| |
| ; |
| return 0; |
| @@ -2195,7 +2230,7 @@ This file contains any messages produced |
| running configure, to aid debugging if configure makes a mistake. |
| |
| It was created by fetchmail $as_me 6.3.26, which was |
| -generated by GNU Autoconf 2.68. Invocation command line was |
| +generated by GNU Autoconf 2.69. Invocation command line was |
| |
| $ $0 $@ |
| |
| @@ -2689,7 +2724,7 @@ case $as_dir/ in #(( |
| # by default. |
| for ac_prog in ginstall scoinst install; do |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then |
| if test $ac_prog = install && |
| grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then |
| # AIX install. It has an incompatible calling convention. |
| @@ -2858,7 +2893,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_STRIP="${ac_tool_prefix}strip" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -2898,7 +2933,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_ac_ct_STRIP="strip" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -2949,7 +2984,7 @@ do |
| test -z "$as_dir" && as_dir=. |
| for ac_prog in mkdir gmkdir; do |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue |
| + as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue |
| case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( |
| 'mkdir (GNU coreutils) '* | \ |
| 'mkdir (coreutils) '* | \ |
| @@ -3002,7 +3037,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_AWK="$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3295,7 +3330,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3466,7 +3501,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_AWK="$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3512,7 +3547,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_CC="${ac_tool_prefix}gcc" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3552,7 +3587,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_ac_ct_CC="gcc" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3605,7 +3640,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_CC="${ac_tool_prefix}cc" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3646,7 +3681,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then |
| ac_prog_rejected=yes |
| continue |
| @@ -3704,7 +3739,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_CC="$ac_tool_prefix$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -3748,7 +3783,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_ac_ct_CC="$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ |
| /* end confdefs.h. */ |
| #include <stdarg.h> |
| #include <stdio.h> |
| -#include <sys/types.h> |
| -#include <sys/stat.h> |
| +struct stat; |
| /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ |
| struct buf { int x; }; |
| FILE * (*rcsopen) (struct buf *, struct stat *, int); |
| @@ -4751,7 +4785,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -4791,7 +4825,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_ac_ct_RANLIB="ranlib" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -4859,7 +4893,7 @@ do |
| for ac_prog in grep ggrep; do |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" |
| - { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue |
| + as_fn_executable_p "$ac_path_GREP" || continue |
| # Check for GNU ac_path_GREP and select it if it is found. |
| # Check for GNU $ac_path_GREP |
| case `"$ac_path_GREP" --version 2>&1` in |
| @@ -4925,7 +4959,7 @@ do |
| for ac_prog in egrep; do |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" |
| - { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue |
| + as_fn_executable_p "$ac_path_EGREP" || continue |
| # Check for GNU ac_path_EGREP and select it if it is found. |
| # Check for GNU $ac_path_EGREP |
| case `"$ac_path_EGREP" --version 2>&1` in |
| @@ -5132,8 +5166,8 @@ else |
| cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
| /* end confdefs.h. */ |
| |
| -# define __EXTENSIONS__ 1 |
| - $ac_includes_default |
| +# define __EXTENSIONS__ 1 |
| + $ac_includes_default |
| int |
| main () |
| { |
| @@ -5513,11 +5547,11 @@ else |
| int |
| main () |
| { |
| -/* FIXME: Include the comments suggested by Paul. */ |
| + |
| #ifndef __cplusplus |
| - /* Ultrix mips cc rejects this. */ |
| + /* Ultrix mips cc rejects this sort of thing. */ |
| typedef int charset[2]; |
| - const charset cs; |
| + const charset cs = { 0, 0 }; |
| /* SunOS 4.1.1 cc rejects this. */ |
| char const *const *pcpcc; |
| char **ppc; |
| @@ -5534,8 +5568,9 @@ main () |
| ++pcpcc; |
| ppc = (char**) pcpcc; |
| pcpcc = (char const *const *) ppc; |
| - { /* SCO 3.2v4 cc rejects this. */ |
| - char *t; |
| + { /* SCO 3.2v4 cc rejects this sort of thing. */ |
| + char tx; |
| + char *t = &tx; |
| char const *s = 0 ? (char *) 0 : (char const *) 0; |
| |
| *t++ = 0; |
| @@ -5551,10 +5586,10 @@ main () |
| iptr p = 0; |
| ++p; |
| } |
| - { /* AIX XL C 1.02.0.0 rejects this saying |
| + { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying |
| "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ |
| - struct s { int j; const int *ap[3]; }; |
| - struct s *b; b->j = 5; |
| + struct s { int j; const int *ap[3]; } bx; |
| + struct s *b = &bx; b->j = 5; |
| } |
| { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ |
| const int foo = 10; |
| @@ -5600,7 +5635,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_LEX="$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -5632,7 +5667,8 @@ a { ECHO; } |
| b { REJECT; } |
| c { yymore (); } |
| d { yyless (1); } |
| -e { yyless (input () != 0); } |
| +e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ |
| + yyless ((input () != 0)); } |
| f { unput (yytext[0]); } |
| . { BEGIN INITIAL; } |
| %% |
| @@ -5792,7 +5828,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_prog_YACC="$ac_prog" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -6044,7 +6080,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -8548,7 +8584,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -8590,7 +8626,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -8632,7 +8668,7 @@ do |
| IFS=$as_save_IFS |
| test -z "$as_dir" && as_dir=. |
| for ac_exec_ext in '' $ac_executable_extensions; do |
| - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" |
| $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| break 2 |
| @@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r |
| fi |
| |
| case "$LIBS" in *-lssl*) |
| - ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h> |
| + ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h> |
| " |
| -if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : |
| +if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : |
| ac_have_decl=1 |
| else |
| ac_have_decl=0 |
| fi |
| |
| cat >>confdefs.h <<_ACEOF |
| -#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl |
| +#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl |
| _ACEOF |
| |
| ;; |
| @@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then |
| # ... but there are two gotchas: |
| # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. |
| # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. |
| - # In both cases, we have to default to `cp -p'. |
| + # In both cases, we have to default to `cp -pR'. |
| ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| elif ln conf$$.file conf$$ 2>/dev/null; then |
| as_ln_s=ln |
| else |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| fi |
| else |
| - as_ln_s='cp -p' |
| + as_ln_s='cp -pR' |
| fi |
| rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file |
| rmdir conf$$.dir 2>/dev/null |
| @@ -11403,28 +11439,16 @@ else |
| as_mkdir_p=false |
| fi |
| |
| -if test -x / >/dev/null 2>&1; then |
| - as_test_x='test -x' |
| -else |
| - if ls -dL / >/dev/null 2>&1; then |
| - as_ls_L_option=L |
| - else |
| - as_ls_L_option= |
| - fi |
| - as_test_x=' |
| - eval sh -c '\'' |
| - if test -d "$1"; then |
| - test -d "$1/."; |
| - else |
| - case $1 in #( |
| - -*)set "./$1";; |
| - esac; |
| - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( |
| - ???[sx]*):;;*)false;;esac;fi |
| - '\'' sh |
| - ' |
| -fi |
| -as_executable_p=$as_test_x |
| + |
| +# as_fn_executable_p FILE |
| +# ----------------------- |
| +# Test if FILE is an executable regular file. |
| +as_fn_executable_p () |
| +{ |
| + test -f "$1" && test -x "$1" |
| +} # as_fn_executable_p |
| +as_test_x='test -x' |
| +as_executable_p=as_fn_executable_p |
| |
| # Sed expression to map a string onto a valid CPP name. |
| as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" |
| @@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri |
| # values after options handling. |
| ac_log=" |
| This file was extended by fetchmail $as_me 6.3.26, which was |
| -generated by GNU Autoconf 2.68. Invocation command line was |
| +generated by GNU Autoconf 2.69. Invocation command line was |
| |
| CONFIG_FILES = $CONFIG_FILES |
| CONFIG_HEADERS = $CONFIG_HEADERS |
| @@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ |
| ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
| ac_cs_version="\\ |
| fetchmail config.status 6.3.26 |
| -configured by $0, generated by GNU Autoconf 2.68, |
| +configured by $0, generated by GNU Autoconf 2.69, |
| with options \\"\$ac_cs_config\\" |
| |
| -Copyright (C) 2010 Free Software Foundation, Inc. |
| +Copyright (C) 2012 Free Software Foundation, Inc. |
| This config.status script is free software; the Free Software Foundation |
| gives unlimited permission to copy, distribute and modify it." |
| |
| @@ -11606,7 +11630,7 @@ fi |
| _ACEOF |
| cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
| if \$ac_cs_recheck; then |
| - set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion |
| + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion |
| shift |
| \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 |
| CONFIG_SHELL='$SHELL' |
| --- fetchmail-6.3.26.orig/configure.ac |
| +++ fetchmail-6.3.26/configure.ac |
| @@ -802,7 +802,7 @@ else |
| fi |
| |
| case "$LIBS" in *-lssl*) |
| - AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>]) |
| + AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>]) |
| ;; |
| esac |
| |
| --- fetchmail-6.3.26.orig/fetchmail-FAQ.html |
| +++ fetchmail-6.3.26/fetchmail-FAQ.html |
| @@ -667,8 +667,8 @@ because there is not currently a standar |
| also uses this method, so the two will interoperate happily. They |
| better, because this is how Craig gets his mail ;-)</p> |
| |
| -<p>Finally, you can use <a href="#K5">SSL</a> for complete |
| -end-to-end encryption if you have an SSL-enabled mailserver.</p> |
| +<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete |
| +end-to-end encryption if you have a TLS-enabled mailserver.</p> |
| |
| <h2><a id="G11" name="G11">G11. Is any special configuration needed |
| to use a dynamic IP address?</a></h2> |
| @@ -2120,7 +2120,7 @@ SSL?</a></h2> |
| |
| <p>You'll need to have the <a |
| href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they |
| -should at least be version 0.9.7. |
| +should at least be version 0.9.8, with 1.0.1 preferred. |
| Configure with --with-ssl. If you have the OpenSSL libraries |
| installed in commonly-used default locations, this will |
| suffice. If you have them installed in a non-default location, |
| @@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p> |
| <p>Fetchmail binaries built this way support <code>ssl</code>, |
| <code>sslkey</code>, and <code>sslcert</code> options that control |
| SSL encryption, and will automatically use <code>tls</code> if the |
| -server offers it. You will need to have an SSL-enabled mailserver to |
| +server offers it. You will need to have an SSL/TLS-enabled mailserver to |
| use these options. See the manual page for details and some words |
| of care on the limited security provided.</p> |
| |
| @@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s |
| protocol imap username MYUSERNAME password MYPASSWORD |
| </pre> |
| |
| -<p>You should note that SSL is only secure against a "man-in-the-middle" |
| -attack if the client is able to verify that the peer's public key is the |
| -correct one, and has not been substituted by an attacker. fetchmail can do |
| -this in one of two ways: by verifying the SSL certificate, or by checking |
| -the fingerprint of the peer's public key.</p> |
| +<p>You should note that SSL or TLS are only secure against a |
| +"man-in-the-middle" attack if the client is able to verify that the |
| +peer's public key is the correct one, and has not been substituted by an |
| +attacker. fetchmail can do this in one of two ways: by verifying the SSL |
| +certificate, or by checking the fingerprint of the peer's public |
| +key.</p> |
| |
| -<p>There are three parts to SSL certificate verification: checking that the |
| +<p>There are three parts to TLS certificate verification: checking that the |
| domain name in the certificate matches the hostname you asked to connect to; |
| checking that the certificate expiry date has not passed; and checking that |
| the certificate has been signed by a known Certificate Authority (CA). This |
| @@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati |
| time. This can however cause problems if the upstream didn't configure |
| his certificates properly.</p> |
| |
| -<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS) |
| -negotiation, add this option:</p> |
| +<p>In order to prevent fetchmail 6.4.0 and newer versions from trying |
| +STLS or STARTTLS negotiation, add this option:</p> |
| +<pre>sslproto ''</pre> |
| + |
| +<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) |
| +negotiation where the above does not work, try this option:</p> |
| |
| <pre>sslproto ssl23</pre> |
| |
| @@ -2876,15 +2881,22 @@ need to say something like '<code>envelo |
| |
| <pre> |
| Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92]) |
| - by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088 |
| - for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700 |
| + by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088 |
| + for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700 |
| </pre> |
| |
| -<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your |
| -mailserver before accepting 'ksturgeon@fbceg.org' as an envelope |
| +<p>it checks to see if 'iserv.example.net' is a DNS alias of your |
| +mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope |
| address. This check might fail if your DNS were misconfigured, or |
| -if you were using 'no dns' and had failed to declare iserv.ttns.net |
| -as an alias of your server.</p> |
| +if you were using 'no dns' and had failed to declare iserv.example.net |
| +as an alias of your server. The typical hint is logging similar to: |
| +<code>line rejected, iserv.example.net is not an alias of the mailserver</code>, |
| +if you use fetchmail in verbose mode.</p> |
| + |
| +<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka |
| + <em>iserv.example.net</em></code> statements in the rcfile. Replace |
| +<em>iserv.example.net</em> by the name you find in <strong>your</strong> |
| +'by' part of the 'Received:' line.</p> |
| |
| <h2><a id="M8" name="M8">M8. Users are getting multiple copies of |
| messages.</a></h2> |
| @@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p> |
| <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my |
| messages.</a></h2> |
| |
| +<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p> |
| + |
| <p>Due to the problem described in <a href="#S2">S2</a>, the |
| IMAP support in fetchmail cannot follow the IMAP protocol 100 %. |
| Most of the time it doesn't matter, but if you combine it with an |
| @@ -3279,8 +3293,6 @@ it at the end of the message it forwards |
| on, you'll get a message about actual != expected.</li> |
| </ol> |
| |
| -<p>There is no fix for this.</p> |
| - |
| <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header |
| with Domino IMAP</a></h2> |
| |
| --- fetchmail-6.3.26.orig/fetchmail.c |
| +++ fetchmail-6.3.26/fetchmail.c |
| @@ -54,6 +54,10 @@ |
| #define ENETUNREACH 128 /* Interactive doesn't know this */ |
| #endif /* ENETUNREACH */ |
| |
| +#ifdef SSL_ENABLE |
| +#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ |
| +#endif |
| + |
| /* prototypes for internal functions */ |
| static int load_params(int, char **, int); |
| static void dump_params (struct runctl *runp, struct query *, flag implicit); |
| @@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { |
| "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" |
| " Robert M. Funk, Graham Wilson\n" |
| "Copyright (C) 2005 - 2012 Sunil Shetye\n" |
| - "Copyright (C) 2005 - 2013 Matthias Andree\n" |
| + "Copyright (C) 2005 - 2015 Matthias Andree\n" |
| )); |
| fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" |
| "are welcome to redistribute it under certain conditions. For details,\n" |
| @@ -262,6 +266,9 @@ int main(int argc, char **argv) |
| #endif /* ODMR_ENABLE */ |
| #ifdef SSL_ENABLE |
| "+SSL" |
| +#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) |
| + "-SSLv3" |
| +#endif |
| #endif |
| #ifdef OPIE_ENABLE |
| "+OPIE" |
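Review bot: The SSLv3 availability test here, `#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3)`, disagrees with the one the socket.c hunk at `@@ -906,25 +908,57 @@` uses, `(HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0)`. OpenSSL's opensslconf.h typically defines OPENSSL_NO_SSL3 with an empty expansion, in which case `OPENSSL_NO_SSL3 + 0` is 0 whether or not the macro is defined, so the socket.c branch would still compile the `SSLv3_client_method()` call on a no-ssl3 build while the banner here correctly reports `-SSLv3`. The `defined()` form used in this hunk is the robust one; socket.c should read `#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0) && !defined(OPENSSL_NO_SSL3)`. main() continues outside this hunk.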
| --- fetchmail-6.3.26.orig/fetchmail.h |
| +++ fetchmail-6.3.26/fetchmail.h |
| @@ -771,9 +771,9 @@ int servport(const char *service); |
| int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); |
| void fm_freeaddrinfo(struct addrinfo *ai); |
| |
| -/* prototypes from tls.c */ |
| -int maybe_tls(struct query *ctl); |
| -int must_tls(struct query *ctl); |
| +/* prototypes from starttls.c */ |
| +int maybe_starttls(struct query *ctl); |
| +int must_starttls(struct query *ctl); |
| |
| /* prototype from rfc822valid.c */ |
| int rfc822_valid_msgid(const unsigned char *); |
| --- fetchmail-6.3.26.orig/fetchmail.man |
| +++ fetchmail-6.3.26/fetchmail.man |
| @@ -412,23 +412,22 @@ from. The folder information is written |
| .B \-\-ssl |
| (Keyword: ssl) |
| .br |
| -Causes the connection to the mail server to be encrypted |
| -via SSL. Connect to the server using the specified base protocol over a |
| -connection secured by SSL. This option defeats opportunistic starttls |
| -negotiation. It is highly recommended to use \-\-sslproto 'SSL3' |
| -\-\-sslcertck to validate the certificates presented by the server and |
| -defeat the obsolete SSLv2 negotiation. More information is available in |
| -the \fIREADME.SSL\fP file that ships with fetchmail. |
| -.IP |
| -Note that fetchmail may still try to negotiate SSL through starttls even |
| -if this option is omitted. You can use the \-\-sslproto option to defeat |
| -this behavior or tell fetchmail to negotiate a particular SSL protocol. |
| +Causes the connection to the mail server to be encrypted via SSL, by |
| +negotiating SSL directly after connecting (SSL-wrapped mode). It is |
| +highly recommended to use \-\-sslcertck to validate the certificates |
| +presented by the server. Please see the description of \-\-sslproto |
| +below! More information is available in the \fIREADME.SSL\fP file that |
| +ships with fetchmail. |
| +.IP |
| +Note that even if this option is omitted, fetchmail may still negotiate |
| +SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You |
| +can use the \-\-sslproto option to modify that behavior. |
| .IP |
| If no port is specified, the connection is attempted to the well known |
| port of the SSL version of the base protocol. This is generally a |
| different port than the port used by the base protocol. For IMAP, this |
| is port 143 for the clear protocol and port 993 for the SSL secured |
| -protocol, for POP3, it is port 110 for the clear text and port 995 for |
| +protocol; for POP3, it is port 110 for the clear text and port 995 for |
| the encrypted variant. |
| .IP |
| If your system lacks the corresponding entries from /etc/services, see |
| @@ -470,39 +469,73 @@ cause some complications in daemon mode. |
| .IP |
| Also see \-\-sslcert above. |
| .TP |
| -.B \-\-sslproto <name> |
| -(Keyword: sslproto) |
| +.B \-\-sslproto <value> |
| +(Keyword: sslproto, NOTE: semantic changes since v6.4.0) |
| .br |
| -Forces an SSL/TLS protocol. Possible values are \fB''\fP, |
| -\&'\fBSSL2\fP' (not supported on all systems), |
| -\&'\fBSSL23\fP', (use of these two values is discouraged |
| -and should only be used as a last resort) \&'\fBSSL3\fP', and |
| -\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for |
| -connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will |
| -opportunistically try STARTTLS negotiation with TLS1. You can configure |
| -this option explicitly if the default handshake (TLS1 if \-\-ssl is not |
| -used) does not work for your server. |
| -.IP |
| -Use this option with '\fBTLS1\fP' value to enforce a STARTTLS |
| -connection. In this mode, it is highly recommended to also use |
| -\-\-sslcertck (see below). Note that this will then cause fetchmail |
| -v6.3.19 to force STARTTLS negotiation even if it is not advertised by |
| -the server. |
| -.IP |
| -To defeat opportunistic TLSv1 negotiation when the server advertises |
| -STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This |
| -option, even if the argument is the empty string, will also suppress the |
| -diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose |
| -mode. The default is to try appropriate protocols depending on context. |
| +This option has a dual use, out of historic fetchmail behaviour. It |
| +controls both the SSL/TLS protocol version and, if \-\-ssl is not |
| +specified, the STARTTLS behaviour (upgrading the protocol to an SSL or |
| +TLS connection in-band). Some other options may however make TLS |
| +mandatory. |
| +.PP |
| +Only if this option and \-\-ssl are both missing for a poll, there will |
| +be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to |
| +upgrade to TLSv1 or newer. |
| +.PP |
| +Recognized values for \-\-sslproto are given below. You should normally |
| +chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of |
| +the options ending in a plus (\fB+\fP) character. Note that depending |
| +on OpenSSL library version and configuration, some options cause |
| +run-time errors because the requested SSL or TLS versions are not |
| +supported by the particular installed OpenSSL library. |
| +.RS |
| +.IP "\fB''\fP, the empty string" |
| +Disable STARTTLS. If \-\-ssl is given for the same server, log an error |
| +and pretend that '\fBauto\fP' had been used instead. |
| +.IP '\fBauto\fP' |
| +(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. |
| +(fetchmail 6.3.26 and older have auto-negotiated all protocols that |
| +their OpenSSL library supported, including the broken SSLv3). |
| +.IP "\&'\fBSSL23\fP' |
| +see '\fBauto\fP'. |
| +.IP \&'\fBSSL3\fP' |
| +Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it |
| +if possible. This will make fetchmail negotiate SSLv3 only, and is the |
| +only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. |
| +.IP \&'\fBSSL3+\fP' |
| +same as '\fBauto\fP', but permit SSLv3 as well. This is the only way |
| +besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. |
| +.IP \&'\fBTLS1\fP' |
| +Require TLSv1. This does not negotiate TLSv1.1 or newer, and is |
| +discouraged. Replace by TLS1+ unless the latter chokes your server. |
| +.IP \&'\fBTLS1+\fP' |
| +Since v6.4.0. See 'fBauto\fP'. |
| +.IP \&'\fBTLS1.1\fP' |
| +Since v6.4.0. Require TLS v1.1 exactly. |
| +.IP \&'\fBTLS1.1+\fP' |
| +Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. |
| +.IP \&'\fBTLS1.2\fP' |
| +Since v6.4.0. Require TLS v1.2 exactly. |
| +.IP '\fBTLS1.2+\fP' |
| +Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. |
| +.IP "Unrecognized parameters" |
| +are treated the same as '\fBauto\fP'. |
| +.RE |
| +.IP |
| +NOTE: you should hardly ever need to use anything other than '' (to |
| +force an unencrypted connection) or 'auto' (to enforce TLS). |
| .TP |
| .B \-\-sslcertck |
| (Keyword: sslcertck) |
| .br |
| -Causes fetchmail to strictly check the server certificate against a set of |
| -local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP |
| -options). If the server certificate cannot be obtained or is not signed by one |
| -of the trusted ones (directly or indirectly), the SSL connection will fail, |
| -regardless of the \fBsslfingerprint\fP option. |
| +Causes fetchmail to require that SSL/TLS be used and disconnect if it |
| +can not successfully negotiate SSL or TLS, or if it cannot successfully |
| +verify and validate the certificate and follow it to a trust anchor (or |
| +trusted root certificate). The trust anchors are given as a set of local |
| +trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP |
| +options). If the server certificate cannot be obtained or is not signed |
| +by one of the trusted ones (directly or indirectly), fetchmail will |
| +disconnect, regardless of the \fBsslfingerprint\fP option. |
| .IP |
| Note that CRL (certificate revocation lists) are only supported in |
| OpenSSL 0.9.7 and newer! Your system clock should also be reasonably |
| @@ -1202,31 +1235,33 @@ capability response. Specify a user opti |
| username and the part to the right as the NTLM domain. |
| |
| .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) |
| +.PP All retrieval protocols can use SSL or TLS wrapping for the |
| +transport. Additionally, POP3 and IMAP retrival can also negotiate |
| +SSL/TLS by means of STARTTLS (or STLS). |
| .PP |
| Note that fetchmail currently uses the OpenSSL library, which is |
| severely underdocumented, so failures may occur just because the |
| programmers are not aware of OpenSSL's requirement of the day. |
| For instance, since v6.3.16, fetchmail calls |
| OpenSSL_add_all_algorithms(), which is necessary to support certificates |
| -using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the |
| -documentation and not at all obvious. Please do not hesitate to report |
| -subtle SSL failures. |
| -.PP |
| -You can access SSL encrypted services by specifying the \-\-ssl option. |
| -You can also do this using the "ssl" user option in the .fetchmailrc |
| -file. With SSL encryption enabled, queries are initiated over a |
| -connection after negotiating an SSL session, and the connection fails if |
| -SSL cannot be negotiated. Some services, such as POP3 and IMAP, have |
| +using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in |
| +the documentation and not at all obvious. Please do not hesitate to |
| +report subtle SSL failures. |
| +.PP |
| +You can access SSL encrypted services by specifying the options starting |
| +with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. |
| +You can also do this using the corresponding user options in the .fetchmailrc |
| +file. Some services, such as POP3 and IMAP, have |
| different well known ports defined for the SSL encrypted services. The |
| encrypted ports will be selected automatically when SSL is enabled and |
| -no explicit port is specified. The \-\-sslproto 'SSL3' option should be |
| -used to select the SSLv3 protocol (default if unset: v2 or v3). Also, |
| -the \-\-sslcertck command line or sslcertck run control file option |
| -should be used to force strict certificate checking - see below. |
| +no explicit port is specified. Also, the \-\-sslcertck command line or |
| +sslcertck run control file option should be used to force strict |
| +certificate checking - see below. |
| .PP |
| If SSL is not configured, fetchmail will usually opportunistically try to use |
| -STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS |
| -connections use the same port as the unencrypted version of the |
| +STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and |
| +defeated by using \-\-sslproto\~''. |
| +TLS connections use the same port as the unencrypted version of the |
| protocol and negotiate TLS via special command. The \-\-sslcertck |
| command line or sslcertck run control file option should be used to |
| force strict certificate checking - see below. |
| --- fetchmail-6.3.26.orig/imap.c |
| +++ fetchmail-6.3.26/imap.c |
| @@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct |
| /* apply for connection authorization */ |
| { |
| int ok = 0; |
| + char *commonname; |
| + |
| (void)greeting; |
| |
| /* |
| @@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct |
| return(PS_SUCCESS); |
| } |
| |
| -#ifdef SSL_ENABLE |
| - if (maybe_tls(ctl)) { |
| - char *commonname; |
| - |
| - commonname = ctl->server.pollname; |
| - if (ctl->server.via) |
| - commonname = ctl->server.via; |
| - if (ctl->sslcommonname) |
| - commonname = ctl->sslcommonname; |
| + commonname = ctl->server.pollname; |
| + if (ctl->server.via) |
| + commonname = ctl->server.via; |
| + if (ctl->sslcommonname) |
| + commonname = ctl->sslcommonname; |
| |
| - if (strstr(capabilities, "STARTTLS") |
| - || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| +#ifdef SSL_ENABLE |
| + if (maybe_starttls(ctl)) { |
| + if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) |
| + || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| { |
| - /* Use "tls1" rather than ctl->sslproto because tls1 is the only |
| - * protocol that will work with STARTTLS. Don't need to worry |
| - * whether TLS is mandatory or opportunistic unless SSLOpen() fails |
| - * (see below). */ |
| + /* Don't need to worry whether TLS is mandatory or |
| + * opportunistic unless SSLOpen() fails (see below). */ |
| if (gen_transact(sock, "STARTTLS") == PS_SUCCESS |
| - && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, |
| + && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, |
| ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, |
| ctl->server.pollname, &ctl->remotename)) != -1) |
| { |
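Review bot: The `commonname` assignment at the top of this hunk now sits outside the `#ifdef SSL_ENABLE` that follows it, so a build without SSL_ENABLE assigns a variable it never reads; the corresponding pop3.c hunk keeps both the declaration and the assignment inside the #ifdef. Moving `#ifdef SSL_ENABLE` up to precede `commonname = ctl->server.pollname;` would match pop3.c, though the declaration added in the previous hunk would then need the same guard. Separately, the inner condition `(strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))` re-tests `maybe_starttls(ctl)` inside an `if (maybe_starttls(ctl))` block; the pop3.c form `if (has_stls || must_starttls(ctl))` is equivalent and clearer. imap_getauth starts and ends outside this hunk.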
| @@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct |
| { |
| report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); |
| } |
| - } else if (must_tls(ctl)) { |
| + } else if (must_starttls(ctl)) { |
| /* Config required TLS but we couldn't guarantee it, so we must |
| * stop. */ |
| set_timeout(0); |
| @@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct |
| /* Usable. Proceed with authenticating insecurely. */ |
| } |
| } |
| + } else { |
| + if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { |
| + report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); |
| + } |
| } |
| #endif /* SSL_ENABLE */ |
| |
| --- fetchmail-6.3.26.orig/po/Makevars |
| +++ fetchmail-6.3.26/po/Makevars |
| @@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis |
| # This is the list of locale categories, beyond LC_MESSAGES, for which the |
| # message catalogs shall be used. It is usually empty. |
| EXTRA_LOCALE_CATEGORIES = |
| + |
| +# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' |
| +# context. Possible values are "yes" and "no". Set this to yes if the |
| +# package uses functions taking also a message context, like pgettext(), or |
| +# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. |
| +USE_MSGCTXT = no |
| + |
| +# These options get passed to msgmerge. |
| +# Useful options are in particular: |
| +# --previous to keep previous msgids of translated messages, |
| +# --quiet to reduce the verbosity. |
| +MSGMERGE_OPTIONS = |
| --- fetchmail-6.3.26.orig/pop3.c |
| +++ fetchmail-6.3.26/pop3.c |
| @@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct |
| #endif /* OPIE_ENABLE */ |
| #ifdef SSL_ENABLE |
| flag connection_may_have_tls_errors = FALSE; |
| + char *commonname; |
| #endif /* SSL_ENABLE */ |
| |
| done_capa = FALSE; |
| @@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct |
| (ctl->server.authenticate == A_KERBEROS_V5) || |
| (ctl->server.authenticate == A_OTP) || |
| (ctl->server.authenticate == A_CRAM_MD5) || |
| - maybe_tls(ctl)) |
| + maybe_starttls(ctl)) |
| { |
| if ((ok = capa_probe(sock)) != PS_SUCCESS) |
| /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ |
| @@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct |
| (ok == PS_SOCKET && !ctl->wehaveauthed)) |
| { |
| #ifdef SSL_ENABLE |
| - if (must_tls(ctl)) { |
| + if (must_starttls(ctl)) { |
| /* fail with mandatory STLS without repoll */ |
| report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); |
| report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); |
| return ok; |
| - } else if (maybe_tls(ctl)) { |
| + } else if (maybe_starttls(ctl)) { |
| /* defeat opportunistic STLS */ |
| xfree(ctl->sslproto); |
| ctl->sslproto = xstrdup(""); |
| @@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct |
| } |
| |
| #ifdef SSL_ENABLE |
| - if (maybe_tls(ctl)) { |
| - char *commonname; |
| + commonname = ctl->server.pollname; |
| + if (ctl->server.via) |
| + commonname = ctl->server.via; |
| + if (ctl->sslcommonname) |
| + commonname = ctl->sslcommonname; |
| |
| - commonname = ctl->server.pollname; |
| - if (ctl->server.via) |
| - commonname = ctl->server.via; |
| - if (ctl->sslcommonname) |
| - commonname = ctl->sslcommonname; |
| - |
| - if (has_stls |
| - || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| + if (maybe_starttls(ctl)) { |
| + if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| { |
| - /* Use "tls1" rather than ctl->sslproto because tls1 is the only |
| - * protocol that will work with STARTTLS. Don't need to worry |
| - * whether TLS is mandatory or opportunistic unless SSLOpen() fails |
| - * (see below). */ |
| + /* Don't need to worry whether TLS is mandatory or |
| + * opportunistic unless SSLOpen() fails (see below). */ |
| if (gen_transact(sock, "STLS") == PS_SUCCESS |
| - && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, |
| + && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, |
| ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, |
| ctl->server.pollname, &ctl->remotename)) != -1) |
| { |
| @@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct |
| { |
| report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); |
| } |
| - } else if (must_tls(ctl)) { |
| + } else if (must_starttls(ctl)) { |
| /* Config required TLS but we couldn't guarantee it, so we must |
| * stop. */ |
| set_timeout(0); |
| @@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct |
| } |
| } |
| } |
| - } /* maybe_tls() */ |
| + } else { /* maybe_starttls() */ |
| + if (has_stls && outlevel >= O_VERBOSE) { |
| + report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); |
| + } |
| + } /* maybe_starttls() */ |
| #endif /* SSL_ENABLE */ |
| |
| /* |
| --- fetchmail-6.3.26.orig/socket.c |
| +++ fetchmail-6.3.26/socket.c |
| @@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char |
| { |
| struct stat randstat; |
| int i; |
| + int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; |
| long sslopts = SSL_OP_ALL; |
| + int ssle_connect = 0; |
| |
| SSL_load_error_strings(); |
| SSL_library_init(); |
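Review bot: `avoid_ssl_versions` is declared `int` while `sslopts` beside it is `long`, and the later `SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions)` mixes the two widths into a `long` options argument; declaring it `long avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` keeps the types aligned with the API. Starting from "no SSLv2, no SSLv3" is the right default for the SSLv3 removal, and a why-comment such as `/* protocol versions disabled by default; only an explicit ssl3/ssl3+ sslproto clears the SSLv3 bit below */` would save the next reader a search for where the bit is cleared. SSLOpen's body continues outside this hunk.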
| @@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char |
| /* Make sure a connection referring to an older context is not left */ |
| _ssl_context[sock] = NULL; |
| if(myproto) { |
| - if(!strcasecmp("ssl2",myproto)) { |
| -#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 |
| - _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); |
| + if(!strcasecmp("ssl3",myproto)) { |
| +#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) |
| + _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); |
| + avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; |
| #else |
| - report(stderr, GT_("Your operating system does not support SSLv2.\n")); |
| + report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); |
| return -1; |
| #endif |
| - } else if(!strcasecmp("ssl3",myproto)) { |
| - _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); |
| + } else if(!strcasecmp("ssl3+",myproto)) { |
| + avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; |
| + myproto = NULL; |
| } else if(!strcasecmp("tls1",myproto)) { |
| _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); |
| - } else if (!strcasecmp("ssl23",myproto)) { |
| + } else if(!strcasecmp("tls1+",myproto)) { |
| + myproto = NULL; |
| +#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION |
| + } else if(!strcasecmp("tls1.1",myproto)) { |
| + _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); |
| + } else if(!strcasecmp("tls1.1+",myproto)) { |
| + myproto = NULL; |
| + avoid_ssl_versions |= SSL_OP_NO_TLSv1; |
| +#else |
| + } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { |
| + report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); |
| + return -1; |
| +#endif |
| +#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION |
| + } else if(!strcasecmp("tls1.2",myproto)) { |
| + _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); |
| + } else if(!strcasecmp("tls1.2+",myproto)) { |
| + myproto = NULL; |
| + avoid_ssl_versions |= SSL_OP_NO_TLSv1; |
| + avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; |
| +#else |
| + } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { |
| + report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); |
| + return -1; |
| +#endif |
| + } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { |
| myproto = NULL; |
| } else { |
| - report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); |
| + report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); |
| myproto = NULL; |
| } |
| } |
| - if(!myproto) { |
| + // do not combine into an else { } as myproto may be nulled |
| + // above! |
| + if (!myproto) { |
| + // SSLv23 is a misnomer and will in fact use the best |
| + // available protocol, subject to SSL_OP_NO* |
| + // constraints. |
| _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); |
| } |
| if(_ctx[sock] == NULL) { |
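Review bot: An unrecognized `myproto` value falls through to the `report(stderr, ...)` line and `myproto = NULL;`, so a misspelled hardening directive in the rcfile (say a typo of 'TLS1.2+') is quietly relaxed to the auto floor of TLSv1 after a single stderr line. The new tls1.1/tls1.2 branches already fail closed with `return -1;` when the requested version is unavailable; treating an unparseable value the same way would be consistent with them and keeps the user's intended minimum from silently dropping. The fetchmail.man hunk for --sslproto documents the current "treated the same as auto" fallback, so changing it means updating that text as well. SSLOpen starts and ends outside this hunk.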
| @@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char |
| sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
| } |
| |
| - SSL_CTX_set_options(_ctx[sock], sslopts); |
| + SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); |
| |
| if (certck) { |
| SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); |
| @@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char |
| } |
| |
| if (SSL_set_fd(_ssl_context[sock], sock) == 0 |
| - || SSL_connect(_ssl_context[sock]) < 1) { |
| + || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { |
| + int e = errno; |
| + unsigned long ssle_err_from_queue = ERR_peek_error(); |
| + unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); |
| ERR_print_errors_fp(stderr); |
| + if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { |
| + if (0 == ssle_connect) { |
| + report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); |
| + } else if (ssle_connect < 0) { |
| + report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); |
| + } |
| + } |
| SSL_free( _ssl_context[sock] ); |
| _ssl_context[sock] = NULL; |
| SSL_CTX_free(_ctx[sock]); |
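Review bot: When SSL_set_fd() fails the `||` short-circuits and ssle_connect is never assigned in this hunk, yet the new `SSL_get_error(_ssl_context[sock], ssle_connect)` line reads it anyway; unless its declaration (outside the hunk) initialises it, that is an uninitialised read, and the SSL_ERROR_SYSCALL branch can then print an unrelated strerror(e) for a set_fd failure. Initialising it where it is declared, `int ssle_connect = 0;`, or restricting the errno/queue capture and the syscall diagnostics to the case where SSL_connect() actually ran, avoids that. SSL_get_error() returns int, so `int ssle_err_from_get_error = SSL_get_error(...);` matches the API better than unsigned long. Capturing errno before ERR_print_errors_fp() is the right order, since that call may clobber it; a short comment saying so would keep a later cleanup from reordering the lines. SSLOpen() begins and ends outside the hunk.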
| @@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char |
| return(-1); |
| } |
| |
| + if (outlevel >= O_VERBOSE) { |
| + SSL_CIPHER const *sc; |
| + int bitsmax, bitsused; |
| + |
| + const char *ver; |
| + |
| + ver = SSL_get_version(_ssl_context[sock]); |
| + |
| + sc = SSL_get_current_cipher(_ssl_context[sock]); |
| + if (!sc) { |
| + report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); |
| + } else { |
| + bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); |
| + report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), |
| + ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); |
| + } |
| + } |
| + |
| /* Paranoia: was the callback not called as we expected? */ |
| if (!_depth0ck) { |
| report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); |
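Review bot: The verbose protocol/cipher report is emitted before the `_depth0ck` paranoia check that immediately follows it, so a session whose verification callback was skipped first prints a success-looking `SSL/TLS: using protocol …` line on stdout and only then fails on stderr; moving the block after that check (and after whatever further post-connect verification SSLOpen() does outside this hunk) keeps the log from showing an established session that is about to be torn down. A one-line comment stating the purpose, e.g. `/* verbose: log negotiated protocol and cipher so version/cipher downgrades are visible */`, would also help, since the block's reason for existing is otherwise only implied by the report text.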
| --- /dev/null |
| +++ fetchmail-6.3.26/starttls.c |
| @@ -0,0 +1,37 @@ |
| +/** \file tls.c - collect common TLS functionality |
| + * \author Matthias Andree |
| + * \date 2006 |
| + */ |
| + |
| +#include "fetchmail.h" |
| + |
| +#include <string.h> |
| + |
| +#ifdef HAVE_STRINGS_H |
| +#include <strings.h> |
| +#endif |
| + |
| +/** return true if user allowed opportunistic STARTTLS/STLS */ |
| +int maybe_starttls(struct query *ctl) { |
| +#ifdef SSL_ENABLE |
| + /* opportunistic or forced TLS */ |
| + return (!ctl->sslproto || strlen(ctl->sslproto)) |
| + && !ctl->use_ssl; |
| +#else |
| + (void)ctl; |
| + return 0; |
| +#endif |
| +} |
| + |
| +/** return true if user requires STARTTLS/STLS, note though that this |
| + * code must always use a logical AND with maybe_tls(). */ |
| +int must_starttls(struct query *ctl) { |
| +#ifdef SSL_ENABLE |
| + return maybe_starttls(ctl) |
| + && (ctl->sslfingerprint || ctl->sslcertck |
| + || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); |
| +#else |
| + (void)ctl; |
| + return 0; |
| +#endif |
| +} |
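Review bot: must_starttls() treats only the exact name `tls1` as forcing STARTTLS, so the additional protocol names this patch accepts in SSLOpen() (`tls1.1`, `tls1.1+`, `tls1.2`, `tls1.2+`) fall back to opportunistic mode unless sslcertck or a fingerprint is also set, which is presumably not what a user who pins a TLS version expects; if any explicit TLS version is meant to require TLS, a prefix compare `|| (ctl->sslproto && !strncasecmp(ctl->sslproto, "tls1", 4)));` covers all of them and uses the same strings.h header the file already relies on for strcasecmp(). Two documentation slips: the header says `\file tls.c` while the file is starttls.c, and the comment on must_starttls() refers to `maybe_tls()` where the function is named `maybe_starttls()`. The convention maybe_starttls() encodes is worth spelling out in its comment, e.g. `/* sslproto NULL or non-empty: TLS allowed; empty string: TLS disabled */`, since the `strlen()` test reads as a null check at first glance.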