Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | Description: <short summary of the patch> |
| 2 | TODO: Put a short summary on the line above and replace this paragraph |
| 3 | with a longer explanation of this change. Complete the meta-information |
| 4 | with other relevant fields (see below for details). To make it easier, the |
| 5 | information below has been extracted from the changelog. Adjust it or drop |
| 6 | it. |
| 7 | . |
| 8 | fetchmail (6.3.26-2) unstable; urgency=low |
| 9 | . |
| 10 | * New maintainer (closes: #800750). |
| 11 | * Backport upstream fix for SSLv3 removal (closes: #804604) and do not |
| 12 | recommend SSLv3 (closes: #801178). |
| 13 | * Remove quilt and its usage. |
| 14 | * Add dh-python to build depends. |
| 15 | * Update upstream URLs. |
| 16 | * Update watch file. |
| 17 | * Update Standards-Version to 3.9.6 . |
| 18 | Author: Laszlo Boszormenyi (GCS) <gcs@debian.org> |
| 19 | Bug-Debian: https://bugs.debian.org/800750 |
| 20 | Bug-Debian: https://bugs.debian.org/801178 |
| 21 | Bug-Debian: https://bugs.debian.org/804604 |
| 22 | |
| 23 | --- |
| 24 | The information above should follow the Patch Tagging Guidelines; please |
| 25 | check out http://dep.debian.net/deps/dep3/ to learn about the format. Here |
| 26 | are templates for supplementary fields that you might want to add: |
| 27 | |
| 28 | Origin: <vendor|upstream|other>, <url of original patch> |
| 29 | Bug: <url in upstream bugtracker> |
| 30 | Bug-Debian: https://bugs.debian.org/<bugnumber> |
| 31 | Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> |
| 32 | Forwarded: <no|not-needed|url proving that it has been forwarded> |
| 33 | Reviewed-By: <name and email of someone who approved the patch> |
| 34 | Last-Update: <YYYY-MM-DD> |
| 35 | |
| 36 | --- fetchmail-6.3.26.orig/Makefile.am |
| 37 | +++ fetchmail-6.3.26/Makefile.am |
| 38 | @@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 |
| 39 | servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| 40 | smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| 41 | libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ |
| 42 | - smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ |
| 43 | + smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ |
| 44 | xmalloc.h sdump.h sdump.c x509_name_match.c \ |
| 45 | fm_strl.h md5c.c |
| 46 | if NTLM_ENABLE |
| 47 | --- fetchmail-6.3.26.orig/Makefile.in |
| 48 | +++ fetchmail-6.3.26/Makefile.in |
| 49 | @@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas |
| 50 | rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| 51 | smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| 52 | libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ |
| 53 | - fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| 54 | + fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| 55 | x509_name_match.c fm_strl.h md5c.c ntlmsubr.c |
| 56 | @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) |
| 57 | am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ |
| 58 | rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ |
| 59 | servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ |
| 60 | smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ |
| 61 | - fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ |
| 62 | + fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ |
| 63 | sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ |
| 64 | $(am__objects_1) |
| 65 | libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) |
| 66 | @@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc |
| 67 | servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ |
| 68 | smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ |
| 69 | libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ |
| 70 | - fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| 71 | + fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ |
| 72 | x509_name_match.c fm_strl.h md5c.c $(am__append_1) |
| 73 | libfm_a_LIBADD = $(EXTRAOBJ) |
| 74 | libfm_a_DEPENDENCIES = $(EXTRAOBJ) |
| 75 | --- fetchmail-6.3.26.orig/NEWS |
| 76 | +++ fetchmail-6.3.26/NEWS |
| 77 | @@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) |
| 78 | * The --bsmtp - mode of operation may be removed in a future release. |
| 79 | * Given that OpenSSL is severely underdocumented, and needs license exceptions, |
| 80 | fetchmail may switch to a different SSL library. |
| 81 | -* SSLv2 support will be removed from a future fetchmail release. It has been |
| 82 | - obsolete for more than a decade. |
| 83 | |
| 84 | -------------------------------------------------------------------------------- |
| 85 | |
| 86 | --- fetchmail-6.3.26.orig/README.SSL |
| 87 | +++ fetchmail-6.3.26/README.SSL |
| 88 | @@ -11,36 +11,45 @@ specific to fetchmail. |
| 89 | In case of troubles, mail the README.SSL-SERVER file to your ISP and |
| 90 | have them check their server configuration against it. |
| 91 | |
| 92 | -Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether |
| 93 | -a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is |
| 94 | -totally SSL-wrapped on a separate port. For compatibility reasons, this cannot |
| 95 | -be fixed in a bugfix release. |
| 96 | +Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a |
| 97 | +service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) |
| 98 | +or is totally SSL-wrapped on a separate port. For compatibility |
| 99 | +reasons, this cannot be fixed in a bugfix or minor release. |
| 100 | + |
| 101 | +Also, fetchmail 6.4.0 and newer releases changed some of the semantics |
| 102 | +as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. |
| 103 | +If your server does not support this, you may have to specify --sslproto |
| 104 | +ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 |
| 105 | +and v3 are broken. |
| 106 | |
| 107 | - -- Matthias Andree, 2009-05-09 |
| 108 | + -- Matthias Andree, 2015-01-16 |
| 109 | |
| 110 | |
| 111 | Quickstart |
| 112 | ---------- |
| 113 | |
| 114 | +Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get |
| 115 | +TLSv1.2 support. |
| 116 | + |
| 117 | For use of SSL or TLS with in-band negotiation on the regular service's port, |
| 118 | i. e. with STLS or STARTTLS, use these command line options |
| 119 | |
| 120 | - --sslproto tls1 --sslcertck |
| 121 | + --sslproto auto --sslcertck |
| 122 | |
| 123 | or these options in the rcfile (after the respective "user"... options) |
| 124 | |
| 125 | - sslproto tls1 sslcertck |
| 126 | + sslproto auto sslcertck |
| 127 | |
| 128 | |
| 129 | For use of SSL or TLS on a separate port, if the whole TCP connection is |
| 130 | -SSL-encrypted from the very beginning, use these command line options (in the |
| 131 | -rcfile, omit all leading "--"): |
| 132 | +SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these |
| 133 | +command line options (in the rcfile, omit all leading "--"): |
| 134 | |
| 135 | - --ssl --sslproto ssl3 --sslcertck |
| 136 | + --ssl --sslproto auto --sslcertck |
| 137 | |
| 138 | or these options in the rcfile (after the respective "user"... options) |
| 139 | |
| 140 | - ssl sslproto ssl3 sslcertck |
| 141 | + ssl sslproto auto sslcertck |
| 142 | |
| 143 | |
| 144 | Background and use (long version :-)) |
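Review bot: The added paragraph ties the "TLSv1 or newer only" auto-negotiation to "fetchmail 6.4.0 and newer releases", yet the paths in this patch show it applied to 6.3.26, so a reader of the packaged README cannot tell whether it describes the version they run. The same paragraph offers `--sslproto ssl3` as the fallback while saying SSLv2 and v3 are broken, and the changelog entry in the patch header says SSLv3 should no longer be recommended. I would name the packaged version and frame the fallback as a last resort, for example `Only if the server cannot be fixed: --sslproto ssl3 re-enables a protocol with known weaknesses; ask the server operator to enable TLS instead.` Whether this build still accepts `ssl3` at all presumably depends on the OpenSSL it is linked against, which the hunk does not show.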
| 145 | --- fetchmail-6.3.26.orig/config.h.in |
| 146 | +++ fetchmail-6.3.26/config.h.in |
| 147 | @@ -49,9 +49,9 @@ |
| 148 | don't. */ |
| 149 | #undef HAVE_DECL_H_ERRNO |
| 150 | |
| 151 | -/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 |
| 152 | +/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 |
| 153 | if you don't. */ |
| 154 | -#undef HAVE_DECL_SSLV2_CLIENT_METHOD |
| 155 | +#undef HAVE_DECL_SSLV3_CLIENT_METHOD |
| 156 | |
| 157 | /* Define to 1 if you have the declaration of `strerror', and to 0 if you |
| 158 | don't. */ |
| 159 | --- fetchmail-6.3.26.orig/configure |
| 160 | +++ fetchmail-6.3.26/configure |
| 161 | @@ -1,13 +1,11 @@ |
| 162 | #! /bin/sh |
| 163 | # Guess values for system-dependent variables and create Makefiles. |
| 164 | -# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. |
| 165 | +# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. |
| 166 | # |
| 167 | # Report bugs to <fetchmail-users@lists.berlios.de>. |
| 168 | # |
| 169 | # |
| 170 | -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, |
| 171 | -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software |
| 172 | -# Foundation, Inc. |
| 173 | +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. |
| 174 | # |
| 175 | # |
| 176 | # This configure script is free software; the Free Software Foundation |
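Review bot: The Autoconf 2.68 to 2.69 banner change in this hunk shows that `configure` was regenerated and folded into the same patch as the SSLv3 backport, alongside `Makefile.in` and `config.h.in`. The few security-relevant lines end up buried in generated shell that cannot realistically be reviewed line by line. The DEP-3 header at the top is also still the unfilled template, so the patch does not record where the upstream fix came from. I would keep only hand-written files in the patch (`Makefile.am`, the configure input, the C sources and documentation), regenerate the autotools output at build time (e.g. with dh-autoreconf), and fill in `Origin:` and `Forwarded:` with the upstream reference. The later `configure` hunks look like the same regeneration and raise no separate point.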
| 177 | @@ -136,6 +134,31 @@ export LANGUAGE |
| 178 | # CDPATH. |
| 179 | (unset CDPATH) >/dev/null 2>&1 && unset CDPATH |
| 180 | |
| 181 | +# Use a proper internal environment variable to ensure we don't fall |
| 182 | + # into an infinite loop, continuously re-executing ourselves. |
| 183 | + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then |
| 184 | + _as_can_reexec=no; export _as_can_reexec; |
| 185 | + # We cannot yet assume a decent shell, so we have to provide a |
| 186 | +# neutralization value for shells without unset; and this also |
| 187 | +# works around shells that cannot unset nonexistent variables. |
| 188 | +# Preserve -v and -x to the replacement shell. |
| 189 | +BASH_ENV=/dev/null |
| 190 | +ENV=/dev/null |
| 191 | +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| 192 | +case $- in # (((( |
| 193 | + *v*x* | *x*v* ) as_opts=-vx ;; |
| 194 | + *v* ) as_opts=-v ;; |
| 195 | + *x* ) as_opts=-x ;; |
| 196 | + * ) as_opts= ;; |
| 197 | +esac |
| 198 | +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} |
| 199 | +# Admittedly, this is quite paranoid, since all the known shells bail |
| 200 | +# out after a failed `exec'. |
| 201 | +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 |
| 202 | +as_fn_exit 255 |
| 203 | + fi |
| 204 | + # We don't want this to propagate to other subprocesses. |
| 205 | + { _as_can_reexec=; unset _as_can_reexec;} |
| 206 | if test "x$CONFIG_SHELL" = x; then |
| 207 | as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : |
| 208 | emulate sh |
| 209 | @@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test |
| 210 | else |
| 211 | exitcode=1; echo positional parameters were not saved. |
| 212 | fi |
| 213 | -test x\$exitcode = x0 || exit 1" |
| 214 | +test x\$exitcode = x0 || exit 1 |
| 215 | +test -x / || exit 1" |
| 216 | as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO |
| 217 | as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO |
| 218 | eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && |
| 219 | @@ -214,21 +238,25 @@ IFS=$as_save_IFS |
| 220 | |
| 221 | |
| 222 | if test "x$CONFIG_SHELL" != x; then : |
| 223 | - # We cannot yet assume a decent shell, so we have to provide a |
| 224 | - # neutralization value for shells without unset; and this also |
| 225 | - # works around shells that cannot unset nonexistent variables. |
| 226 | - # Preserve -v and -x to the replacement shell. |
| 227 | - BASH_ENV=/dev/null |
| 228 | - ENV=/dev/null |
| 229 | - (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| 230 | - export CONFIG_SHELL |
| 231 | - case $- in # (((( |
| 232 | - *v*x* | *x*v* ) as_opts=-vx ;; |
| 233 | - *v* ) as_opts=-v ;; |
| 234 | - *x* ) as_opts=-x ;; |
| 235 | - * ) as_opts= ;; |
| 236 | - esac |
| 237 | - exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} |
| 238 | + export CONFIG_SHELL |
| 239 | + # We cannot yet assume a decent shell, so we have to provide a |
| 240 | +# neutralization value for shells without unset; and this also |
| 241 | +# works around shells that cannot unset nonexistent variables. |
| 242 | +# Preserve -v and -x to the replacement shell. |
| 243 | +BASH_ENV=/dev/null |
| 244 | +ENV=/dev/null |
| 245 | +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV |
| 246 | +case $- in # (((( |
| 247 | + *v*x* | *x*v* ) as_opts=-vx ;; |
| 248 | + *v* ) as_opts=-v ;; |
| 249 | + *x* ) as_opts=-x ;; |
| 250 | + * ) as_opts= ;; |
| 251 | +esac |
| 252 | +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} |
| 253 | +# Admittedly, this is quite paranoid, since all the known shells bail |
| 254 | +# out after a failed `exec'. |
| 255 | +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 |
| 256 | +exit 255 |
| 257 | fi |
| 258 | |
| 259 | if test x$as_have_required = xno; then : |
| 260 | @@ -331,6 +359,14 @@ $as_echo X"$as_dir" | |
| 261 | |
| 262 | |
| 263 | } # as_fn_mkdir_p |
| 264 | + |
| 265 | +# as_fn_executable_p FILE |
| 266 | +# ----------------------- |
| 267 | +# Test if FILE is an executable regular file. |
| 268 | +as_fn_executable_p () |
| 269 | +{ |
| 270 | + test -f "$1" && test -x "$1" |
| 271 | +} # as_fn_executable_p |
| 272 | # as_fn_append VAR VALUE |
| 273 | # ---------------------- |
| 274 | # Append the text in VALUE to the end of the definition contained in VAR. Take |
| 275 | @@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits |
| 276 | chmod +x "$as_me.lineno" || |
| 277 | { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } |
| 278 | |
| 279 | + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have |
| 280 | + # already done that, so ensure we don't try to do so again and fall |
| 281 | + # in an infinite loop. This has already happened in practice. |
| 282 | + _as_can_reexec=no; export _as_can_reexec |
| 283 | # Don't try to exec as it changes $[0], causing all sort of problems |
| 284 | # (the dirname of $[0] is not the place where we might find the |
| 285 | # original and so on. Autoconf is especially sensitive to this). |
| 286 | @@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then |
| 287 | # ... but there are two gotchas: |
| 288 | # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. |
| 289 | # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. |
| 290 | - # In both cases, we have to default to `cp -p'. |
| 291 | + # In both cases, we have to default to `cp -pR'. |
| 292 | ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || |
| 293 | - as_ln_s='cp -p' |
| 294 | + as_ln_s='cp -pR' |
| 295 | elif ln conf$$.file conf$$ 2>/dev/null; then |
| 296 | as_ln_s=ln |
| 297 | else |
| 298 | - as_ln_s='cp -p' |
| 299 | + as_ln_s='cp -pR' |
| 300 | fi |
| 301 | else |
| 302 | - as_ln_s='cp -p' |
| 303 | + as_ln_s='cp -pR' |
| 304 | fi |
| 305 | rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file |
| 306 | rmdir conf$$.dir 2>/dev/null |
| 307 | @@ -507,28 +547,8 @@ else |
| 308 | as_mkdir_p=false |
| 309 | fi |
| 310 | |
| 311 | -if test -x / >/dev/null 2>&1; then |
| 312 | - as_test_x='test -x' |
| 313 | -else |
| 314 | - if ls -dL / >/dev/null 2>&1; then |
| 315 | - as_ls_L_option=L |
| 316 | - else |
| 317 | - as_ls_L_option= |
| 318 | - fi |
| 319 | - as_test_x=' |
| 320 | - eval sh -c '\'' |
| 321 | - if test -d "$1"; then |
| 322 | - test -d "$1/."; |
| 323 | - else |
| 324 | - case $1 in #( |
| 325 | - -*)set "./$1";; |
| 326 | - esac; |
| 327 | - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( |
| 328 | - ???[sx]*):;;*)false;;esac;fi |
| 329 | - '\'' sh |
| 330 | - ' |
| 331 | -fi |
| 332 | -as_executable_p=$as_test_x |
| 333 | +as_test_x='test -x' |
| 334 | +as_executable_p=as_fn_executable_p |
| 335 | |
| 336 | # Sed expression to map a string onto a valid CPP name. |
| 337 | as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" |
| 338 | @@ -742,6 +762,7 @@ infodir |
| 339 | docdir |
| 340 | oldincludedir |
| 341 | includedir |
| 342 | +runstatedir |
| 343 | localstatedir |
| 344 | sharedstatedir |
| 345 | sysconfdir |
| 346 | @@ -841,6 +862,7 @@ datadir='${datarootdir}' |
| 347 | sysconfdir='${prefix}/etc' |
| 348 | sharedstatedir='${prefix}/com' |
| 349 | localstatedir='${prefix}/var' |
| 350 | +runstatedir='${localstatedir}/run' |
| 351 | includedir='${prefix}/include' |
| 352 | oldincludedir='/usr/include' |
| 353 | docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' |
| 354 | @@ -1093,6 +1115,15 @@ do |
| 355 | | -silent | --silent | --silen | --sile | --sil) |
| 356 | silent=yes ;; |
| 357 | |
| 358 | + -runstatedir | --runstatedir | --runstatedi | --runstated \ |
| 359 | + | --runstate | --runstat | --runsta | --runst | --runs \ |
| 360 | + | --run | --ru | --r) |
| 361 | + ac_prev=runstatedir ;; |
| 362 | + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ |
| 363 | + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ |
| 364 | + | --run=* | --ru=* | --r=*) |
| 365 | + runstatedir=$ac_optarg ;; |
| 366 | + |
| 367 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) |
| 368 | ac_prev=sbindir ;; |
| 369 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ |
| 370 | @@ -1230,7 +1261,7 @@ fi |
| 371 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ |
| 372 | datadir sysconfdir sharedstatedir localstatedir includedir \ |
| 373 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ |
| 374 | - libdir localedir mandir |
| 375 | + libdir localedir mandir runstatedir |
| 376 | do |
| 377 | eval ac_val=\$$ac_var |
| 378 | # Remove trailing slashes. |
| 379 | @@ -1258,8 +1289,6 @@ target=$target_alias |
| 380 | if test "x$host_alias" != x; then |
| 381 | if test "x$build_alias" = x; then |
| 382 | cross_compiling=maybe |
| 383 | - $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. |
| 384 | - If a cross compiler is detected then cross compile mode will be used" >&2 |
| 385 | elif test "x$build_alias" != "x$host_alias"; then |
| 386 | cross_compiling=yes |
| 387 | fi |
| 388 | @@ -1385,6 +1414,7 @@ Fine tuning of the installation director |
| 389 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] |
| 390 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] |
| 391 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] |
| 392 | + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] |
| 393 | --libdir=DIR object code libraries [EPREFIX/lib] |
| 394 | --includedir=DIR C header files [PREFIX/include] |
| 395 | --oldincludedir=DIR C header files for non-gcc [/usr/include] |
| 396 | @@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat |
| 397 | if $ac_init_version; then |
| 398 | cat <<\_ACEOF |
| 399 | fetchmail configure 6.3.26 |
| 400 | -generated by GNU Autoconf 2.68 |
| 401 | +generated by GNU Autoconf 2.69 |
| 402 | |
| 403 | -Copyright (C) 2010 Free Software Foundation, Inc. |
| 404 | +Copyright (C) 2012 Free Software Foundation, Inc. |
| 405 | This configure script is free software; the Free Software Foundation |
| 406 | gives unlimited permission to copy, distribute and modify it. |
| 407 | _ACEOF |
| 408 | @@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 |
| 409 | test ! -s conftest.err |
| 410 | } && test -s conftest$ac_exeext && { |
| 411 | test "$cross_compiling" = yes || |
| 412 | - $as_test_x conftest$ac_exeext |
| 413 | + test -x conftest$ac_exeext |
| 414 | }; then : |
| 415 | ac_retval=0 |
| 416 | else |
| 417 | @@ -2030,7 +2060,8 @@ int |
| 418 | main () |
| 419 | { |
| 420 | static int test_array [1 - 2 * !(($2) >= 0)]; |
| 421 | -test_array [0] = 0 |
| 422 | +test_array [0] = 0; |
| 423 | +return test_array [0]; |
| 424 | |
| 425 | ; |
| 426 | return 0; |
| 427 | @@ -2046,7 +2077,8 @@ int |
| 428 | main () |
| 429 | { |
| 430 | static int test_array [1 - 2 * !(($2) <= $ac_mid)]; |
| 431 | -test_array [0] = 0 |
| 432 | +test_array [0] = 0; |
| 433 | +return test_array [0]; |
| 434 | |
| 435 | ; |
| 436 | return 0; |
| 437 | @@ -2072,7 +2104,8 @@ int |
| 438 | main () |
| 439 | { |
| 440 | static int test_array [1 - 2 * !(($2) < 0)]; |
| 441 | -test_array [0] = 0 |
| 442 | +test_array [0] = 0; |
| 443 | +return test_array [0]; |
| 444 | |
| 445 | ; |
| 446 | return 0; |
| 447 | @@ -2088,7 +2121,8 @@ int |
| 448 | main () |
| 449 | { |
| 450 | static int test_array [1 - 2 * !(($2) >= $ac_mid)]; |
| 451 | -test_array [0] = 0 |
| 452 | +test_array [0] = 0; |
| 453 | +return test_array [0]; |
| 454 | |
| 455 | ; |
| 456 | return 0; |
| 457 | @@ -2122,7 +2156,8 @@ int |
| 458 | main () |
| 459 | { |
| 460 | static int test_array [1 - 2 * !(($2) <= $ac_mid)]; |
| 461 | -test_array [0] = 0 |
| 462 | +test_array [0] = 0; |
| 463 | +return test_array [0]; |
| 464 | |
| 465 | ; |
| 466 | return 0; |
| 467 | @@ -2195,7 +2230,7 @@ This file contains any messages produced |
| 468 | running configure, to aid debugging if configure makes a mistake. |
| 469 | |
| 470 | It was created by fetchmail $as_me 6.3.26, which was |
| 471 | -generated by GNU Autoconf 2.68. Invocation command line was |
| 472 | +generated by GNU Autoconf 2.69. Invocation command line was |
| 473 | |
| 474 | $ $0 $@ |
| 475 | |
| 476 | @@ -2689,7 +2724,7 @@ case $as_dir/ in #(( |
| 477 | # by default. |
| 478 | for ac_prog in ginstall scoinst install; do |
| 479 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 480 | - if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then |
| 481 | + if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then |
| 482 | if test $ac_prog = install && |
| 483 | grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then |
| 484 | # AIX install. It has an incompatible calling convention. |
| 485 | @@ -2858,7 +2893,7 @@ do |
| 486 | IFS=$as_save_IFS |
| 487 | test -z "$as_dir" && as_dir=. |
| 488 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 489 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 490 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 491 | ac_cv_prog_STRIP="${ac_tool_prefix}strip" |
| 492 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 493 | break 2 |
| 494 | @@ -2898,7 +2933,7 @@ do |
| 495 | IFS=$as_save_IFS |
| 496 | test -z "$as_dir" && as_dir=. |
| 497 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 498 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 499 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 500 | ac_cv_prog_ac_ct_STRIP="strip" |
| 501 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 502 | break 2 |
| 503 | @@ -2949,7 +2984,7 @@ do |
| 504 | test -z "$as_dir" && as_dir=. |
| 505 | for ac_prog in mkdir gmkdir; do |
| 506 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 507 | - { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue |
| 508 | + as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue |
| 509 | case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( |
| 510 | 'mkdir (GNU coreutils) '* | \ |
| 511 | 'mkdir (coreutils) '* | \ |
| 512 | @@ -3002,7 +3037,7 @@ do |
| 513 | IFS=$as_save_IFS |
| 514 | test -z "$as_dir" && as_dir=. |
| 515 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 516 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 517 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 518 | ac_cv_prog_AWK="$ac_prog" |
| 519 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 520 | break 2 |
| 521 | @@ -3295,7 +3330,7 @@ do |
| 522 | IFS=$as_save_IFS |
| 523 | test -z "$as_dir" && as_dir=. |
| 524 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 525 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 526 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 527 | ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" |
| 528 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 529 | break 2 |
| 530 | @@ -3466,7 +3501,7 @@ do |
| 531 | IFS=$as_save_IFS |
| 532 | test -z "$as_dir" && as_dir=. |
| 533 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 534 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 535 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 536 | ac_cv_prog_AWK="$ac_prog" |
| 537 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 538 | break 2 |
| 539 | @@ -3512,7 +3547,7 @@ do |
| 540 | IFS=$as_save_IFS |
| 541 | test -z "$as_dir" && as_dir=. |
| 542 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 543 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 544 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 545 | ac_cv_prog_CC="${ac_tool_prefix}gcc" |
| 546 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 547 | break 2 |
| 548 | @@ -3552,7 +3587,7 @@ do |
| 549 | IFS=$as_save_IFS |
| 550 | test -z "$as_dir" && as_dir=. |
| 551 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 552 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 553 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 554 | ac_cv_prog_ac_ct_CC="gcc" |
| 555 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 556 | break 2 |
| 557 | @@ -3605,7 +3640,7 @@ do |
| 558 | IFS=$as_save_IFS |
| 559 | test -z "$as_dir" && as_dir=. |
| 560 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 561 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 562 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 563 | ac_cv_prog_CC="${ac_tool_prefix}cc" |
| 564 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 565 | break 2 |
| 566 | @@ -3646,7 +3681,7 @@ do |
| 567 | IFS=$as_save_IFS |
| 568 | test -z "$as_dir" && as_dir=. |
| 569 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 570 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 571 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 572 | if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then |
| 573 | ac_prog_rejected=yes |
| 574 | continue |
| 575 | @@ -3704,7 +3739,7 @@ do |
| 576 | IFS=$as_save_IFS |
| 577 | test -z "$as_dir" && as_dir=. |
| 578 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 579 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 580 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 581 | ac_cv_prog_CC="$ac_tool_prefix$ac_prog" |
| 582 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 583 | break 2 |
| 584 | @@ -3748,7 +3783,7 @@ do |
| 585 | IFS=$as_save_IFS |
| 586 | test -z "$as_dir" && as_dir=. |
| 587 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 588 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 589 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 590 | ac_cv_prog_ac_ct_CC="$ac_prog" |
| 591 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 592 | break 2 |
| 593 | @@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ |
| 594 | /* end confdefs.h. */ |
| 595 | #include <stdarg.h> |
| 596 | #include <stdio.h> |
| 597 | -#include <sys/types.h> |
| 598 | -#include <sys/stat.h> |
| 599 | +struct stat; |
| 600 | /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ |
| 601 | struct buf { int x; }; |
| 602 | FILE * (*rcsopen) (struct buf *, struct stat *, int); |
| 603 | @@ -4751,7 +4785,7 @@ do |
| 604 | IFS=$as_save_IFS |
| 605 | test -z "$as_dir" && as_dir=. |
| 606 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 607 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 608 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 609 | ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" |
| 610 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 611 | break 2 |
| 612 | @@ -4791,7 +4825,7 @@ do |
| 613 | IFS=$as_save_IFS |
| 614 | test -z "$as_dir" && as_dir=. |
| 615 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 616 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 617 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 618 | ac_cv_prog_ac_ct_RANLIB="ranlib" |
| 619 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 620 | break 2 |
| 621 | @@ -4859,7 +4893,7 @@ do |
| 622 | for ac_prog in grep ggrep; do |
| 623 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 624 | ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" |
| 625 | - { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue |
| 626 | + as_fn_executable_p "$ac_path_GREP" || continue |
| 627 | # Check for GNU ac_path_GREP and select it if it is found. |
| 628 | # Check for GNU $ac_path_GREP |
| 629 | case `"$ac_path_GREP" --version 2>&1` in |
| 630 | @@ -4925,7 +4959,7 @@ do |
| 631 | for ac_prog in egrep; do |
| 632 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 633 | ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" |
| 634 | - { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue |
| 635 | + as_fn_executable_p "$ac_path_EGREP" || continue |
| 636 | # Check for GNU ac_path_EGREP and select it if it is found. |
| 637 | # Check for GNU $ac_path_EGREP |
| 638 | case `"$ac_path_EGREP" --version 2>&1` in |
| 639 | @@ -5132,8 +5166,8 @@ else |
| 640 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
| 641 | /* end confdefs.h. */ |
| 642 | |
| 643 | -# define __EXTENSIONS__ 1 |
| 644 | - $ac_includes_default |
| 645 | +# define __EXTENSIONS__ 1 |
| 646 | + $ac_includes_default |
| 647 | int |
| 648 | main () |
| 649 | { |
| 650 | @@ -5513,11 +5547,11 @@ else |
| 651 | int |
| 652 | main () |
| 653 | { |
| 654 | -/* FIXME: Include the comments suggested by Paul. */ |
| 655 | + |
| 656 | #ifndef __cplusplus |
| 657 | - /* Ultrix mips cc rejects this. */ |
| 658 | + /* Ultrix mips cc rejects this sort of thing. */ |
| 659 | typedef int charset[2]; |
| 660 | - const charset cs; |
| 661 | + const charset cs = { 0, 0 }; |
| 662 | /* SunOS 4.1.1 cc rejects this. */ |
| 663 | char const *const *pcpcc; |
| 664 | char **ppc; |
| 665 | @@ -5534,8 +5568,9 @@ main () |
| 666 | ++pcpcc; |
| 667 | ppc = (char**) pcpcc; |
| 668 | pcpcc = (char const *const *) ppc; |
| 669 | - { /* SCO 3.2v4 cc rejects this. */ |
| 670 | - char *t; |
| 671 | + { /* SCO 3.2v4 cc rejects this sort of thing. */ |
| 672 | + char tx; |
| 673 | + char *t = &tx; |
| 674 | char const *s = 0 ? (char *) 0 : (char const *) 0; |
| 675 | |
| 676 | *t++ = 0; |
| 677 | @@ -5551,10 +5586,10 @@ main () |
| 678 | iptr p = 0; |
| 679 | ++p; |
| 680 | } |
| 681 | - { /* AIX XL C 1.02.0.0 rejects this saying |
| 682 | + { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying |
| 683 | "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ |
| 684 | - struct s { int j; const int *ap[3]; }; |
| 685 | - struct s *b; b->j = 5; |
| 686 | + struct s { int j; const int *ap[3]; } bx; |
| 687 | + struct s *b = &bx; b->j = 5; |
| 688 | } |
| 689 | { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ |
| 690 | const int foo = 10; |
| 691 | @@ -5600,7 +5635,7 @@ do |
| 692 | IFS=$as_save_IFS |
| 693 | test -z "$as_dir" && as_dir=. |
| 694 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 695 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 696 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 697 | ac_cv_prog_LEX="$ac_prog" |
| 698 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 699 | break 2 |
| 700 | @@ -5632,7 +5667,8 @@ a { ECHO; } |
| 701 | b { REJECT; } |
| 702 | c { yymore (); } |
| 703 | d { yyless (1); } |
| 704 | -e { yyless (input () != 0); } |
| 705 | +e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ |
| 706 | + yyless ((input () != 0)); } |
| 707 | f { unput (yytext[0]); } |
| 708 | . { BEGIN INITIAL; } |
| 709 | %% |
| 710 | @@ -5792,7 +5828,7 @@ do |
| 711 | IFS=$as_save_IFS |
| 712 | test -z "$as_dir" && as_dir=. |
| 713 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 714 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 715 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 716 | ac_cv_prog_YACC="$ac_prog" |
| 717 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 718 | break 2 |
| 719 | @@ -6044,7 +6080,7 @@ do |
| 720 | IFS=$as_save_IFS |
| 721 | test -z "$as_dir" && as_dir=. |
| 722 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 723 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 724 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 725 | ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" |
| 726 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 727 | break 2 |
| 728 | @@ -8548,7 +8584,7 @@ do |
| 729 | IFS=$as_save_IFS |
| 730 | test -z "$as_dir" && as_dir=. |
| 731 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 732 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 733 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 734 | ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" |
| 735 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 736 | break 2 |
| 737 | @@ -8590,7 +8626,7 @@ do |
| 738 | IFS=$as_save_IFS |
| 739 | test -z "$as_dir" && as_dir=. |
| 740 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 741 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 742 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 743 | ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" |
| 744 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 745 | break 2 |
| 746 | @@ -8632,7 +8668,7 @@ do |
| 747 | IFS=$as_save_IFS |
| 748 | test -z "$as_dir" && as_dir=. |
| 749 | for ac_exec_ext in '' $ac_executable_extensions; do |
| 750 | - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then |
| 751 | + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then |
| 752 | ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" |
| 753 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 |
| 754 | break 2 |
| 755 | @@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r |
| 756 | fi |
| 757 | |
| 758 | case "$LIBS" in *-lssl*) |
| 759 | - ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h> |
| 760 | + ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h> |
| 761 | " |
| 762 | -if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : |
| 763 | +if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : |
| 764 | ac_have_decl=1 |
| 765 | else |
| 766 | ac_have_decl=0 |
| 767 | fi |
| 768 | |
| 769 | cat >>confdefs.h <<_ACEOF |
| 770 | -#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl |
| 771 | +#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl |
| 772 | _ACEOF |
| 773 | |
| 774 | ;; |
| 775 | @@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then |
| 776 | # ... but there are two gotchas: |
| 777 | # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. |
| 778 | # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. |
| 779 | - # In both cases, we have to default to `cp -p'. |
| 780 | + # In both cases, we have to default to `cp -pR'. |
| 781 | ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || |
| 782 | - as_ln_s='cp -p' |
| 783 | + as_ln_s='cp -pR' |
| 784 | elif ln conf$$.file conf$$ 2>/dev/null; then |
| 785 | as_ln_s=ln |
| 786 | else |
| 787 | - as_ln_s='cp -p' |
| 788 | + as_ln_s='cp -pR' |
| 789 | fi |
| 790 | else |
| 791 | - as_ln_s='cp -p' |
| 792 | + as_ln_s='cp -pR' |
| 793 | fi |
| 794 | rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file |
| 795 | rmdir conf$$.dir 2>/dev/null |
| 796 | @@ -11403,28 +11439,16 @@ else |
| 797 | as_mkdir_p=false |
| 798 | fi |
| 799 | |
| 800 | -if test -x / >/dev/null 2>&1; then |
| 801 | - as_test_x='test -x' |
| 802 | -else |
| 803 | - if ls -dL / >/dev/null 2>&1; then |
| 804 | - as_ls_L_option=L |
| 805 | - else |
| 806 | - as_ls_L_option= |
| 807 | - fi |
| 808 | - as_test_x=' |
| 809 | - eval sh -c '\'' |
| 810 | - if test -d "$1"; then |
| 811 | - test -d "$1/."; |
| 812 | - else |
| 813 | - case $1 in #( |
| 814 | - -*)set "./$1";; |
| 815 | - esac; |
| 816 | - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( |
| 817 | - ???[sx]*):;;*)false;;esac;fi |
| 818 | - '\'' sh |
| 819 | - ' |
| 820 | -fi |
| 821 | -as_executable_p=$as_test_x |
| 822 | + |
| 823 | +# as_fn_executable_p FILE |
| 824 | +# ----------------------- |
| 825 | +# Test if FILE is an executable regular file. |
| 826 | +as_fn_executable_p () |
| 827 | +{ |
| 828 | + test -f "$1" && test -x "$1" |
| 829 | +} # as_fn_executable_p |
| 830 | +as_test_x='test -x' |
| 831 | +as_executable_p=as_fn_executable_p |
| 832 | |
| 833 | # Sed expression to map a string onto a valid CPP name. |
| 834 | as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" |
| 835 | @@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri |
| 836 | # values after options handling. |
| 837 | ac_log=" |
| 838 | This file was extended by fetchmail $as_me 6.3.26, which was |
| 839 | -generated by GNU Autoconf 2.68. Invocation command line was |
| 840 | +generated by GNU Autoconf 2.69. Invocation command line was |
| 841 | |
| 842 | CONFIG_FILES = $CONFIG_FILES |
| 843 | CONFIG_HEADERS = $CONFIG_HEADERS |
| 844 | @@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ |
| 845 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
| 846 | ac_cs_version="\\ |
| 847 | fetchmail config.status 6.3.26 |
| 848 | -configured by $0, generated by GNU Autoconf 2.68, |
| 849 | +configured by $0, generated by GNU Autoconf 2.69, |
| 850 | with options \\"\$ac_cs_config\\" |
| 851 | |
| 852 | -Copyright (C) 2010 Free Software Foundation, Inc. |
| 853 | +Copyright (C) 2012 Free Software Foundation, Inc. |
| 854 | This config.status script is free software; the Free Software Foundation |
| 855 | gives unlimited permission to copy, distribute and modify it." |
| 856 | |
| 857 | @@ -11606,7 +11630,7 @@ fi |
| 858 | _ACEOF |
| 859 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
| 860 | if \$ac_cs_recheck; then |
| 861 | - set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion |
| 862 | + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion |
| 863 | shift |
| 864 | \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 |
| 865 | CONFIG_SHELL='$SHELL' |
| 866 | --- fetchmail-6.3.26.orig/configure.ac |
| 867 | +++ fetchmail-6.3.26/configure.ac |
| 868 | @@ -802,7 +802,7 @@ else |
| 869 | fi |
| 870 | |
| 871 | case "$LIBS" in *-lssl*) |
| 872 | - AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>]) |
| 873 | + AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>]) |
| 874 | ;; |
| 875 | esac |
| 876 | |
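Review bot: Replacing the `SSLv2_client_method` probe rather than extending it means configure no longer defines `HAVE_DECL_SSLV2_CLIENT_METHOD`. Any source file that still tests that macro (none is visible in this hunk) would then evaluate it as 0 in `#if`, or trip `-Wundef`, instead of reflecting the installed OpenSSL. That fails in the safe direction, but it is implicit; `AC_CHECK_DECLS([SSLv2_client_method, SSLv3_client_method],,,[#include <openssl/ssl.h>])` keeps both results explicit. A declaration check only shows that the prototype is in the header, so wherever the new macro gates a call it should be paired with `defined(OPENSSL_NO_SSL3)`, as the fetchmail.c hunk does.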
| 877 | --- fetchmail-6.3.26.orig/fetchmail-FAQ.html |
| 878 | +++ fetchmail-6.3.26/fetchmail-FAQ.html |
| 879 | @@ -667,8 +667,8 @@ because there is not currently a standar |
| 880 | also uses this method, so the two will interoperate happily. They |
| 881 | better, because this is how Craig gets his mail ;-)</p> |
| 882 | |
| 883 | -<p>Finally, you can use <a href="#K5">SSL</a> for complete |
| 884 | -end-to-end encryption if you have an SSL-enabled mailserver.</p> |
| 885 | +<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete |
| 886 | +end-to-end encryption if you have a TLS-enabled mailserver.</p> |
| 887 | |
| 888 | <h2><a id="G11" name="G11">G11. Is any special configuration needed |
| 889 | to use a dynamic IP address?</a></h2> |
| 890 | @@ -2120,7 +2120,7 @@ SSL?</a></h2> |
| 891 | |
| 892 | <p>You'll need to have the <a |
| 893 | href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they |
| 894 | -should at least be version 0.9.7. |
| 895 | +should at least be version 0.9.8, with 1.0.1 preferred. |
| 896 | Configure with --with-ssl. If you have the OpenSSL libraries |
| 897 | installed in commonly-used default locations, this will |
| 898 | suffice. If you have them installed in a non-default location, |
| 899 | @@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p> |
| 900 | <p>Fetchmail binaries built this way support <code>ssl</code>, |
| 901 | <code>sslkey</code>, and <code>sslcert</code> options that control |
| 902 | SSL encryption, and will automatically use <code>tls</code> if the |
| 903 | -server offers it. You will need to have an SSL-enabled mailserver to |
| 904 | +server offers it. You will need to have an SSL/TLS-enabled mailserver to |
| 905 | use these options. See the manual page for details and some words |
| 906 | of care on the limited security provided.</p> |
| 907 | |
| 908 | @@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s |
| 909 | protocol imap username MYUSERNAME password MYPASSWORD |
| 910 | </pre> |
| 911 | |
| 912 | -<p>You should note that SSL is only secure against a "man-in-the-middle" |
| 913 | -attack if the client is able to verify that the peer's public key is the |
| 914 | -correct one, and has not been substituted by an attacker. fetchmail can do |
| 915 | -this in one of two ways: by verifying the SSL certificate, or by checking |
| 916 | -the fingerprint of the peer's public key.</p> |
| 917 | +<p>You should note that SSL or TLS are only secure against a |
| 918 | +"man-in-the-middle" attack if the client is able to verify that the |
| 919 | +peer's public key is the correct one, and has not been substituted by an |
| 920 | +attacker. fetchmail can do this in one of two ways: by verifying the SSL |
| 921 | +certificate, or by checking the fingerprint of the peer's public |
| 922 | +key.</p> |
| 923 | |
| 924 | -<p>There are three parts to SSL certificate verification: checking that the |
| 925 | +<p>There are three parts to TLS certificate verification: checking that the |
| 926 | domain name in the certificate matches the hostname you asked to connect to; |
| 927 | checking that the certificate expiry date has not passed; and checking that |
| 928 | the certificate has been signed by a known Certificate Authority (CA). This |
| 929 | @@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati |
| 930 | time. This can however cause problems if the upstream didn't configure |
| 931 | his certificates properly.</p> |
| 932 | |
| 933 | -<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS) |
| 934 | -negotiation, add this option:</p> |
| 935 | +<p>In order to prevent fetchmail 6.4.0 and newer versions from trying |
| 936 | +STLS or STARTTLS negotiation, add this option:</p> |
| 937 | +<pre>sslproto ''</pre> |
| 938 | + |
| 939 | +<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) |
| 940 | +negotiation where the above does not work, try this option:</p> |
| 941 | |
| 942 | <pre>sslproto ssl23</pre> |
| 943 | |
| 944 | @@ -2876,15 +2881,22 @@ need to say something like '<code>envelo |
| 945 | |
| 946 | <pre> |
| 947 | Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92]) |
| 948 | - by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088 |
| 949 | - for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700 |
| 950 | + by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088 |
| 951 | + for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700 |
| 952 | </pre> |
| 953 | |
| 954 | -<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your |
| 955 | -mailserver before accepting 'ksturgeon@fbceg.org' as an envelope |
| 956 | +<p>it checks to see if 'iserv.example.net' is a DNS alias of your |
| 957 | +mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope |
| 958 | address. This check might fail if your DNS were misconfigured, or |
| 959 | -if you were using 'no dns' and had failed to declare iserv.ttns.net |
| 960 | -as an alias of your server.</p> |
| 961 | +if you were using 'no dns' and had failed to declare iserv.example.net |
| 962 | +as an alias of your server. The typical hint is logging similar to: |
| 963 | +<code>line rejected, iserv.example.net is not an alias of the mailserver</code>, |
| 964 | +if you use fetchmail in verbose mode.</p> |
| 965 | + |
| 966 | +<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka |
| 967 | + <em>iserv.example.net</em></code> statements in the rcfile. Replace |
| 968 | +<em>iserv.example.net</em> by the name you find in <strong>your</strong> |
| 969 | +'by' part of the 'Received:' line.</p> |
| 970 | |
| 971 | <h2><a id="M8" name="M8">M8. Users are getting multiple copies of |
| 972 | messages.</a></h2> |
| 973 | @@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p> |
| 974 | <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my |
| 975 | messages.</a></h2> |
| 976 | |
| 977 | +<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p> |
| 978 | + |
| 979 | <p>Due to the problem described in <a href="#S2">S2</a>, the |
| 980 | IMAP support in fetchmail cannot follow the IMAP protocol 100 %. |
| 981 | Most of the time it doesn't matter, but if you combine it with an |
| 982 | @@ -3279,8 +3293,6 @@ it at the end of the message it forwards |
| 983 | on, you'll get a message about actual != expected.</li> |
| 984 | </ol> |
| 985 | |
| 986 | -<p>There is no fix for this.</p> |
| 987 | - |
| 988 | <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header |
| 989 | with Domino IMAP</a></h2> |
| 990 | |
| 991 | --- fetchmail-6.3.26.orig/fetchmail.c |
| 992 | +++ fetchmail-6.3.26/fetchmail.c |
| 993 | @@ -54,6 +54,10 @@ |
| 994 | #define ENETUNREACH 128 /* Interactive doesn't know this */ |
| 995 | #endif /* ENETUNREACH */ |
| 996 | |
| 997 | +#ifdef SSL_ENABLE |
| 998 | +#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ |
| 999 | +#endif |
| 1000 | + |
| 1001 | /* prototypes for internal functions */ |
| 1002 | static int load_params(int, char **, int); |
| 1003 | static void dump_params (struct runctl *runp, struct query *, flag implicit); |
| 1004 | @@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { |
| 1005 | "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" |
| 1006 | " Robert M. Funk, Graham Wilson\n" |
| 1007 | "Copyright (C) 2005 - 2012 Sunil Shetye\n" |
| 1008 | - "Copyright (C) 2005 - 2013 Matthias Andree\n" |
| 1009 | + "Copyright (C) 2005 - 2015 Matthias Andree\n" |
| 1010 | )); |
| 1011 | fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" |
| 1012 | "are welcome to redistribute it under certain conditions. For details,\n" |
| 1013 | @@ -262,6 +266,9 @@ int main(int argc, char **argv) |
| 1014 | #endif /* ODMR_ENABLE */ |
| 1015 | #ifdef SSL_ENABLE |
| 1016 | "+SSL" |
| 1017 | +#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) |
| 1018 | + "-SSLv3" |
| 1019 | +#endif |
| 1020 | #endif |
| 1021 | #ifdef OPIE_ENABLE |
| 1022 | "+OPIE" |
| 1023 | --- fetchmail-6.3.26.orig/fetchmail.h |
| 1024 | +++ fetchmail-6.3.26/fetchmail.h |
| 1025 | @@ -771,9 +771,9 @@ int servport(const char *service); |
| 1026 | int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); |
| 1027 | void fm_freeaddrinfo(struct addrinfo *ai); |
| 1028 | |
| 1029 | -/* prototypes from tls.c */ |
| 1030 | -int maybe_tls(struct query *ctl); |
| 1031 | -int must_tls(struct query *ctl); |
| 1032 | +/* prototypes from starttls.c */ |
| 1033 | +int maybe_starttls(struct query *ctl); |
| 1034 | +int must_starttls(struct query *ctl); |
| 1035 | |
| 1036 | /* prototype from rfc822valid.c */ |
| 1037 | int rfc822_valid_msgid(const unsigned char *); |
| 1038 | --- fetchmail-6.3.26.orig/fetchmail.man |
| 1039 | +++ fetchmail-6.3.26/fetchmail.man |
| 1040 | @@ -412,23 +412,22 @@ from. The folder information is written |
| 1041 | .B \-\-ssl |
| 1042 | (Keyword: ssl) |
| 1043 | .br |
| 1044 | -Causes the connection to the mail server to be encrypted |
| 1045 | -via SSL. Connect to the server using the specified base protocol over a |
| 1046 | -connection secured by SSL. This option defeats opportunistic starttls |
| 1047 | -negotiation. It is highly recommended to use \-\-sslproto 'SSL3' |
| 1048 | -\-\-sslcertck to validate the certificates presented by the server and |
| 1049 | -defeat the obsolete SSLv2 negotiation. More information is available in |
| 1050 | -the \fIREADME.SSL\fP file that ships with fetchmail. |
| 1051 | -.IP |
| 1052 | -Note that fetchmail may still try to negotiate SSL through starttls even |
| 1053 | -if this option is omitted. You can use the \-\-sslproto option to defeat |
| 1054 | -this behavior or tell fetchmail to negotiate a particular SSL protocol. |
| 1055 | +Causes the connection to the mail server to be encrypted via SSL, by |
| 1056 | +negotiating SSL directly after connecting (SSL-wrapped mode). It is |
| 1057 | +highly recommended to use \-\-sslcertck to validate the certificates |
| 1058 | +presented by the server. Please see the description of \-\-sslproto |
| 1059 | +below! More information is available in the \fIREADME.SSL\fP file that |
| 1060 | +ships with fetchmail. |
| 1061 | +.IP |
| 1062 | +Note that even if this option is omitted, fetchmail may still negotiate |
| 1063 | +SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You |
| 1064 | +can use the \-\-sslproto option to modify that behavior. |
| 1065 | .IP |
| 1066 | If no port is specified, the connection is attempted to the well known |
| 1067 | port of the SSL version of the base protocol. This is generally a |
| 1068 | different port than the port used by the base protocol. For IMAP, this |
| 1069 | is port 143 for the clear protocol and port 993 for the SSL secured |
| 1070 | -protocol, for POP3, it is port 110 for the clear text and port 995 for |
| 1071 | +protocol; for POP3, it is port 110 for the clear text and port 995 for |
| 1072 | the encrypted variant. |
| 1073 | .IP |
| 1074 | If your system lacks the corresponding entries from /etc/services, see |
| 1075 | @@ -470,39 +469,73 @@ cause some complications in daemon mode. |
| 1076 | .IP |
| 1077 | Also see \-\-sslcert above. |
| 1078 | .TP |
| 1079 | -.B \-\-sslproto <name> |
| 1080 | -(Keyword: sslproto) |
| 1081 | +.B \-\-sslproto <value> |
| 1082 | +(Keyword: sslproto, NOTE: semantic changes since v6.4.0) |
| 1083 | .br |
| 1084 | -Forces an SSL/TLS protocol. Possible values are \fB''\fP, |
| 1085 | -\&'\fBSSL2\fP' (not supported on all systems), |
| 1086 | -\&'\fBSSL23\fP', (use of these two values is discouraged |
| 1087 | -and should only be used as a last resort) \&'\fBSSL3\fP', and |
| 1088 | -\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for |
| 1089 | -connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will |
| 1090 | -opportunistically try STARTTLS negotiation with TLS1. You can configure |
| 1091 | -this option explicitly if the default handshake (TLS1 if \-\-ssl is not |
| 1092 | -used) does not work for your server. |
| 1093 | -.IP |
| 1094 | -Use this option with '\fBTLS1\fP' value to enforce a STARTTLS |
| 1095 | -connection. In this mode, it is highly recommended to also use |
| 1096 | -\-\-sslcertck (see below). Note that this will then cause fetchmail |
| 1097 | -v6.3.19 to force STARTTLS negotiation even if it is not advertised by |
| 1098 | -the server. |
| 1099 | -.IP |
| 1100 | -To defeat opportunistic TLSv1 negotiation when the server advertises |
| 1101 | -STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This |
| 1102 | -option, even if the argument is the empty string, will also suppress the |
| 1103 | -diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose |
| 1104 | -mode. The default is to try appropriate protocols depending on context. |
| 1105 | +This option has a dual use, out of historic fetchmail behaviour. It |
| 1106 | +controls both the SSL/TLS protocol version and, if \-\-ssl is not |
| 1107 | +specified, the STARTTLS behaviour (upgrading the protocol to an SSL or |
| 1108 | +TLS connection in-band). Some other options may however make TLS |
| 1109 | +mandatory. |
| 1110 | +.PP |
| 1111 | +Only if this option and \-\-ssl are both missing for a poll, there will |
| 1112 | +be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to |
| 1113 | +upgrade to TLSv1 or newer. |
| 1114 | +.PP |
| 1115 | +Recognized values for \-\-sslproto are given below. You should normally |
| 1116 | +chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of |
| 1117 | +the options ending in a plus (\fB+\fP) character. Note that depending |
| 1118 | +on OpenSSL library version and configuration, some options cause |
| 1119 | +run-time errors because the requested SSL or TLS versions are not |
| 1120 | +supported by the particular installed OpenSSL library. |
| 1121 | +.RS |
| 1122 | +.IP "\fB''\fP, the empty string" |
| 1123 | +Disable STARTTLS. If \-\-ssl is given for the same server, log an error |
| 1124 | +and pretend that '\fBauto\fP' had been used instead. |
| 1125 | +.IP '\fBauto\fP' |
| 1126 | +(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. |
| 1127 | +(fetchmail 6.3.26 and older have auto-negotiated all protocols that |
| 1128 | +their OpenSSL library supported, including the broken SSLv3). |
| 1129 | +.IP "\&'\fBSSL23\fP' |
| 1130 | +see '\fBauto\fP'. |
| 1131 | +.IP \&'\fBSSL3\fP' |
| 1132 | +Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it |
| 1133 | +if possible. This will make fetchmail negotiate SSLv3 only, and is the |
| 1134 | +only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. |
| 1135 | +.IP \&'\fBSSL3+\fP' |
| 1136 | +same as '\fBauto\fP', but permit SSLv3 as well. This is the only way |
| 1137 | +besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. |
| 1138 | +.IP \&'\fBTLS1\fP' |
| 1139 | +Require TLSv1. This does not negotiate TLSv1.1 or newer, and is |
| 1140 | +discouraged. Replace by TLS1+ unless the latter chokes your server. |
| 1141 | +.IP \&'\fBTLS1+\fP' |
| 1142 | +Since v6.4.0. See 'fBauto\fP'. |
| 1143 | +.IP \&'\fBTLS1.1\fP' |
| 1144 | +Since v6.4.0. Require TLS v1.1 exactly. |
| 1145 | +.IP \&'\fBTLS1.1+\fP' |
| 1146 | +Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. |
| 1147 | +.IP \&'\fBTLS1.2\fP' |
| 1148 | +Since v6.4.0. Require TLS v1.2 exactly. |
| 1149 | +.IP '\fBTLS1.2+\fP' |
| 1150 | +Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. |
| 1151 | +.IP "Unrecognized parameters" |
| 1152 | +are treated the same as '\fBauto\fP'. |
| 1153 | +.RE |
| 1154 | +.IP |
| 1155 | +NOTE: you should hardly ever need to use anything other than '' (to |
| 1156 | +force an unencrypted connection) or 'auto' (to enforce TLS). |
| 1157 | .TP |
| 1158 | .B \-\-sslcertck |
| 1159 | (Keyword: sslcertck) |
| 1160 | .br |
| 1161 | -Causes fetchmail to strictly check the server certificate against a set of |
| 1162 | -local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP |
| 1163 | -options). If the server certificate cannot be obtained or is not signed by one |
| 1164 | -of the trusted ones (directly or indirectly), the SSL connection will fail, |
| 1165 | -regardless of the \fBsslfingerprint\fP option. |
| 1166 | +Causes fetchmail to require that SSL/TLS be used and disconnect if it |
| 1167 | +can not successfully negotiate SSL or TLS, or if it cannot successfully |
| 1168 | +verify and validate the certificate and follow it to a trust anchor (or |
| 1169 | +trusted root certificate). The trust anchors are given as a set of local |
| 1170 | +trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP |
| 1171 | +options). If the server certificate cannot be obtained or is not signed |
| 1172 | +by one of the trusted ones (directly or indirectly), fetchmail will |
| 1173 | +disconnect, regardless of the \fBsslfingerprint\fP option. |
| 1174 | .IP |
| 1175 | Note that CRL (certificate revocation lists) are only supported in |
| 1176 | OpenSSL 0.9.7 and newer! Your system clock should also be reasonably |
| 1177 | @@ -1202,31 +1235,33 @@ capability response. Specify a user opti |
| 1178 | username and the part to the right as the NTLM domain. |
| 1179 | |
| 1180 | .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) |
| 1181 | +.PP All retrieval protocols can use SSL or TLS wrapping for the |
| 1182 | +transport. Additionally, POP3 and IMAP retrival can also negotiate |
| 1183 | +SSL/TLS by means of STARTTLS (or STLS). |
| 1184 | .PP |
| 1185 | Note that fetchmail currently uses the OpenSSL library, which is |
| 1186 | severely underdocumented, so failures may occur just because the |
| 1187 | programmers are not aware of OpenSSL's requirement of the day. |
| 1188 | For instance, since v6.3.16, fetchmail calls |
| 1189 | OpenSSL_add_all_algorithms(), which is necessary to support certificates |
| 1190 | -using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the |
| 1191 | -documentation and not at all obvious. Please do not hesitate to report |
| 1192 | -subtle SSL failures. |
| 1193 | -.PP |
| 1194 | -You can access SSL encrypted services by specifying the \-\-ssl option. |
| 1195 | -You can also do this using the "ssl" user option in the .fetchmailrc |
| 1196 | -file. With SSL encryption enabled, queries are initiated over a |
| 1197 | -connection after negotiating an SSL session, and the connection fails if |
| 1198 | -SSL cannot be negotiated. Some services, such as POP3 and IMAP, have |
| 1199 | +using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in |
| 1200 | +the documentation and not at all obvious. Please do not hesitate to |
| 1201 | +report subtle SSL failures. |
| 1202 | +.PP |
| 1203 | +You can access SSL encrypted services by specifying the options starting |
| 1204 | +with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. |
| 1205 | +You can also do this using the corresponding user options in the .fetchmailrc |
| 1206 | +file. Some services, such as POP3 and IMAP, have |
| 1207 | different well known ports defined for the SSL encrypted services. The |
| 1208 | encrypted ports will be selected automatically when SSL is enabled and |
| 1209 | -no explicit port is specified. The \-\-sslproto 'SSL3' option should be |
| 1210 | -used to select the SSLv3 protocol (default if unset: v2 or v3). Also, |
| 1211 | -the \-\-sslcertck command line or sslcertck run control file option |
| 1212 | -should be used to force strict certificate checking - see below. |
| 1213 | +no explicit port is specified. Also, the \-\-sslcertck command line or |
| 1214 | +sslcertck run control file option should be used to force strict |
| 1215 | +certificate checking - see below. |
| 1216 | .PP |
| 1217 | If SSL is not configured, fetchmail will usually opportunistically try to use |
| 1218 | -STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS |
| 1219 | -connections use the same port as the unencrypted version of the |
| 1220 | +STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and |
| 1221 | +defeated by using \-\-sslproto\~''. |
| 1222 | +TLS connections use the same port as the unencrypted version of the |
| 1223 | protocol and negotiate TLS via special command. The \-\-sslcertck |
| 1224 | command line or sslcertck run control file option should be used to |
| 1225 | force strict certificate checking - see below. |
| 1226 | --- fetchmail-6.3.26.orig/imap.c |
| 1227 | +++ fetchmail-6.3.26/imap.c |
| 1228 | @@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct |
| 1229 | /* apply for connection authorization */ |
| 1230 | { |
| 1231 | int ok = 0; |
| 1232 | + char *commonname; |
| 1233 | + |
| 1234 | (void)greeting; |
| 1235 | |
| 1236 | /* |
| 1237 | @@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct |
| 1238 | return(PS_SUCCESS); |
| 1239 | } |
| 1240 | |
| 1241 | -#ifdef SSL_ENABLE |
| 1242 | - if (maybe_tls(ctl)) { |
| 1243 | - char *commonname; |
| 1244 | - |
| 1245 | - commonname = ctl->server.pollname; |
| 1246 | - if (ctl->server.via) |
| 1247 | - commonname = ctl->server.via; |
| 1248 | - if (ctl->sslcommonname) |
| 1249 | - commonname = ctl->sslcommonname; |
| 1250 | + commonname = ctl->server.pollname; |
| 1251 | + if (ctl->server.via) |
| 1252 | + commonname = ctl->server.via; |
| 1253 | + if (ctl->sslcommonname) |
| 1254 | + commonname = ctl->sslcommonname; |
| 1255 | |
| 1256 | - if (strstr(capabilities, "STARTTLS") |
| 1257 | - || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| 1258 | +#ifdef SSL_ENABLE |
| 1259 | + if (maybe_starttls(ctl)) { |
| 1260 | + if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) |
| 1261 | + || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| 1262 | { |
| 1263 | - /* Use "tls1" rather than ctl->sslproto because tls1 is the only |
| 1264 | - * protocol that will work with STARTTLS. Don't need to worry |
| 1265 | - * whether TLS is mandatory or opportunistic unless SSLOpen() fails |
| 1266 | - * (see below). */ |
| 1267 | + /* Don't need to worry whether TLS is mandatory or |
| 1268 | + * opportunistic unless SSLOpen() fails (see below). */ |
| 1269 | if (gen_transact(sock, "STARTTLS") == PS_SUCCESS |
| 1270 | - && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, |
| 1271 | + && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, |
| 1272 | ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, |
| 1273 | ctl->server.pollname, &ctl->remotename)) != -1) |
| 1274 | { |
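Review bot: The inner test `(strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) || must_starttls(ctl)` calls `maybe_starttls(ctl)` again, although the enclosing `if (maybe_starttls(ctl))` has just established it. Assuming that helper has no side effects, `if (strstr(capabilities, "STARTTLS") || must_starttls(ctl))` is equivalent and makes the mandatory-versus-opportunistic decision easier to audit. SSLOpen() now receives `ctl->sslproto` instead of the fixed "tls1", so the protocol floor for the in-band upgrade depends on SSLOpen()'s parsing, which is outside this hunk. A comment at the call would record the expectation, for example `/* sslproto may be unset here; SSLOpen() is expected to map that to auto (TLSv1 or newer) - confirm */`. The `commonname` assignments now sit above `#ifdef SSL_ENABLE`, so as far as these hunks show a non-SSL build sets the variable without using it; imap_getauth() begins and ends outside the hunk.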
| 1275 | @@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct |
| 1276 | { |
| 1277 | report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); |
| 1278 | } |
| 1279 | - } else if (must_tls(ctl)) { |
| 1280 | + } else if (must_starttls(ctl)) { |
| 1281 | /* Config required TLS but we couldn't guarantee it, so we must |
| 1282 | * stop. */ |
| 1283 | set_timeout(0); |
| 1284 | @@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct |
| 1285 | /* Usable. Proceed with authenticating insecurely. */ |
| 1286 | } |
| 1287 | } |
| 1288 | + } else { |
| 1289 | + if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { |
| 1290 | + report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); |
| 1291 | + } |
| 1292 | } |
| 1293 | #endif /* SSL_ENABLE */ |
| 1294 | |
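Review bot: The warning in the new else branch is printed only when `outlevel >= O_VERBOSE`, so at the default output level a session where the server advertised STARTTLS but sslproto is '' goes on to authenticate with no trace in the log. The pop3.c else branch later in this patch uses the same gate (`has_stls && outlevel >= O_VERBOSE`). If a record of cleartext logins against TLS-capable servers is wanted, drop the verbosity test in both places, e.g. `if (strstr(capabilities, "STARTTLS")) {`. Otherwise add a comment such as `/* deliberately verbose-only: the user disabled TLS explicitly with sslproto '' */`. imap_getauth's body starts and ends outside this hunk.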
| 1295 | --- fetchmail-6.3.26.orig/po/Makevars |
| 1296 | +++ fetchmail-6.3.26/po/Makevars |
| 1297 | @@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis |
| 1298 | # This is the list of locale categories, beyond LC_MESSAGES, for which the |
| 1299 | # message catalogs shall be used. It is usually empty. |
| 1300 | EXTRA_LOCALE_CATEGORIES = |
| 1301 | + |
| 1302 | +# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' |
| 1303 | +# context. Possible values are "yes" and "no". Set this to yes if the |
| 1304 | +# package uses functions taking also a message context, like pgettext(), or |
| 1305 | +# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. |
| 1306 | +USE_MSGCTXT = no |
| 1307 | + |
| 1308 | +# These options get passed to msgmerge. |
| 1309 | +# Useful options are in particular: |
| 1310 | +# --previous to keep previous msgids of translated messages, |
| 1311 | +# --quiet to reduce the verbosity. |
| 1312 | +MSGMERGE_OPTIONS = |
| 1313 | --- fetchmail-6.3.26.orig/pop3.c |
| 1314 | +++ fetchmail-6.3.26/pop3.c |
| 1315 | @@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct |
| 1316 | #endif /* OPIE_ENABLE */ |
| 1317 | #ifdef SSL_ENABLE |
| 1318 | flag connection_may_have_tls_errors = FALSE; |
| 1319 | + char *commonname; |
| 1320 | #endif /* SSL_ENABLE */ |
| 1321 | |
| 1322 | done_capa = FALSE; |
| 1323 | @@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct |
| 1324 | (ctl->server.authenticate == A_KERBEROS_V5) || |
| 1325 | (ctl->server.authenticate == A_OTP) || |
| 1326 | (ctl->server.authenticate == A_CRAM_MD5) || |
| 1327 | - maybe_tls(ctl)) |
| 1328 | + maybe_starttls(ctl)) |
| 1329 | { |
| 1330 | if ((ok = capa_probe(sock)) != PS_SUCCESS) |
| 1331 | /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ |
| 1332 | @@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct |
| 1333 | (ok == PS_SOCKET && !ctl->wehaveauthed)) |
| 1334 | { |
| 1335 | #ifdef SSL_ENABLE |
| 1336 | - if (must_tls(ctl)) { |
| 1337 | + if (must_starttls(ctl)) { |
| 1338 | /* fail with mandatory STLS without repoll */ |
| 1339 | report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); |
| 1340 | report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); |
| 1341 | return ok; |
| 1342 | - } else if (maybe_tls(ctl)) { |
| 1343 | + } else if (maybe_starttls(ctl)) { |
| 1344 | /* defeat opportunistic STLS */ |
| 1345 | xfree(ctl->sslproto); |
| 1346 | ctl->sslproto = xstrdup(""); |
| 1347 | @@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct |
| 1348 | } |
| 1349 | |
| 1350 | #ifdef SSL_ENABLE |
| 1351 | - if (maybe_tls(ctl)) { |
| 1352 | - char *commonname; |
| 1353 | + commonname = ctl->server.pollname; |
| 1354 | + if (ctl->server.via) |
| 1355 | + commonname = ctl->server.via; |
| 1356 | + if (ctl->sslcommonname) |
| 1357 | + commonname = ctl->sslcommonname; |
| 1358 | |
| 1359 | - commonname = ctl->server.pollname; |
| 1360 | - if (ctl->server.via) |
| 1361 | - commonname = ctl->server.via; |
| 1362 | - if (ctl->sslcommonname) |
| 1363 | - commonname = ctl->sslcommonname; |
| 1364 | - |
| 1365 | - if (has_stls |
| 1366 | - || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| 1367 | + if (maybe_starttls(ctl)) { |
| 1368 | + if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ |
| 1369 | { |
| 1370 | - /* Use "tls1" rather than ctl->sslproto because tls1 is the only |
| 1371 | - * protocol that will work with STARTTLS. Don't need to worry |
| 1372 | - * whether TLS is mandatory or opportunistic unless SSLOpen() fails |
| 1373 | - * (see below). */ |
| 1374 | + /* Don't need to worry whether TLS is mandatory or |
| 1375 | + * opportunistic unless SSLOpen() fails (see below). */ |
| 1376 | if (gen_transact(sock, "STLS") == PS_SUCCESS |
| 1377 | - && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, |
| 1378 | + && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, |
| 1379 | ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, |
| 1380 | ctl->server.pollname, &ctl->remotename)) != -1) |
| 1381 | { |
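Review bot: The shortened comment above the STLS transaction no longer says which protocol the upgrade negotiates, even though the SSLOpen() call now receives `ctl->sslproto` instead of the fixed "tls1". Every value SSLOpen() accepts therefore applies to the in-band upgrade too, including "ssl3" where the library still provides it. I would extend the comment with `/* SSLOpen() is given the user's sslproto, so its protocol choice (and any minimum version it implies) applies to the STLS upgrade as well. */`. The imap.c hunk earlier in this patch makes the same substitution and would benefit from the same comment. pop3_getauth's body starts and ends outside this hunk.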
| 1382 | @@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct |
| 1383 | { |
| 1384 | report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); |
| 1385 | } |
| 1386 | - } else if (must_tls(ctl)) { |
| 1387 | + } else if (must_starttls(ctl)) { |
| 1388 | /* Config required TLS but we couldn't guarantee it, so we must |
| 1389 | * stop. */ |
| 1390 | set_timeout(0); |
| 1391 | @@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct |
| 1392 | } |
| 1393 | } |
| 1394 | } |
| 1395 | - } /* maybe_tls() */ |
| 1396 | + } else { /* maybe_starttls() */ |
| 1397 | + if (has_stls && outlevel >= O_VERBOSE) { |
| 1398 | + report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); |
| 1399 | + } |
| 1400 | + } /* maybe_starttls() */ |
| 1401 | #endif /* SSL_ENABLE */ |
| 1402 | |
| 1403 | /* |
| 1404 | --- fetchmail-6.3.26.orig/socket.c |
| 1405 | +++ fetchmail-6.3.26/socket.c |
| 1406 | @@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char |
| 1407 | { |
| 1408 | struct stat randstat; |
| 1409 | int i; |
| 1410 | + int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; |
| 1411 | long sslopts = SSL_OP_ALL; |
| 1412 | + int ssle_connect = 0; |
| 1413 | |
| 1414 | SSL_load_error_strings(); |
| 1415 | SSL_library_init(); |
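Review bot: `avoid_ssl_versions` is declared `int`, while the `sslopts` variable next to it is `long` and the two are OR-ed together in the later `SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions)` call. Declaring it with the same type, `long avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;`, keeps the `&= ~SSL_OP_NO_SSLv3` and `|= SSL_OP_NO_TLSv1` updates free of narrowing conversions. A short comment such as `/* protocol versions to forbid; relaxed or tightened by the sslproto parsing below */` would also help. SSLOpen's body continues outside this hunk.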
| 1416 | @@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char |
| 1417 | /* Make sure a connection referring to an older context is not left */ |
| 1418 | _ssl_context[sock] = NULL; |
| 1419 | if(myproto) { |
| 1420 | - if(!strcasecmp("ssl2",myproto)) { |
| 1421 | -#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 |
| 1422 | - _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); |
| 1423 | + if(!strcasecmp("ssl3",myproto)) { |
| 1424 | +#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) |
| 1425 | + _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); |
| 1426 | + avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; |
| 1427 | #else |
| 1428 | - report(stderr, GT_("Your operating system does not support SSLv2.\n")); |
| 1429 | + report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); |
| 1430 | return -1; |
| 1431 | #endif |
| 1432 | - } else if(!strcasecmp("ssl3",myproto)) { |
| 1433 | - _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); |
| 1434 | + } else if(!strcasecmp("ssl3+",myproto)) { |
| 1435 | + avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; |
| 1436 | + myproto = NULL; |
| 1437 | } else if(!strcasecmp("tls1",myproto)) { |
| 1438 | _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); |
| 1439 | - } else if (!strcasecmp("ssl23",myproto)) { |
| 1440 | + } else if(!strcasecmp("tls1+",myproto)) { |
| 1441 | + myproto = NULL; |
| 1442 | +#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION |
| 1443 | + } else if(!strcasecmp("tls1.1",myproto)) { |
| 1444 | + _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); |
| 1445 | + } else if(!strcasecmp("tls1.1+",myproto)) { |
| 1446 | + myproto = NULL; |
| 1447 | + avoid_ssl_versions |= SSL_OP_NO_TLSv1; |
| 1448 | +#else |
| 1449 | + } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { |
| 1450 | + report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); |
| 1451 | + return -1; |
| 1452 | +#endif |
| 1453 | +#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION |
| 1454 | + } else if(!strcasecmp("tls1.2",myproto)) { |
| 1455 | + _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); |
| 1456 | + } else if(!strcasecmp("tls1.2+",myproto)) { |
| 1457 | + myproto = NULL; |
| 1458 | + avoid_ssl_versions |= SSL_OP_NO_TLSv1; |
| 1459 | + avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; |
| 1460 | +#else |
| 1461 | + } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { |
| 1462 | + report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); |
| 1463 | + return -1; |
| 1464 | +#endif |
| 1465 | + } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { |
| 1466 | myproto = NULL; |
| 1467 | } else { |
| 1468 | - report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); |
| 1469 | + report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); |
| 1470 | myproto = NULL; |
| 1471 | } |
| 1472 | } |
| 1473 | - if(!myproto) { |
| 1474 | + // do not combine into an else { } as myproto may be nulled |
| 1475 | + // above! |
| 1476 | + if (!myproto) { |
| 1477 | + // SSLv23 is a misnomer and will in fact use the best |
| 1478 | + // available protocol, subject to SSL_OP_NO* |
| 1479 | + // constraints. |
| 1480 | _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); |
| 1481 | } |
| 1482 | if(_ctx[sock] == NULL) { |
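Review bot: An unrecognised sslproto value still ends in the final else branch, which only reports and then autoselects. A misspelt value that was meant to set a floor, such as one of the new `tls1.1+` or `tls1.2+` spellings, therefore silently loses that floor. The unsupported-version branches in this same hunk already fail closed with `return -1;`, and the invalid case could do the same: `report(stderr, GT_("Invalid SSL protocol '%s' specified.\n"), myproto); return -1;`. Separately, `0 == OPENSSL_NO_SSL3 + 0` evaluates true when the macro is defined with no value, so `#ifndef OPENSSL_NO_SSL3` would be the more robust guard if the OpenSSL headers define it that way. SSLOpen's body starts and ends outside this hunk.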
| 1483 | @@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char |
| 1484 | sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
| 1485 | } |
| 1486 | |
| 1487 | - SSL_CTX_set_options(_ctx[sock], sslopts); |
| 1488 | + SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); |
| 1489 | |
| 1490 | if (certck) { |
| 1491 | SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); |
| 1492 | @@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char |
| 1493 | } |
| 1494 | |
| 1495 | if (SSL_set_fd(_ssl_context[sock], sock) == 0 |
| 1496 | - || SSL_connect(_ssl_context[sock]) < 1) { |
| 1497 | + || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { |
| 1498 | + int e = errno; |
| 1499 | + unsigned long ssle_err_from_queue = ERR_peek_error(); |
| 1500 | + unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); |
| 1501 | ERR_print_errors_fp(stderr); |
| 1502 | + if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { |
| 1503 | + if (0 == ssle_connect) { |
| 1504 | + report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); |
| 1505 | + } else if (ssle_connect < 0) { |
| 1506 | + report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); |
| 1507 | + } |
| 1508 | + } |
| 1509 | SSL_free( _ssl_context[sock] ); |
| 1510 | _ssl_context[sock] = NULL; |
| 1511 | SSL_CTX_free(_ctx[sock]); |
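Review bot: When `SSL_set_fd()` is the call that fails, the `||` short-circuits and `ssle_connect` keeps its initial 0. `SSL_get_error()` is then asked about a return value that no `SSL_connect()` call produced, and the "Server shut down connection prematurely during SSL_connect()" message could be printed for a connect that never ran. Checking `SSL_set_fd()` in its own `if` before calling `SSL_connect()` would keep the diagnostics tied to the call that actually failed. `SSL_get_error()` also returns `int`, so the local is better declared as `int ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect);`. SSLOpen's body starts and ends outside this hunk.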
| 1512 | @@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char |
| 1513 | return(-1); |
| 1514 | } |
| 1515 | |
| 1516 | + if (outlevel >= O_VERBOSE) { |
| 1517 | + SSL_CIPHER const *sc; |
| 1518 | + int bitsmax, bitsused; |
| 1519 | + |
| 1520 | + const char *ver; |
| 1521 | + |
| 1522 | + ver = SSL_get_version(_ssl_context[sock]); |
| 1523 | + |
| 1524 | + sc = SSL_get_current_cipher(_ssl_context[sock]); |
| 1525 | + if (!sc) { |
| 1526 | + report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); |
| 1527 | + } else { |
| 1528 | + bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); |
| 1529 | + report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), |
| 1530 | + ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); |
| 1531 | + } |
| 1532 | + } |
| 1533 | + |
| 1534 | /* Paranoia: was the callback not called as we expected? */ |
| 1535 | if (!_depth0ck) { |
| 1536 | report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); |
| 1537 | --- /dev/null |
| 1538 | +++ fetchmail-6.3.26/starttls.c |
| 1539 | @@ -0,0 +1,37 @@ |
| 1540 | +/** \file tls.c - collect common TLS functionality |
| 1541 | + * \author Matthias Andree |
| 1542 | + * \date 2006 |
| 1543 | + */ |
| 1544 | + |
| 1545 | +#include "fetchmail.h" |
| 1546 | + |
| 1547 | +#include <string.h> |
| 1548 | + |
| 1549 | +#ifdef HAVE_STRINGS_H |
| 1550 | +#include <strings.h> |
| 1551 | +#endif |
| 1552 | + |
| 1553 | +/** return true if user allowed opportunistic STARTTLS/STLS */ |
| 1554 | +int maybe_starttls(struct query *ctl) { |
| 1555 | +#ifdef SSL_ENABLE |
| 1556 | + /* opportunistic or forced TLS */ |
| 1557 | + return (!ctl->sslproto || strlen(ctl->sslproto)) |
| 1558 | + && !ctl->use_ssl; |
| 1559 | +#else |
| 1560 | + (void)ctl; |
| 1561 | + return 0; |
| 1562 | +#endif |
| 1563 | +} |
| 1564 | + |
| 1565 | +/** return true if user requires STARTTLS/STLS, note though that this |
| 1566 | + * code must always use a logical AND with maybe_tls(). */ |
| 1567 | +int must_starttls(struct query *ctl) { |
| 1568 | +#ifdef SSL_ENABLE |
| 1569 | + return maybe_starttls(ctl) |
| 1570 | + && (ctl->sslfingerprint || ctl->sslcertck |
| 1571 | + || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); |
| 1572 | +#else |
| 1573 | + (void)ctl; |
| 1574 | + return 0; |
| 1575 | +#endif |
| 1576 | +} |
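Review bot: `must_starttls()` treats only the exact string "tls1" as making the upgrade mandatory, while SSLOpen() in this same patch also accepts `tls1+`, `tls1.1`, `tls1.1+`, `tls1.2` and `tls1.2+`. With one of those values and neither sslcertck nor sslfingerprint set, the imap.c and pop3.c callers appear to stay on the opportunistic path, where an unoffered or failed upgrade proceeds without TLS. If that is intended, the doc comment should say so, e.g. `/** return true if the user requires STARTTLS/STLS: sslfingerprint, sslcertck, or sslproto exactly "tls1"; all other sslproto values remain opportunistic */`. Otherwise the comparison should cover the new version names. The comments also carry stale names: `\file tls.c` should read `starttls.c`, and the reference to `maybe_tls()` should read `maybe_starttls()`.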