author    Matthias Andree <matthias.andree@gmx.de> 2020-03-30 14:25:05 +0200
committer Matthias Andree <matthias.andree@gmx.de> 2020-03-30 14:25:05 +0200
commit    1877c3d444e6109a3d9273e46b4b9c8e8c50ea2a (patch)
tree      c7eebdf02f498868bdda160641b63a355701dc76
parent    d3d47ccbc933ee34151f0b42b83553a2f0e2b181 (diff)
download  fetchmail-1877c3d444e6109a3d9273e46b4b9c8e8c50ea2a.tar.gz
          fetchmail-1877c3d444e6109a3d9273e46b4b9c8e8c50ea2a.tar.bz2
          fetchmail-1877c3d444e6109a3d9273e46b4b9c8e8c50ea2a.zip
"Require" OpenSSL 1.1.1 and tolerate/warn 1.0.2.
OpenSSL 1.0.2 is EOL since end of 2019, so warn if it is to be used at configure and compile time. The assumption is that 1.0.2 may still be in use by maintainers that backport security fixes. Also warn, at configure time, about "OpenSSL" API-compatible libraries that do not declare TLS1_3_VERSION.
-rw-r--r--  NEWS                8
-rw-r--r--  README.SSL          6
-rw-r--r--  README.git          4
-rw-r--r--  README.packaging    3
-rw-r--r--  configure.ac        3
-rw-r--r--  fetchmail-FAQ.html  8
-rw-r--r--  fetchmail.c         6
-rw-r--r--  socket.c            4
8 files changed, 32 insertions, 10 deletions
diff --git a/NEWS b/NEWS
index 7f25c694..1a503c1b 100644
--- a/NEWS
+++ b/NEWS
@@ -77,6 +77,14 @@ fetchmail-6.4.3 (WIP)
Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
Reported by Stefan Thurner.
+## CHANGES:
+* Fetchmail documentation was updated to require OpenSSL 1.1.1.
+ OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
+ Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
+ distributors backport security fixes as the need arises.
+ Fetchmail will also warn if another SSL library that is API-compatible
+ with OpenSSL lacks TLS v1.3 support.
+
fetchmail-6.4.2 (released 2020-02-14, 27473 LoC):
## BREAKING CHANGES:
diff --git a/README.SSL b/README.SSL
index 9111cf62..6c85eb38 100644
--- a/README.SSL
+++ b/README.SSL
@@ -27,9 +27,9 @@ and v3 are broken.
Quickstart
----------
-Use an up-to-date release of OpenSSL 1.0.2 or newer, so as to get
-TLSv1.2 support. If possible, use a TLS1.3-enabled OpenSSL v1.1.1 or newer.
-Older OpenSSL versions are unsupported upstream, and fetchmail rejects them.
+Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
+TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
+fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
In all four examples below, the (--)sslcertck has become redunant
since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
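Review bot: the unchanged context line directly below the rewritten Quickstart paragraph still reads "has become redunant"; since this hunk already touches the paragraph, fold the spelling fix ("redundant") into it rather than leaving the typo for a later commit.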
diff --git a/README.git b/README.git
index 1781c192..2ffb6799 100644
--- a/README.git
+++ b/README.git
@@ -12,7 +12,7 @@ The prerequisite packages are:
- GNU m4
- GNU bison
- GNU flex >= 2.5.30
-- A TLSv1.2-capable OpenSSL version (>= 1.0.2)
+- A TLSv1.3-capable OpenSSL version (>= 1.1.1)
After you have everything installed, type:
@@ -28,4 +28,4 @@ $ make
(become root)
# make install-strip
--- Matthias Andree, 2016-09-24
+-- Matthias Andree, 2020-03-30
diff --git a/README.packaging b/README.packaging
index d4f8bf47..819d0613 100644
--- a/README.packaging
+++ b/README.packaging
@@ -8,7 +8,8 @@ Greetings, dear packager!
The bullet points below mention a few useful hints for package(r)s:
-- Fetchmail requires a somewhat recent OpenSSL v1.0.2.
+- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now
+ but assumes the distributor backports security fixes for it.
- Fetchmail now uses automake and supports all common automake targets and
overrides such as "make install-strip" or "DESTDIR=..." for staging areas.
diff --git a/configure.ac b/configure.ac
index 31373d2a..f1a58c3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -799,6 +799,9 @@ else
fi
case "$LIBS" in *-lssl*)
+ AC_CHECK_DECLS([TLS1_3_VERSION],,
+ AC_MSG_WARN([Your OpenSSL version is too old and does not support TLS v1.3. Upgrade.]),
+ [#include <openssl/ssl.h>])
AC_CHECK_DECLS([TLS1_2_VERSION],,
AC_MSG_ERROR([Your OpenSSL version is too old and does not support TLS v1.2. Upgrade.]),
[#include <openssl/ssl.h>])
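Review bot: the new TLS1_3_VERSION check is placed before the existing TLS1_2_VERSION check, so a library that lacks both first prints the "does not support TLS v1.3" warning and then aborts with the TLS v1.2 error; putting the fatal TLS v1.2 check first avoids the misleading warning. Also note that AC_CHECK_DECLS always defines HAVE_DECL_TLS1_3_VERSION, to 1 or to 0, so any C code that consumes this result must test its value (`#if !HAVE_DECL_TLS1_3_VERSION`) rather than its presence with `#ifndef`.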
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html
index 5b9a1203..58e89e72 100644
--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -2070,7 +2070,7 @@ SSL?</a></h2>
<p>You'll need to have the <a
href="https://www.openssl.org/">OpenSSL</a> libraries installed, and they
-should at least be version 1.0.2.
+should at least be version 1.1.1.
Configure with --with-ssl (default since fetchmail v6.4.0). If you have the OpenSSL libraries
installed in commonly-used default locations, this will
suffice. If you have them installed in a non-default location,
@@ -2459,14 +2459,14 @@ applications linked against older OpenSSL versions.</p>
<p>Note: OpenSSL's <code>c_rehash</code> script is broken in several versions,
which can cause malfunction if several OpenSSL tools versions are installed in
parallel in separate directories. In such cases, you may need a workaround to
-get things going. Assuming your OpenSSL 1.0.2 is installed in
-<code>/opt/openssl1.0.2</code> and your certificates are in
+get things going. Assuming your OpenSSL 1.1.1 is installed in
+<code>/opt/openssl1.1.1</code> and your certificates are in
<code>/home/hans/certs</code>, you'd do this (the corresponding fetchmail
option is <kbd>--sslcertpath /home/hans/certs</kbd> on the commandline and
<kbd>sslcertpath /home/hans/cert</kbd> in the rcfile):</p>
<pre>
-env PATH=/opt/openssl1.0.2/bin /opt/openssl1.0.2/bin/c_rehash /home/hans/certs
+env PATH=/opt/openssl1.1.1/bin /opt/openssl1.1.1/bin/c_rehash /home/hans/certs
</pre>
<h2><a id="R15" name="R15">R15. Help, I'm getting Authorization failure!</a></h2>
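Review bot: the context lines of this hunk show the commandline option as `--sslcertpath /home/hans/certs` but the rcfile form as `sslcertpath /home/hans/cert` (no trailing "s"); since the surrounding paragraph is being edited anyway, align the rcfile example with the `/home/hans/certs` path used in the `c_rehash` command below.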
diff --git a/fetchmail.c b/fetchmail.c
index 69d80e23..c74d553c 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -272,6 +272,12 @@ int main(int argc, char **argv)
"-SSLv3"
#endif
#endif
+#ifndef HAVE_DECL_TLS1_2_VERSION
+ "-TLS1.2"
+#endif
+#ifndef HAVE_DECL_TLS1_2_VERSION
+ "-TLS1.3"
+#endif
#ifdef OPIE_ENABLE
"+OPIE"
#endif /* OPIE_ENABLE */
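Review bot: both new conditionals test `HAVE_DECL_TLS1_2_VERSION`, so the "-TLS1.3" feature string is guarded by the TLS v1.2 macro and will never reflect the TLS v1.3 check added in configure.ac; the second block should read `HAVE_DECL_TLS1_3_VERSION`. Independently, AC_CHECK_DECLS defines HAVE_DECL_* to 0 when the declaration is missing rather than leaving it undefined, so `#ifndef` is always false here and neither "-TLS1.2" nor "-TLS1.3" can ever be emitted; use `#if !HAVE_DECL_TLS1_2_VERSION` and `#if !HAVE_DECL_TLS1_3_VERSION` instead.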
diff --git a/socket.c b/socket.c
index b442e5f9..c2f6fc7a 100644
--- a/socket.c
+++ b/socket.c
@@ -393,6 +393,10 @@ va_dcl {
#pragma message "WARNING - LibreSSL is unsupported. Use at your own risk."
#endif
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
+#pragma message "WARNING - OpenSSL SHOULD be at least version 1.1.1."
+#endif
+
#if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
#error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported.
#else
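Review bot: the bare literal `0x1010100fL` duplicates the version encoding that the existing minimum check expresses through the named `fm_MIN_OPENSSL_VER` macro a few lines below; define a matching constant for the recommended version next to it so the two thresholds are documented and updated in one place. The `#pragma message` form matches the LibreSSL warning just above, so the style is consistent, but like that warning it only fires when socket.c is compiled and is easy to miss in a parallel build log; the configure-time TLS1_3_VERSION warning from this same commit is the more visible signal, so consider referring to it in the NEWS entry.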