authorMatthias Andree <matthias.andree@gmx.de>2006-08-07 08:51:57 +0000
committerMatthias Andree <matthias.andree@gmx.de>2006-08-07 08:51:57 +0000
commit87b354e857e98da2f8b60d09e7e0d174a2f1bda9 (patch)
treeb26cb8833d7bcb321147be297ee39f9b38ea88c8
parentc37b5d80dcbc0b30427ac7671b9eccd8856b1579 (diff)
Log opportunistic TLS upgrades in verbose mode.
svn path=/branches/BRANCH_6-3/; revision=4881
-rw-r--r--NEWS2
-rw-r--r--TODO.txt2
-rw-r--r--fetchmail.man8
-rw-r--r--imap.c9
-rw-r--r--pop3.c18
5 files changed, 25 insertions, 14 deletions
diff --git a/NEWS b/NEWS
index f278b29a..f717d1c8 100644
--- a/NEWS
+++ b/NEWS
@@ -104,6 +104,8 @@ fetchmail 6.3.5 (not yet released):
* Keep syslog output at one line per message (this works if no errors occur).
* Track getaddrinfo() results to properly free them after timeouts,
reported by Uli Zappe. This MIGHT fix Debian Bug#294547 and Bug#377135.
+* Fetchmail in verbose mode now logs if it opportunistically upgrades a POP3
+ or IMAP connection to TLS security with STLS/STARTTLS.
# CHANGES:
* Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
diff --git a/TODO.txt b/TODO.txt
index f8993ce4..fed38769 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,3 @@
-- log/print warning if fetchmail uses TLS without configuration,
- to avoid users being surprised (see Debian Bug#294547).
- allow full user@domain mappings in multidrop matching
(is this perhaps a 6.4.0 issue?) see Andrew Longland-Meech's
multidrop problems on fetchmail-users
diff --git a/fetchmail.man b/fetchmail.man
index 648f7e1b..adab35cc 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -401,12 +401,14 @@ server. This can cause some complications in daemon mode.
.TP
.B \-\-sslproto <name>
(Keyword: sslproto)
-Forces an SSL protocol. Possible values are '\fBssl2\fR',
+Forces an SSL or TLS protocol. Possible values are '\fBssl2\fR',
\&'\fBssl3\fR', '\fBssl23\fR', and '\fBtls1\fR'. Try this if the default
handshake does not work for your server. To defeat automatic TLSv1
negotiation when the server advertises STARTTLS or STLS, use \fB''\fR or
-\&'\fBssl23\fR'. The default is to try appropriate protocols depending
-on context.
+\&'\fBssl23\fR'. This option, even if the argument is the empty string,
+will also suppress the diagnostic 'SERVER: opportunistic upgrade to
+TLS.' message in verbose mode. The default is to try appropriate
+protocols depending on context.
.TP
.B \-\-sslcertck
(Keyword: sslcertck)
diff --git a/imap.c b/imap.c
index 5fe6bc10..d1ee1c2b 100644
--- a/imap.c
+++ b/imap.c
@@ -391,7 +391,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
* not other SSL protocols
*/
if (ok == PS_SUCCESS &&
- SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+ SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ ctl->sslcertpath,ctl->sslfingerprint,
+ realhost,ctl->server.pollname) == -1)
{
if (!ctl->sslproto && !ctl->wehaveauthed)
{
@@ -402,7 +404,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
report(stderr,
GT_("SSL connection failed.\n"));
return PS_SOCKET;
- }
+ } else {
+ if (outlevel >= O_VERBOSE && !ctl->sslproto)
+ report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+ }
did_stls = TRUE;
/*
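Review bot: The new `else` branch after `return PS_SOCKET;` is also taken when `ok != PS_SUCCESS`, i.e. when the server rejected the STLS/STARTTLS command and SSLOpen() was never called, so verbose mode then prints `opportunistic upgrade to TLS` for a session that is still plaintext; the pop3.c hunk at line 449 has the same shape. Because the `if` condition is a conjunction of the STLS result and the SSLOpen() result, its `else` cannot distinguish "STLS refused" from "TLS established". Guard the message on the command result in both files, `} else if (ok == PS_SUCCESS) {`, so the log never claims an upgrade that did not happen — someone reading the verbose log to confirm that credentials were sent under TLS would otherwise be misled. The `did_stls = TRUE;` on the following line is likewise set regardless of `ok`; whether that is intended cannot be told from this hunk. imap_getauth() begins and continues outside the hunk.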
diff --git a/pop3.c b/pop3.c
index fd5b1304..e32103d7 100644
--- a/pop3.c
+++ b/pop3.c
@@ -449,21 +449,25 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
ok = gen_transact(sock, "STLS");
/* We use "tls1" instead of ctl->sslproto, as we want STLS,
- * not other SSL protocols
- */
+ * not other SSL protocols */
if (ok == PS_SUCCESS &&
- SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+ SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ ctl->sslcertpath,ctl->sslfingerprint,
+ realhost,ctl->server.pollname) == -1)
{
if (!ctl->sslproto && !ctl->wehaveauthed)
{
ctl->sslproto = xstrdup("");
- /* repoll immediately */
- return(PS_REPOLL);
+ /* repoll immediately without TLS */
+ return PS_REPOLL;
}
report(stderr,
GT_("SSL connection failed.\n"));
- return PS_SOCKET;
- }
+ return PS_SOCKET;
+ } else {
+ if (outlevel >= O_VERBOSE && !ctl->sslproto)
+ report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+ }
did_stls = TRUE;
/*