authorSunil Shetye <shetye@bombay.retortsoft.com>2010-11-11 11:49:21 +0530
committerMatthias Andree <matthias.andree@gmx.de>2010-11-19 12:17:37 +0100
commitd1a40cf7cefbffe5ae41612f60b176ad0fc59847 (patch)
tree232220661ed63456a4cd62ed253b30b4969509e8
parente5fd7d15fd251658aed0853aee117c672035b1c0 (diff)
downloadfetchmail-d1a40cf7cefbffe5ae41612f60b176ad0fc59847.tar.gz
fetchmail-d1a40cf7cefbffe5ae41612f60b176ad0fc59847.tar.bz2
fetchmail-d1a40cf7cefbffe5ae41612f60b176ad0fc59847.zip
Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory, ignoring server capabilities
-rw-r--r--NEWS2
-rw-r--r--imap.c7
-rw-r--r--pop3.c7
3 files changed, 6 insertions, 10 deletions
diff --git a/NEWS b/NEWS
index 01cd2c0f..c9d08481 100644
--- a/NEWS
+++ b/NEWS
@@ -78,6 +78,8 @@ fetchmail-6.3.19 (not yet released):
* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
and Derek Simkowiak via the fetchmail-users@ mailing list.
+* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
+ server capabilities do not show support for upgradation to TLS. (Sunil Shetye)
# DOCUMENTATION:
* The manual page now links to IANA for GSSAPI service names.
diff --git a/imap.c b/imap.c
index cbaa913b..11b206c0 100644
--- a/imap.c
+++ b/imap.c
@@ -430,7 +430,8 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
if (ctl->sslcommonname)
commonname = ctl->sslcommonname;
- if (strstr(capabilities, "STARTTLS"))
+ if (strstr(capabilities, "STARTTLS")
+ || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
{
/* Use "tls1" rather than ctl->sslproto because tls1 is the only
* protocol that will work with STARTTLS. Don't need to worry
@@ -478,10 +479,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
}
/* Usable. Proceed with authenticating insecurely. */
}
- } else if (must_tls(ctl)) {
- /* Config required TLS but STARTTLS is not advertised. */
- report(stderr, GT_("%s: cannot upgrade to TLS: no STARTTLS in CAPABILITY response.\n"), commonname);
- return PS_SOCKET;
}
}
#endif /* SSL_ENABLE */
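Review bot: The guarantee that a must_tls(ctl) session never reaches plaintext authentication now rests entirely on the STARTTLS failure handling inside the if-block between the two hunks, because the explicit `return PS_SOCKET` for a missing STARTTLS capability is removed; that hidden path should be confirmed to return on failure whenever TLS is mandatory rather than taking the opportunistic "trying to continue" branch, and the same applies to the equivalent hunks in pop3.c. The removed diagnostic also named the concrete cause (no STARTTLS in CAPABILITY), which a generic STARTTLS-failure message may not, so a line before the command such as `if (must_tls(ctl) && !strstr(capabilities, "STARTTLS")) report(stdout, GT_("%s: STARTTLS not advertised, attempting it anyway because TLS is mandatory.\n"), commonname);` would preserve that troubleshooting hint. As a point of style, the `|| must_tls(ctl)` continuation line carries the explanatory comment; placing it on its own line above the `if` keeps the condition readable. imap_getauth starts and ends outside the hunks.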
diff --git a/pop3.c b/pop3.c
index 21251e59..3e62d864 100644
--- a/pop3.c
+++ b/pop3.c
@@ -440,7 +440,8 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
if (ctl->sslcommonname)
commonname = ctl->sslcommonname;
- if (has_stls)
+ if (has_stls
+ || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
{
/* Use "tls1" rather than ctl->sslproto because tls1 is the only
* protocol that will work with STARTTLS. Don't need to worry
@@ -490,10 +491,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue.\n"), commonname);
}
}
- } else if (must_tls(ctl)) {
- /* Config required TLS but STLS is not advertised. */
- report(stderr, GT_("%s: cannot upgrade to TLS: no STLS in CAPA response.\n"), commonname);
- return PS_SOCKET;
}
} /* maybe_tls() */
#endif /* SSL_ENABLE */