author | Matthias Andree <matthias.andree@gmx.de> | 2023-01-04 11:46:02 +0100 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2023-01-04 11:59:10 +0100 |
commit | f827307079714ea97e483942b25e3f6ab37cde8d (patch) | |
tree | c260bac0bd643b88f1313ac33c23a448c293f672 | |
parent | e689287068d682c8be1aca8348d1f761015463b6 (diff) | |
Bump TLS provider library requirements again.
-rw-r--r-- | INSTALL | 6 | ||||
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | README.SSL | 8 | ||||
-rw-r--r-- | socket.c | 9 |
4 files changed, 16 insertions, 10 deletions
@@ -29,10 +29,12 @@ This affects, f.i., LibreSSL, unless it is part of the operating system (f. i., on OpenBSD). However, LibreSSL diverges from OpenSSL and is not supported by the fetchmail maintainer. -Since 6.4.27, there is experimental support for wolfSSL 5.1.1 or newer, +Since 6.4.27, there has been experimental support for wolfSSL 5.1.1 or newer, which is under GNU GPL v2 or later license and hence may be easier for a consistent GPLv2+ licensing of fetchmail. This support requires a C99 -or newer compiler. +or newer compiler, and requires up-to-date wolfSSL versions as wolfSSL keeps +fixing vulnerabilities in newer version, so new fetchmail releases will +consistently raise the bar on wolfSSL version. Choose between OpenSSL or wolfSSL. @@ -104,7 +104,8 @@ fetchmail-6.4.35 (not yet released): # BREAKING CHANGES: * Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7, - and rejects wolfSSL older than 5.4.0. + and rejects wolfSSL older than 5.5.0. + -------------------------------------------------------------------------------- fetchmail-6.4.34 (released 2022-10-15, 31701 LoC): @@ -21,7 +21,7 @@ below and in the manual). fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only. -Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.4.0 or newer. +Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.5.3 or newer. Note that WolfSSL 5 is a bit less flexible about its trust store, see INSTALL chapter 2.1 for details. 
@@ -29,16 +29,16 @@ Note that many messages printed by fetchmail will print "OpenSSL" even if wolfSSL is being used. Reason is that fetchmail uses wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API. - -- Matthias Andree, 2022-11-01 + -- Matthias Andree, 2023-01-04 Quickstart ---------- -Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.4 or +Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.5 or newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions are unsupported upstream, and fetchmail rejects versions before v1.0.2f and -warns about versions before v1.1.1. +warns about versions before v1.1.1q or 3.0.7. wolfSSL needs to be configured with --enable-opensslall --enable-harden, else some required OpenSSL APIs are missing, especially for SNI (server name @@ -2,7 +2,7 @@ * socket.c -- socket library functions * * Copyright 1998 - 2004 by Eric S. Raymond. - * Copyright 2004 - 2020 by Matthias Andree. + * Copyright 2004 - 2023 by Matthias Andree. * Contributions by Alexander Bluhm, Earl Chew, John Beck. * For license terms, see the file COPYING in this directory. @@ -414,8 +414,11 @@ va_dcl { #endif #ifdef USING_WOLFSSL -# if LIBWOLFSSL_VERSION_HEX < 0x05004000L -# error "FAILED - wolfSSL MUST be at least version 5.4.0." +# if LIBWOLFSSL_VERSION_HEX < 0x05005001L +# error "FAILED - wolfSSL MUST be at least version 5.5.1. You have " LIBWOLFSSL_VERSION_STRING "." +# endif +# if LIBWOLFSSL_VERSION_HEX < 0x05005003L +# pragma message "WARNING - wolfSSL SHOULD be at least version 5.5.3. You have " LIBWOLFSSL_VERSION_STRING "." # endif #else /* !USING_WOLFSSL */ #define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */ |
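Review bot: The new `#error` line in the `USING_WOLFSSL` branch of socket.c will not report the installed version, because the text after `#error` is not macro-expanded and `LIBWOLFSSL_VERSION_STRING` is printed literally; the `#pragma message` form two lines below does expand it on GCC and Clang. Emitting the version separately just before the error would fix that: `#  pragma message "wolfSSL headers found: " LIBWOLFSSL_VERSION_STRING` followed by `#  error "FAILED - wolfSSL MUST be at least version 5.5.1."`. The hard floor enforced here is 5.5.1, while the NEWS hunk of this same commit says fetchmail rejects wolfSSL older than 5.5.0 and README.SSL names 5.5.3, so the three statements should be brought into agreement. This is a build-time check against the headers only; if socket.c has no runtime comparison elsewhere (not visible in this hunk), a dynamically linked older library would pass unnoticed, and `wolfSSL_lib_version_hex()` could be checked against the same floor at startup. The preprocessor region this hunk edits begins and continues outside the lines shown.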