author Matthias Andree <matthias.andree@gmx.de> 2023-01-04 11:46:02 +0100
committer Matthias Andree <matthias.andree@gmx.de> 2023-01-04 11:59:10 +0100
commit f827307079714ea97e483942b25e3f6ab37cde8d (patch)
tree c260bac0bd643b88f1313ac33c23a448c293f672
parent e689287068d682c8be1aca8348d1f761015463b6 (diff)
Bump TLS provider library requirements again.
-rw-r--r-- INSTALL 6
-rw-r--r-- NEWS 3
-rw-r--r-- README.SSL 8
-rw-r--r-- socket.c 9
4 files changed, 16 insertions, 10 deletions
diff --git a/INSTALL b/INSTALL
index 74a15823..5554cc83 100644
--- a/INSTALL
+++ b/INSTALL
@@ -29,10 +29,12 @@ This affects, f.i., LibreSSL, unless it is part of the operating system
(f. i., on OpenBSD). However, LibreSSL diverges from OpenSSL and is
not supported by the fetchmail maintainer.
-Since 6.4.27, there is experimental support for wolfSSL 5.1.1 or newer,
+Since 6.4.27, there has been experimental support for wolfSSL 5.1.1 or newer,
which is under GNU GPL v2 or later license and hence may be easier for
a consistent GPLv2+ licensing of fetchmail. This support requires a C99
-or newer compiler.
+or newer compiler, and requires up-to-date wolfSSL versions as wolfSSL keeps
+fixing vulnerabilities in newer version, so new fetchmail releases will
+consistently raise the bar on wolfSSL version.
Choose between OpenSSL or wolfSSL.
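Review bot: the reworded first line still names "wolfSSL 5.1.1 or newer" as the supported range, while the socket.c check in this same commit stops the build for anything below 5.5.1. The new sentence about raising the bar then sits next to a number a reader cannot actually build with. Suggest stating the current minimum here, or referring to README.SSL for it, so INSTALL does not need touching on every bump. Minor wording in the added lines: "in newer version" should be "in newer versions" and "on wolfSSL version" should be "on the wolfSSL version".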
diff --git a/NEWS b/NEWS
index abb4d2bb..cc75fef4 100644
--- a/NEWS
+++ b/NEWS
@@ -104,7 +104,8 @@ fetchmail-6.4.35 (not yet released):
# BREAKING CHANGES:
* Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7,
- and rejects wolfSSL older than 5.4.0.
+ and rejects wolfSSL older than 5.5.0.
+
--------------------------------------------------------------------------------
fetchmail-6.4.34 (released 2022-10-15, 31701 LoC):
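Review bot: the added line "and rejects wolfSSL older than 5.5.0" does not match the check in socket.c, which uses `LIBWOLFSSL_VERSION_HEX < 0x05005001L` and says "MUST be at least version 5.5.1", so 5.5.0 itself is rejected as well. Under BREAKING CHANGES the exact cut-off matters to packagers. Suggest "rejects wolfSSL older than 5.5.1 and warns about versions before 5.5.3", which is what the preprocessor checks implement.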
diff --git a/README.SSL b/README.SSL
index bcc2070a..7f9055c1 100644
--- a/README.SSL
+++ b/README.SSL
@@ -21,7 +21,7 @@ below and in the manual).
fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.4.0 or newer.
+Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.5.3 or newer.
Note that WolfSSL 5 is a bit less flexible about its trust store,
see INSTALL chapter 2.1 for details.
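Review bot: "WolfSSL 5.5.3 or newer" on the changed line is a third wolfSSL number in this commit, next to "5.5 or newer" in the Quickstart paragraph of the same file and the 5.5.1 hard limit in socket.c. As the code stands, 5.5.1 and 5.5.2 still build and only trigger a warning. Suggest separating the two levels in this sentence, for example required 5.5.1 and recommended 5.5.3, and using the same wording in the Quickstart paragraph.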
@@ -29,16 +29,16 @@ Note that many messages printed by fetchmail will print "OpenSSL"
even if wolfSSL is being used. Reason is that fetchmail uses
wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API.
- -- Matthias Andree, 2022-11-01
+ -- Matthias Andree, 2023-01-04
Quickstart
----------
-Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.4 or
+Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.5 or
newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions
are unsupported upstream, and fetchmail rejects versions before v1.0.2f and
-warns about versions before v1.1.1.
+warns about versions before v1.1.1q or 3.0.7.
wolfSSL needs to be configured with --enable-opensslall --enable-harden,
else some required OpenSSL APIs are missing, especially for SNI (server name
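Review bot: the new line "warns about versions before v1.1.1q or 3.0.7" disagrees with the earlier line in this file ("OpenSSL 3.0.7 and 1.1.1s") and with NEWS ("warns about OpenSSL before 1.1.1s or 3.0.7"). One of 1.1.1q and 1.1.1s is a typo; the OpenSSL warning threshold is not visible in this diff, so please check it against the constant in socket.c and use the same value in all three places. The mixed "v1.1.1q" and "3.0.7" prefixes on that line could also be made uniform.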
diff --git a/socket.c b/socket.c
index 67fdea57..e2058eee 100644
--- a/socket.c
+++ b/socket.c
@@ -2,7 +2,7 @@
* socket.c -- socket library functions
*
* Copyright 1998 - 2004 by Eric S. Raymond.
- * Copyright 2004 - 2020 by Matthias Andree.
+ * Copyright 2004 - 2023 by Matthias Andree.
* Contributions by Alexander Bluhm, Earl Chew, John Beck.
* For license terms, see the file COPYING in this directory.
@@ -414,8 +414,11 @@ va_dcl {
#endif
#ifdef USING_WOLFSSL
-# if LIBWOLFSSL_VERSION_HEX < 0x05004000L
-# error "FAILED - wolfSSL MUST be at least version 5.4.0."
+# if LIBWOLFSSL_VERSION_HEX < 0x05005001L
+# error "FAILED - wolfSSL MUST be at least version 5.5.1. You have " LIBWOLFSSL_VERSION_STRING "."
+# endif
+# if LIBWOLFSSL_VERSION_HEX < 0x05005003L
+# pragma message "WARNING - wolfSSL SHOULD be at least version 5.5.3. You have " LIBWOLFSSL_VERSION_STRING "."
# endif
#else /* !USING_WOLFSSL */
#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
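Review bot: in the new `#error` line, `LIBWOLFSSL_VERSION_STRING` will most likely be printed as a literal token rather than as the installed version, because `#error` does not macro-expand its argument (GCC documents this) and does not concatenate adjacent string literals. The message would read "You have " LIBWOLFSSL_VERSION_STRING "." verbatim. The `#pragma message` form below it does expand macros on GCC, so the version only shows up in the warning case. Either drop the "You have" part from the `#error` text or accept that only the warning reports the version. Separately, `#pragma message` is a compiler extension: a compiler that does not recognise it may ignore it silently, so the 5.5.3 recommendation may never reach the user on such toolchains. A short comment saying so, or a fallback run-time notice, would help.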