author Matthias Andree <matthias.andree@gmx.de> 2021-11-21 00:13:12 +0100
committer Matthias Andree <matthias.andree@gmx.de> 2021-11-21 00:43:42 +0100
commit 4ccbbe06175d6dd15d4409d39dd83ed7b73671c9
tree 5d86c36e2486d36d99673bd93539c27683811371
parent 3a9ab6af45b2520f5f88fdd37c53870a6231d04f
Update SSL configure instructions and license info.
-rw-r--r-- COPYING 40
-rw-r--r-- INSTALL 13
-rw-r--r-- NEWS 6
-rw-r--r-- README.SSL 10
4 files changed, 53 insertions, 16 deletions
diff --git a/COPYING b/COPYING
index c22cfdff..9b414c84 100644
--- a/COPYING
+++ b/COPYING
@@ -11,27 +11,53 @@ Carl E. Harris, George M. Sipe, Graham Wilson, Matthias Andree and Sunil Shetye.
SSL library considerations
~~~~~~~~~~~~~~~~~~~~~~~~~~
-If linking against OpenSSL versions under dual OpenSSL/SSLeay license (f. i.
-OpenSSL 1.1.1x and older) is enabled at configure/compile time, the
+If linking against OpenSSL versions under dual OpenSSL/SSLeay license (f. i.
+OpenSSL 1.1.1x and older) is enabled at configure/compile time, the
following clause applies:
| This product includes software developed by the OpenSSL Project
| for use in the OpenSSL Toolkit. (http://www.openssl.org/)
+|Linking fetchmail statically or dynamically with other modules is making
+|a combined work based on fetchmail. Thus, the terms and conditions
+|of the GNU General Public License cover the whole combination.
+|
+|In addition, as a special exception, the copyright holders of fetchmail
+|give you permission to combine fetchmail with free
+|software programs or libraries that are released under the GNU LGPL and with
+|code included in the standard release of OpenSSL under the OpenSSL or SSLeay license
+|(or modified versions of such code, with unchanged license).
+|
+|You may copy and distribute such a system following the terms of the GNU GPL
+|for fetchmail and the licenses of the other code concerned,
+|provided that you include the source code of that other code when and as the
+|GNU GPL requires distribution of source code.
+|
+|Note that people who make modified versions of fetchmail are not obligated to
+|grant this special exception for their modified versions; it is their choice
+|whether to do so. The GNU General Public License gives permission to release
+|a modified version without this exception; this exception also makes it
+|possible to release a modified version which carries forward this exception.
+|
+|In short:
Specific permission is granted for the GPLed code in this distribution to
be linked to OpenSSL without invoking GPL clause 2(b).
Note that this permission applies to OpenSSL, and OpenSSL only.
+The Free Software Foundation asserts that a GPL v2 clause 2b exception is
+required even for dynamically linked binaries. See
+https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
-If linking against OpenSSL versions licensed under the Apache License version
+
+If linking against OpenSSL versions licensed under the Apache License version
2.0 (for instance, OpenSSL 3.0.x), note that this library is incompatible with
-the GPLv2, so that effectively, distributors need to pull the "or any later version"
+the GPLv2, so that effectively, distributors need to use the "or any later version"
grant in the GPLv2 and apply the GPLv3 which is considered compatible with the
Apache License 2.0 by the FSF and the ASF.
-Fetchmail can be linked against wolfSSL, which is under GNU General Public License v2,
-or optionally, any later version.
+Fetchmail can be linked against wolfSSL,
+which is under GNU General Public License v2, or optionally, any later version.
~~~~~~~~~~~~~~~~~~~~~~~~~~
The support for SMB authentication is copyright by Andrew Tridgell and
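Review bot: The "In short:" summary that closes the added exception no longer matches the long form above it. The new paragraph permits combining fetchmail with "libraries that are released under the GNU LGPL" as well as OpenSSL/SSLeay-licensed code, while the retained context line still says "this permission applies to OpenSSL, and OpenSSL only". Either narrow the long form or reword the summary, so that a distributor who reads only one of them reaches the same conclusion. Two smaller points: "|In short:" sits inside the bar-quoted block while the sentences it introduces are unquoted, and the added lines use "|" without the space that the existing "| This product includes ..." lines have. The first -/+ pairs in this hunk read identically as rendered here, which suggests whitespace-only changes; those are easier to review in a commit of their own, apart from licence text.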
@@ -69,7 +95,7 @@ Stenberg and also under a liberal license:
| MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHORS AND
| CONTRIBUTORS ACCEPT NO RESPONSIBILITY IN ANY CONCEIVABLE MANNER.
-The libesmtp/* files functions are (C) by Brian Stafford, see the respective
+The libesmtp/* files functions are (C) by Brian Stafford, see the respective
file headers for details (LGPL v2.1 or later).
The KAME/* files are (C) Copyright (C) 1995, 1996, 1997, and 1998 WIDE
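Review bot: The only change in this hunk is to the "The libesmtp/* files functions are (C) by Brian Stafford" line, and the removed and added text read identically as rendered here, so this looks like a trailing-whitespace cleanup riding along with the licence update. Since the line is being touched anyway, "files functions" could be corrected in the same edit; otherwise consider moving whitespace-only changes out of a commit that alters licence terms.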
diff --git a/INSTALL b/INSTALL
index 32f27233..298d1694 100644
--- a/INSTALL
+++ b/INSTALL
@@ -95,14 +95,23 @@ When using OpenSSL:
./configure
-When using wolfSSL (adjust the location, see below):
+ It is possible to either specify the install path, or pkg-config
+ module name, with --with-ssl, examples:
+
+ ./configure --with-ssl=/opt/openssl3
+
+ ./configure --with-ssl=eopenssl30
+
+When using wolfSSL (adjust the trust file location, see below):
./configure --with-wolfssl \
WOLFSSL_TRUST_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Here, you need to adjust the file path according to where your ca_cert_nss or
ca-certificates package installs the default trust bundle in PEM format with
-BEGIN CERTIFICATE lines. Some typical locations as of 2021 are:
+BEGIN CERTIFICATE lines. wolfSSL 5.0.0 cannot parse BEGIN TRUSTED CERTIFICATE bundles.
+
+Some typical locations as of 2021 are:
on Fedora Linux: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
on Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
on FreeBSD: /usr/local/share/certs/ca-root-nss.crt
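Review bot: The added sentence "wolfSSL 5.0.0 cannot parse BEGIN TRUSTED CERTIFICATE bundles" names the limitation but not what the user sees when WOLFSSL_TRUST_FILE points at such a bundle. Please state whether the failure shows up at configure time, at build time, or as failed certificate verification at run time, and how to tell which format a bundle is in; a trust store that is rejected loudly is a very different situation from one that loads without usable anchors. In the new --with-ssl examples, label which line is the install path (/opt/openssl3) and which is the pkg-config module name (eopenssl30), and say how configure tells the two apart.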
diff --git a/NEWS b/NEWS
index ac5d087f..fc0eb60a 100644
--- a/NEWS
+++ b/NEWS
@@ -95,7 +95,7 @@ fetchmail-6.4.25 (not yet released):
# BREAKING CHANGES
* Since distributions continue patching for LibreSSL use, which cannot be
linked legally, block out LibreSSL in configure.ac and socket.c, and
- refer to COPYING.
+ refer to COPYING. OpenSSL and wolfSSL 5 can be used.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix
release, and 1.0.2u is publicly available from
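Review bot: The added sentence "OpenSSL and wolfSSL 5 can be used." in the LibreSSL bullet presents wolfSSL 5 as an equal alternative, while the CHANGES entry in the same file says wolfSSL support "is considered experimental". A packager moving off LibreSSL will likely read only this bullet, so carry the qualifier here as well, for example "OpenSSL, or experimentally wolfSSL 5, can be used."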
@@ -108,8 +108,10 @@ fetchmail-6.4.25 (not yet released):
# CHANGES
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
- see README.SSL. This is considered experimental. Feedback solicited.
+ see INSTALL and README.SSL. This is considered experimental.
+ Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
+* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
--------------------------------------------------------------------------------
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
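Review bot: The CHANGES list gains entries for INSTALL and for --with-ssl accepting pkg-config module names, but nothing for the linking-exception text this same commit adds to COPYING. Distributors are the audience most affected by that change, so add a bullet pointing them to the revised "SSL library considerations" section of COPYING.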
diff --git a/README.SSL b/README.SSL
index 63620b55..f5eca24f 100644
--- a/README.SSL
+++ b/README.SSL
@@ -22,8 +22,8 @@ below and in the manual).
fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
Fetchmail 6.4.25 supports OpenSSL 3.0 and 1.1.1 and WolfSSL 5.0.
-
-The configure options --with-wolfssl takes precedence over --with-ssl.
+Note that WolfSSL 5.0 is a bit less flexible about its trust store,
+see INSTALL chapter 2.1 for details.
-- Matthias Andree, 2021-11-20
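Review bot: The removed line "The configure options --with-wolfssl takes precedence over --with-ssl." is dropped here without a replacement, and the INSTALL hunk in this commit does not state the precedence either. If the behaviour is unchanged, keep the sentence (or move it to INSTALL next to the new --with-ssl examples), because someone passing both options needs to know which TLS library the binary ends up linked against. The reference "see INSTALL chapter 2.1" would also be more robust if it named the section title rather than only its number.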
@@ -46,7 +46,7 @@ since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation
for too long, (--)sslcertck will remain in the examples below for now.
For use of SSL or TLS on a separate port (recommended), called Implicit TLS,
-the whole TCP connection is SSL-encrypted from the very beginning (SSL- or
+the whole TCP connection is SSL-encrypted from the very beginning (SSL- or
TLS-wrapped), use these command line options (in the rcfile,
omit all leading "--"):
@@ -57,8 +57,8 @@ or these options in the rcfile (after the respective "user"... options)
ssl sslproto tls1.2+ sslcertck
-For use of SSL or TLS with in-band negotiation on the regular service's port,
-i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or
+For use of SSL or TLS with in-band negotiation on the regular service's port,
+i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or
ssl):
--sslproto tls1.2+ --sslcertck