authorMatthias Andree <matthias.andree@gmx.de>2022-04-23 10:08:21 +0200
committerMatthias Andree <matthias.andree@gmx.de>2022-04-23 12:16:22 +0200
commit8c2a94e94e0f76e2bb845f473be2e159ffd1be93 (patch)
treeef4cd5c87ff3be4cb59cca37f4598c167dcac74e
parent497f80ea2fbf0b2db24e35d2386a322f13a2a711 (diff)
Tighten SSL library version requirements, more warnings.
This is to emit warnings if the SSL library is older than the latest versions available at packaging time, except for LibreSSL, which is unsupported anyway.
-rw-r--r--NEWS7
-rw-r--r--README.SSL6
-rw-r--r--socket.c20
3 files changed, 22 insertions, 11 deletions
diff --git a/NEWS b/NEWS
index f8d8cf9b..15936f30 100644
--- a/NEWS
+++ b/NEWS
@@ -95,6 +95,13 @@ removed from a 6.5.0 or newer release.)
--------------------------------------------------------------------------------
fetchmail-6.4.30 (not yet released)
+# BREAKING CHANGES:
+* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
+
+# CHANGES:
+* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
+* Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
+
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
diff --git a/README.SSL b/README.SSL
index 66dec822..d1d8f1bb 100644
--- a/README.SSL
+++ b/README.SSL
@@ -21,8 +21,8 @@ below and in the manual).
fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Fetchmail 6.4.25 supports OpenSSL 3.0 and 1.1.1 and WolfSSL 5.1.1 or newer.
-Note that WolfSSL 5.1 is a bit less flexible about its trust store,
+Fetchmail 6.4.25 supports OpenSSL 3.0.2 and 1.1.1n and WolfSSL 5.2.0 or newer.
+Note that WolfSSL 5.2 is a bit less flexible about its trust store,
see INSTALL chapter 2.1 for details.
Note that many messages printed by fetchmail will print "OpenSSL"
@@ -35,7 +35,7 @@ wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API.
Quickstart
----------
-Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or wolfSSL 5.1.1 or
+Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or wolfSSL 5.2.0 or
newer, so as to get TLSv1.3 support. Older OpenSSL versions are unsupported
upstream, and fetchmail rejects versions before v1.0.2f and warns about
versions before v1.1.1.
diff --git a/socket.c b/socket.c
index bdf70fe3..a6354d5b 100644
--- a/socket.c
+++ b/socket.c
@@ -405,8 +405,6 @@ va_dcl {
#include <openssl/x509v3.h>
#include <openssl/rand.h>
-#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
-
#ifdef LIBRESSL_VERSION_NUMBER
# ifdef __OpenBSD__
# pragma message "WARNING - Linking against LibreSSL, which is not a supported configuration."
@@ -416,13 +414,19 @@ va_dcl {
#endif
#ifdef USING_WOLFSSL
-# if LIBWOLFSSL_VERSION_HEX < 0x05001001L
-# error "FAILED - wolfSSL 5.1.1 or newer required."
-# endif
-#else /* USING_WOLFSSL */
-# if OPENSSL_VERSION_NUMBER < 0x1010100fL
-# pragma message "WARNING - OpenSSL SHOULD be at least version 1.1.1."
+# if LIBWOLFSSL_VERSION_HEX < 0x05002000L
+# error "FAILED - wolfSSL MUST be at least version 5.2.0."
# endif
+#else /* !USING_WOLFSSL */
+#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
+# if OPENSSL_VERSION_NUMBER < 0x101010efL
+# pragma message "WARNING - OpenSSL 1.m.nx SHOULD be at least release version 1.1.1n, using " OPENSSL_VERSION_TEXT "."
+# endif /* 0xMNN00PPSL */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# if OPENSSL_VERSION_NUMBER < 0x30000020L
+# pragma message "WARNING - OpenSSL 3.m.n SHOULD be at least release version 3.0.2, using " OPENSSL_VERSION_TEXT "."
+# endif
+# endif /* 0xMNN00PPSL */
# if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
# error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported.
# else /* OpenSSL too old */
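Review bot: The `/* 0xMNN00PPSL */` comment on the `# endif` that closes the 1.1.1n check describes the OpenSSL 3.x version-number layout, but the constant it annotates, `0x101010efL`, is encoded in the older 1.x layout MNNFFPPS (fix 01, patch letter n = 0x0e, status f), so the comment mislabels the field meaning for that check. The same comment is correct on the `# endif` that closes the 3.0.2 block, where `0x30000020L` really is MNN00PP0 with a trailing status nibble. I would change the first one to `# endif /* 0xMNNFFPPSL: 1.1.1n */` and keep the second as is, so a later bump of either threshold is computed with the right layout. Also, `#define fm_MIN_OPENSSL_VER` now sits inside the `#else /* !USING_WOLFSSL */` branch but is the only directive there not indented with the `# ` nesting style of its neighbours; `# define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */` would match.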