diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2021-11-20 14:40:55 +0100 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2021-11-20 16:28:41 +0100 |
| commit | 8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50 (patch) | |
| tree | e0de0d444a5d9a81a39c368473ac9967c26a36c3 | |
| parent | 340d00bf9910ed55163be26435f70baf65a64f9d (diff) | |
| download | fetchmail-8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50.tar.gz fetchmail-8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50.tar.bz2 fetchmail-8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50.zip | |
OpenSSL: bump minimum required version to 1.0.2f
...in order to safely remove the obsolete OpenSSL flag
SSL_OP_SINGLE_DH_USE.
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | README.SSL | 2 | ||||
| -rw-r--r-- | README.packaging | 2 | ||||
| -rw-r--r-- | socket.c | 6 |
4 files changed, 10 insertions, 6 deletions
@@ -92,10 +92,14 @@ removed from a 6.5.0 or newer release.) -------------------------------------------------------------------------------- fetchmail-6.4.25 (not yet released): -# CHANGES +# BREAKING CHANGES * Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. +* Bump OpenSSL version requirement to 1.0.2f in order to safely remove + the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix + release, and 1.0.2u is publicly available from + https://www.openssl.org/source/old/1.0.2/ -------------------------------------------------------------------------------- fetchmail-6.4.24 (released 2021-11-20, 30218 LoC): @@ -31,7 +31,7 @@ Quickstart Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or newer, so as to get TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and -fetchmail rejects versions before v1.0.2 and warns about versions before +fetchmail rejects versions before v1.0.2f and warns about versions before v1.1.1. In all four examples below, the (--)sslcertck has become redundant diff --git a/README.packaging b/README.packaging index 819d0613..c2c798a6 100644 --- a/README.packaging +++ b/README.packaging @@ -8,7 +8,7 @@ Greetings, dear packager! The bullet points below mention a few useful hints for package(r)s: -- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now +- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2f for now but assumes the distributor backports security fixes for it. - Fetchmail now uses automake and supports all common automake targets and @@ -406,7 +406,7 @@ va_dcl { #include <openssl/x509v3.h> #include <openssl/rand.h> -#define fm_MIN_OPENSSL_VER 0x1000200fL +#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */ #ifdef LIBRESSL_VERSION_NUMBER #error "FAILED - LibreSSL cannot be used legally, for lack of GPL clause 2b exception, see COPYING." @@ -417,7 +417,7 @@ va_dcl { #endif #if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER -#error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported. +#error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported. #else /* #define __fm_ossl_ver(x) #x @@ -1079,7 +1079,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck struct stat randstat; int i; int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - long sslopts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; + long sslopts = SSL_OP_ALL; int ssle_connect = 0; long ver; |