author: Matthias Andree <matthias.andree@gmx.de> 2015-11-15 12:07:02 +0100
committer: Matthias Andree <matthias.andree@gmx.de> 2015-11-15 12:07:02 +0100
commit: 6adcb0cc60e672ea36e3044451c9683b2eb49d64 (patch)
tree: 2697341bdd9f0e3811c70421770a9cb94671c51d /NEWS
parent: 9be5aeaeba1041e7cce034832dace6c0f0b64c82 (diff)
Enable --sslcertck by default.
There are no sslcertck (rcfile) and --nosslcertck (command line) options that can be combined with [--]sslfingerprint if so desired. The documentation is deliberately not updated everywhere, so that recommendations to use --sslcertck stand; this is for the benefit of users that read fetchmail v6.4.0 manuals to configure a fetchmail v6.3.X implementation.
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 23
1 files changed, 15 insertions, 8 deletions
diff --git a/NEWS b/NEWS
index cc925786..d67d49f8 100644
--- a/NEWS
+++ b/NEWS
@@ -61,14 +61,15 @@ fetchmail-6.4.0 (not yet released):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.
-## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION
+## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION
* Fetchmail no longer supports SSLv2.
+
* Fetchmail no longer attempts to negotiate SSLv3 by default,
even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
- TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the
- OpenSSL version used at build and run-time supports these versions, --sslproto
- ssl3 can be used to enable this specific version. Doing so is discouraged
- because these protocols are broken.
+ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with
+ STARTTLS). If the OpenSSL version used at build and run-time supports these
+ versions, --sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3.
+ Doing so is discouraged because these SSLv3 protocol is broken.
Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843.
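Review bot: the last added line of this hunk has a grammar slip that reads oddly in a release note: "Doing so is discouraged because these SSLv3 protocol is broken." should be "Doing so is discouraged because the SSLv3 protocol is broken." While touching it, the sentence before says "--sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3", so it would help readers to state that ssl3+ still allows negotiation up to the newer TLS versions listed in the second hunk, whereas ssl3 forces SSLv3 only; as written the difference between the two spellings is left to the reader.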
@@ -77,14 +78,20 @@ fetchmail-6.4.0 (not yet released):
ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and
TLSv1.2 on systems with OpenSSL 1.0.1 or newer.
- The --sslproto option now understands the values auto, tls1+, tls1.1+,
- tls1.2+ (case insensitively).
+ The --sslproto option now understands the values auto, ssl3+, tls1+, tls1.1,
+ tls1.1+, tls1.2, tls1.2+ (case insensitively).
+
+* Fetchmail defaults to --sslcertck behaviour. A new option --nosslcertck to
+ override this has been added, but may be removed in future fetchmail versions
+ in favour of another configuration option that makes the insecurity in using
+ this option clearer.
## CHANGES
* fetchmail 6.3.X is unsupported.
* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
* --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a
- minimum specified TLS protocol version.
+ minimum specified TLS protocol version, and --sslproto tls1.1 and --sslproto
+ tls1.2 to force the specified TLS protocol version.
* Fetchmail now detects if the server hangs up prematurely during SSL_connect()
and reports this condition as such, and not just as SSL connection failure.
(OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert).
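Review bot: the new "Fetchmail defaults to --sslcertck behaviour" bullet in this hunk tells users that the default changed but not what to do when an existing configuration stops working because the server certificate does not verify. The commit message says the rcfile spelling is "no sslcertck", the command-line spelling is --nosslcertck, and that either can be combined with [--]sslfingerprint; none of that is in the NEWS text, which only mentions --nosslcertck. Suggest adding the rcfile form and the --sslfingerprint combination to the bullet, e.g. "(rcfile: 'no sslcertck'; both can be combined with --sslfingerprint)", since NEWS is where users hitting the new failure will look first, and the bullet already warns that --nosslcertck may be removed later.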