author | Matthias Andree <matthias.andree@gmx.de> | 2015-11-15 12:07:02 +0100 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2015-11-15 12:07:02 +0100 |
commit | 6adcb0cc60e672ea36e3044451c9683b2eb49d64 (patch) | |
tree | 2697341bdd9f0e3811c70421770a9cb94671c51d /NEWS | |
parent | 9be5aeaeba1041e7cce034832dace6c0f0b64c82 (diff) | |
download | fetchmail-6adcb0cc60e672ea36e3044451c9683b2eb49d64.tar.gz fetchmail-6adcb0cc60e672ea36e3044451c9683b2eb49d64.tar.bz2 fetchmail-6adcb0cc60e672ea36e3044451c9683b2eb49d64.zip |
Enable --sslcertck by default.
There are no sslcertck (rcfile) and --nosslcertck (command line) options
that can be combined with [--]sslfingerprint if so desired.
The documentation is deliberately not updated everywhere, so that
recommendations to use --sslcertck stand; this is for the benefit of
users that read fetchmail v6.4.0 manuals to configure a fetchmail v6.3.X
implementation.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 23 |
1 files changed, 15 insertions, 8 deletions
@@ -61,14 +61,15 @@ fetchmail-6.4.0 (not yet released): # NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO. * They have stopped accepting submissions and consider themselves an archive. -## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION +## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION * Fetchmail no longer supports SSLv2. + * Fetchmail no longer attempts to negotiate SSLv3 by default, even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer - TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the - OpenSSL version used at build and run-time supports these versions, --sslproto - ssl3 can be used to enable this specific version. Doing so is discouraged - because these protocols are broken. + TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with + STARTTLS). If the OpenSSL version used at build and run-time supports these + versions, --sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3. + Doing so is discouraged because these SSLv3 protocol is broken. Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843. 
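Review bot: the last added line of this hunk, "Doing so is discouraged because these SSLv3 protocol is broken.", has a number-agreement error left over from the removed "these protocols are broken" wording; now that the sentence names a single protocol it should read "Doing so is discouraged because the SSLv3 protocol is broken." Also, the new bullet "Fetchmail no longer attempts to negotiate SSLv3 by default, even with --sslproto ssl23." is immediately followed by the unchanged "Fetchmail can now use SSLv3, or TLSv1.1 or a newer TLS version, with STLS/STARTTLS", which reads as contradictory until the reader reaches the "--sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3" sentence; qualifying the second sentence with "(if explicitly enabled)" would make the default-off status clear on first reading.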
@@ -77,14 +78,20 @@ fetchmail-6.4.0 (not yet released): ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and TLSv1.2 on systems with OpenSSL 1.0.1 or newer. - The --sslproto option now understands the values auto, tls1+, tls1.1+, - tls1.2+ (case insensitively). + The --sslproto option now understands the values auto, ssl3+, tls1+, tls1.1, + tls1.1+, tls1.2, tls1.2+ (case insensitively). + +* Fetchmail defaults to --sslcertck behaviour. A new option --nosslcertck to + override this has been added, but may be removed in future fetchmail versions + in favour of another configuration option that makes the insecurity in using + this option clearer. ## CHANGES * fetchmail 6.3.X is unsupported. * Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23). * --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a - minimum specified TLS protocol version. + minimum specified TLS protocol version, and --sslproto tls1.1 and --sslproto + tls1.2 to force the specified TLS protocol version. * Fetchmail now detects if the server hangs up prematurely during SSL_connect() and reports this condition as such, and not just as SSL connection failure. (OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert). |
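Review bot: the new "Fetchmail defaults to --sslcertck behaviour" entry sits under a heading that says reconfiguration may be required, but it does not say what to reconfigure: with certificate verification now on by default, a server whose certificate cannot be verified will fail to connect, and the only remedy the entry names is the --nosslcertck option it simultaneously warns may be removed. The commit message's guidance that the option "can be combined with [--]sslfingerprint" is not carried into NEWS, nor is the rcfile spelling ("no sslcertck") that the commit message distinguishes from the command-line "--nosslcertck". Suggest adding a sentence after "makes the insecurity in using this option clearer.", for example: "Users whose server certificate does not verify should combine --nosslcertck (rcfile: no sslcertck) with --sslfingerprint rather than disabling verification alone." Minor: "in favour of another configuration option" would be clearer as "in favour of a differently named option".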