author: Matthias Andree <matthias.andree@gmx.de> 2015-01-17 01:15:31 +0100
committer: Matthias Andree <matthias.andree@gmx.de> 2015-01-26 09:45:24 +0100
commit: c72743cf6139d6906337ddeac964eb79f644097e (patch)
tree: d3ad37c05dc2c3b1085904039958a510a6dc0a86 /README.SSL
parent: 07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff)
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'README.SSL')
-rw-r--r--  README.SSL  31
1 files changed, 20 insertions, 11 deletions
diff --git a/README.SSL b/README.SSL
index 930da8bb..f3e14fb7 100644
--- a/README.SSL
+++ b/README.SSL
@@ -11,36 +11,45 @@ specific to fetchmail.
In case of troubles, mail the README.SSL-SERVER file to your ISP and
have them check their server configuration against it.
-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether
-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is
-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot
-be fixed in a bugfix release.
+Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a
+service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4)
+or is totally SSL-wrapped on a separate port. For compatibility
+reasons, this cannot be fixed in a bugfix or minor release.
- -- Matthias Andree, 2009-05-09
+Also, fetchmail 6.4.0 and newer releases changed some of the semantics
+as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
+If your server does not support this, you may have to specify --sslproto
+ssl3. This is in order to prefer the newer TLS protocols, because SSLv2
+and v3 are broken.
+
+ -- Matthias Andree, 2015-01-16
Quickstart
----------
+Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get
+TLSv1.2 support.
+
For use of SSL or TLS with in-band negotiation on the regular service's port,
i. e. with STLS or STARTTLS, use these command line options
- --sslproto tls1 --sslcertck
+ --sslproto auto --sslcertck
or these options in the rcfile (after the respective "user"... options)
- sslproto tls1 sslcertck
+ sslproto auto sslcertck
For use of SSL or TLS on a separate port, if the whole TCP connection is
-SSL-encrypted from the very beginning, use these command line options (in the
-rcfile, omit all leading "--"):
+SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
+command line options (in the rcfile, omit all leading "--"):
- --ssl --sslproto ssl3 --sslcertck
+ --ssl --sslproto auto --sslcertck
or these options in the rcfile (after the respective "user"... options)
- ssl sslproto ssl3 sslcertck
+ ssl sslproto auto sslcertck
Background and use (long version :-))
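Review bot: the new paragraph beginning "Also, fetchmail 6.4.0 and newer releases changed some of the semantics" tells users whose server does not support TLSv1 to specify `--sslproto ssl3` in the same breath as stating that SSLv2 and v3 are broken, without saying why the default changed; the commit message attributes the change to the POODLE attack, so the README should state that and frame `ssl3` as a last resort for a server the user cannot get upgraded, and point readers to the NEWS file and manual page that the commit message names for the changed `--sslproto` semantics, since "changed some of the semantics as the result of a bug-fix" does not tell the reader which semantics changed. Related: the Quickstart now recommends `--sslproto auto` for both STARTTLS and SSL-wrapped use, while the commit message suggests `--sslproto tls1.2+` where the server supports it; a sentence next to the new "OpenSSL 1.0.1 or newer" advice recommending `tls1.2+` as the stricter choice would fit here. Style: the hunk uses both "bugfix" (in "bugfix or minor release") and "bug-fix" (in the new paragraph), and the retained context line has "i. e." with a stray space; pick one spelling and use "i.e.".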