author | Matthias Andree <matthias.andree@gmx.de> | 2015-01-17 01:15:31 +0100 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2015-01-26 09:45:24 +0100 |
commit | c72743cf6139d6906337ddeac964eb79f644097e (patch) | |
tree | d3ad37c05dc2c3b1085904039958a510a6dc0a86 /README.SSL | |
parent | 07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff) | |
download | fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.gz fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.bz2 fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.zip |
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily,
permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS.
Only negotiates TLSv1 and newer by default, SSLv3 must now be specified
explicitly, as a consequence of the POODLE attack.
This is meant to be a minimally upgraded version, and cannot be usefully
done as a 6.3.X release.
It is strongly recommended that users review their configuration -
especially --sslproto - per instructions in the NEWS file and manual
page. It has changed semantics and in many cases --sslproto auto or
perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'README.SSL')
-rw-r--r-- | README.SSL | 31 |
1 files changed, 20 insertions, 11 deletions
@@ -11,36 +11,45 @@ specific to fetchmail. In case of troubles, mail the README.SSL-SERVER file to your ISP and have them check their server configuration against it. -Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether -a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is -totally SSL-wrapped on a separate port. For compatibility reasons, this cannot -be fixed in a bugfix release. +Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a +service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) +or is totally SSL-wrapped on a separate port. For compatibility +reasons, this cannot be fixed in a bugfix or minor release. - -- Matthias Andree, 2009-05-09 +Also, fetchmail 6.4.0 and newer releases changed some of the semantics +as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. +If your server does not support this, you may have to specify --sslproto +ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 +and v3 are broken. + + -- Matthias Andree, 2015-01-16 Quickstart ---------- +Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get +TLSv1.2 support. + For use of SSL or TLS with in-band negotiation on the regular service's port, i. e. with STLS or STARTTLS, use these command line options - --sslproto tls1 --sslcertck + --sslproto auto --sslcertck or these options in the rcfile (after the respective "user"... options) - sslproto tls1 sslcertck + sslproto auto sslcertck For use of SSL or TLS on a separate port, if the whole TCP connection is -SSL-encrypted from the very beginning, use these command line options (in the -rcfile, omit all leading "--"): +SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these +command line options (in the rcfile, omit all leading "--"): - --ssl --sslproto ssl3 --sslcertck + --ssl --sslproto auto --sslcertck or these options in the rcfile (after the respective "user"... 
options) - ssl sslproto ssl3 sslcertck + ssl sslproto auto sslcertck Background and use (long version :-)) |
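Review bot: in the new paragraph added above Quickstart, the fallback advice "you may have to specify --sslproto ssl3" stands right next to "SSLv2 and v3 are broken" without saying what the risk of that fallback is; since the commit message gives POODLE as the reason SSLv3 was dropped from the default, the README should state that forcing ssl3 re-exposes the session to POODLE and is a last resort, not merely a compatibility knob. The same paragraph's "changed some of the semantics as the result of a bug-fix" is vague: name the option whose meaning changed (--sslproto) and the concrete new behaviour ("auto" negotiates TLSv1 or newer only) so a reader upgrading from 6.3 can grep for it. Finally, the Quickstart now recommends "--sslproto auto --sslcertck" for both the STARTTLS and the wrapped case, but the commit message says "perhaps --sslproto tls1.2+ should be used now"; the Quickstart should mention tls1.2+ as the preferred stricter setting for servers that support it, with auto as the compatibility choice, so the two pieces of guidance agree.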