path: root/fetchmail-FAQ.html
author: Matthias Andree <matthias.andree@gmx.de> 2015-01-17 01:15:31 +0100
committer: Matthias Andree <matthias.andree@gmx.de> 2015-01-26 09:45:24 +0100
commit: c72743cf6139d6906337ddeac964eb79f644097e (patch)
tree: d3ad37c05dc2c3b1085904039958a510a6dc0a86 /fetchmail-FAQ.html
parent: 07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff)
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'fetchmail-FAQ.html')
-rw-r--r--  fetchmail-FAQ.html  29
1 files changed, 17 insertions, 12 deletions
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html
index 21173f7a..401f9a41 100644
--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -667,8 +667,8 @@ because there is not currently a standard way to do this; fetchmail
also uses this method, so the two will interoperate happily. They
better, because this is how Craig gets his mail ;-)</p>
-<p>Finally, you can use <a href="#K5">SSL</a> for complete
-end-to-end encryption if you have an SSL-enabled mailserver.</p>
+<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete
+end-to-end encryption if you have a TLS-enabled mailserver.</p>
<h2><a id="G11" name="G11">G11. Is any special configuration needed
to use a dynamic IP address?</a></h2>
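Review bot: "complete end-to-end encryption" on the new `+` lines overstates what the feature gives; SSL/TLS here protects only the hop between fetchmail and the mailserver, not the path the message took before it arrived there, so "encryption of the connection to your mailserver" would be accurate. Also, the anchor text now says "SSL or TLS" while the same sentence says "TLS-enabled mailserver" and the next hunk says "SSL/TLS-enabled mailserver"; pick one term for the FAQ.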
@@ -2120,7 +2120,7 @@ SSL?</a></h2>
<p>You'll need to have the <a
href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they
-should at least be version 0.9.7.
+should at least be version 0.9.8, with 1.0.1 preferred.
Configure with --with-ssl. If you have the OpenSSL libraries
installed in commonly-used default locations, this will
suffice. If you have them installed in a non-default location,
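Review bot: the new minimum/preferred versions are stated without a reason; since the commit's purpose is to negotiate TLSv1.1 and TLSv1.2, say that 1.0.1 is preferred because it is the first OpenSSL release that supports those protocol versions, so readers building against 0.9.8 know what they are giving up.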
@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p>
<p>Fetchmail binaries built this way support <code>ssl</code>,
<code>sslkey</code>, and <code>sslcert</code> options that control
SSL encryption, and will automatically use <code>tls</code> if the
-server offers it. You will need to have an SSL-enabled mailserver to
+server offers it. You will need to have an SSL/TLS-enabled mailserver to
use these options. See the manual page for details and some words
of care on the limited security provided.</p>
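Review bot: this paragraph still lists only `ssl`, `sslkey` and `sslcert`, although the commit message says the semantics of `--sslproto` changed and that users should review it; add `sslproto` (and its `auto` / `tls1.2+` forms from the commit message) to the list, since "will automatically use tls if the server offers it" is now governed by that option. The wording "SSL/TLS-enabled" on the `+` line also differs from "TLS-enabled" used in the first hunk.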
@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s_client -connect %h:%p"
protocol imap username MYUSERNAME password MYPASSWORD
</pre>
-<p>You should note that SSL is only secure against a "man-in-the-middle"
-attack if the client is able to verify that the peer's public key is the
-correct one, and has not been substituted by an attacker. fetchmail can do
-this in one of two ways: by verifying the SSL certificate, or by checking
-the fingerprint of the peer's public key.</p>
+<p>You should note that SSL or TLS are only secure against a
+"man-in-the-middle" attack if the client is able to verify that the
+peer's public key is the correct one, and has not been substituted by an
+attacker. fetchmail can do this in one of two ways: by verifying the SSL
+certificate, or by checking the fingerprint of the peer's public
+key.</p>
-<p>There are three parts to SSL certificate verification: checking that the
+<p>There are three parts to TLS certificate verification: checking that the
domain name in the certificate matches the hostname you asked to connect to;
checking that the certificate expiry date has not passed; and checking that
the certificate has been signed by a known Certificate Authority (CA). This
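Review bot: "SSL or TLS are only secure" should be "SSL or TLS is only secure" (a subject joined by "or" takes a singular verb). The same hunk is also inconsistent with itself: the first paragraph keeps "verifying the SSL certificate" while the second is changed to "TLS certificate verification"; use the same term in both.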
@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiation if SSL was enabled at compile
time. This can however cause problems if the upstream didn't configure
his certificates properly.</p>
-<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS)
-negotiation, add this option:</p>
+<p>In order to prevent fetchmail 6.4.0 and newer versions from trying
+STLS or STARTTLS negotiation, add this option:</p>
+<pre>sslproto ''</pre>
+
+<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS)
+negotiation where the above does not work, try this option:</p>
<pre>sslproto ssl23</pre>
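Review bot: the new text tells readers how to switch STLS/STARTTLS off but not what that costs; the paragraph should state plainly that with negotiation disabled the whole session, including the password, travels unencrypted, and that fixing the upstream certificate (the problem the preceding context line mentions) is the preferable remedy. It would also help to say that `sslproto ''` applies to the command-line `--sslproto` option as well as the rc file, since the commit message points users at `--sslproto`.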