author Matthias Andree <matthias.andree@gmx.de> 2015-11-15 12:07:02 +0100
committer Matthias Andree <matthias.andree@gmx.de> 2015-11-15 12:07:02 +0100
commit 6adcb0cc60e672ea36e3044451c9683b2eb49d64 (patch)
tree 2697341bdd9f0e3811c70421770a9cb94671c51d /fetchmail.man
parent 9be5aeaeba1041e7cce034832dace6c0f0b64c82 (diff)
Enable --sslcertck by default.
There are no sslcertck (rcfile) and --nosslcertck (command line) options that can be combined with [--]sslfingerprint if so desired. The documentation is deliberately not updated everywhere, so that recommendations to use --sslcertck stand; this is for the benefit of users that read fetchmail v6.4.0 manuals to configure a fetchmail v6.3.X implementation.
Diffstat (limited to 'fetchmail.man')
-rw-r--r-- fetchmail.man 52
1 file changed, 35 insertions, 17 deletions
diff --git a/fetchmail.man b/fetchmail.man
index aa1aa75f..e75500a6 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -414,11 +414,9 @@ from. The folder information is written only since version 6.3.4.
(Keyword: ssl)
.br
Causes the connection to the mail server to be encrypted via SSL, by
-negotiating SSL directly after connecting (SSL-wrapped mode). It is
-highly recommended to use \-\-sslcertck to validate the certificates
-presented by the server. Please see the description of \-\-sslproto
-below! More information is available in the \fIREADME.SSL\fP file that
-ships with fetchmail.
+negotiating SSL directly after connecting (SSL-wrapped mode).
+Please see the description of \-\-sslproto below! More information is
+available in the \fIREADME.SSL\fP file that ships with fetchmail.
.IP
Note that even if this option is omitted, fetchmail may still negotiate
SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You
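Review bot: this hunk drops the sentence recommending \-\-sslcertck from the \-\-ssl description without saying anything about certificate validation in its place, which sits oddly with the commit message's stated intent that "recommendations to use --sslcertck stand" for readers configuring 6.3.X from this manual. Suggest replacing the removed sentence with a short cross-reference rather than deleting it, e.g. "Certificate validation (\-\-sslcertck) is enabled by default since v6.4.0; see that option below." so that both 6.3.X and 6.4.X readers understand that an encrypted connection is not the same as a validated one.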
@@ -527,16 +525,17 @@ NOTE: you should hardly ever need to use anything other than '' (to
force an unencrypted connection) or 'auto' (to enforce TLS).
.TP
.B \-\-sslcertck
-(Keyword: sslcertck)
+(Keyword: sslcertck, default enabled since v6.4.0)
.br
-Causes fetchmail to require that SSL/TLS be used and disconnect if it
-can not successfully negotiate SSL or TLS, or if it cannot successfully
-verify and validate the certificate and follow it to a trust anchor (or
-trusted root certificate). The trust anchors are given as a set of local
-trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
-options). If the server certificate cannot be obtained or is not signed
-by one of the trusted ones (directly or indirectly), fetchmail will
-disconnect, regardless of the \fBsslfingerprint\fP option.
+.B \-\-sslcertck causes fetchmail to require that SSL/TLS be used and
+disconnect if it can not successfully negotiate SSL or TLS, or if it
+cannot successfully verify and validate the certificate and follow it to
+a trust anchor (or trusted root certificate). The trust anchors are
+given as a set of local trusted certificates (see the \fBsslcertfile\fP
+and \fBsslcertpath\fP options). If the server certificate cannot be
+obtained or is not signed by one of the trusted ones (directly or
+indirectly), fetchmail will disconnect, regardless of the
+\fBsslfingerprint\fP option.
.IP
Note that CRL (certificate revocation lists) are only supported in
OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
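Review bot: the line `.B \-\-sslcertck causes fetchmail to require that SSL/TLS be used and` will render the whole line in bold, not just the option name, because the `.B` macro emboldens all of its arguments. Suggest inline escapes instead: `\fB\-\-sslcertck\fP causes fetchmail to require that SSL/TLS be used and`, matching the `\fBsslcertfile\fP` style used later in the same paragraph. Also, the "(Keyword: sslcertck, default enabled since v6.4.0)" line would be easier for readers to act on if it named the way to turn it off, e.g. "(Keyword: sslcertck, default since v6.4.0, see \-\-nosslcertck)".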
@@ -545,6 +544,13 @@ accurate when using this option.
Note that this optional behavior may become default behavior in future
fetchmail versions.
.TP
+.B \-\-nosslcertck
+(Keyword: no sslcertck, only in v6.4.X)
+.br
+The opposite of \-\-sslcertck, this is a disouraged option. It permits
+fetchmail to continue connecting even if the server certificate failed
+the verification checks. Should only be used together with
+\-\-sslfingerprint.
.B \-\-sslcertfile <file>
(Keyword: sslcertfile, since v6.3.17)
.br
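Review bot: the new \-\-nosslcertck entry takes over the `.TP` that previously introduced `.B \-\-sslcertfile <file>`, so the sslcertfile entry now has no `.TP` of its own and will run into the nosslcertck paragraph; add a `.TP` line after `\-\-sslfingerprint.` and before `.B \-\-sslcertfile <file>`. Two further points in this hunk: the unchanged context "Note that this optional behavior may become default behavior in future fetchmail versions." is now stale, since this very commit makes it the default, and should be removed or reworded; and "disouraged" should read "discouraged". The keyword note "(Keyword: no sslcertck, only in v6.4.X)" would be clearer as "since v6.4.0", consistent with the "since v6.3.17" wording used for sslcertfile.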
@@ -603,12 +609,12 @@ fingerprint with the given one, and the connection will fail if they do not
match, regardless of the \fBsslcertck\fP setting. The connection will
also fail if fetchmail cannot obtain an SSL certificate from the server.
This can be used to prevent man-in-the-middle attacks, but the finger
-print from the server needs to be obtained or verified over a secure
+print from the server must be obtained or verified over a secure
channel, and certainly not over the same Internet connection that
fetchmail would use.
.IP
Using this option will prevent printing certificate verification errors
-as long as \-\-sslcertck is unset.
+as long as \-\-nosslcertck is in effect.
.IP
To obtain the fingerprint of a certificate stored in the file cert.pem,
try:
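Review bot: since the line "print from the server must be obtained or verified over a secure" is being touched anyway, join the word split across the line break: "the finger / print" renders as "finger print", and "fingerprint" is the spelling the option name itself uses. Suggest "This can be used to prevent man-in-the-middle attacks, but the fingerprint from the server must be obtained or verified over a secure channel, ...". The rewording of "as long as \-\-sslcertck is unset" to "as long as \-\-nosslcertck is in effect" is correct for the new default and reads well.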
@@ -1281,7 +1287,7 @@ control file option is used, fetchmail will instead abort if any of
these checks fail, because it must assume that there is a
man-in-the-middle attack in this scenario, hence fetchmail must not
expose cleartext passwords. Use of the sslcertck or \-\-sslcertck option
-is therefore advised.
+is therefore advised; it has become the default in fetchmail 6.4.0.
.PP
Some SSL encrypted servers may request a client side certificate. A client
side public SSL certificate and private SSL key may be specified. If
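Review bot: the added "it has become the default in fetchmail 6.4.0" is accurate, but this paragraph is the one place that explains why failing the certificate checks matters (fetchmail must assume a man-in-the-middle and must not expose cleartext passwords), and it never mentions that \-\-nosslcertck reintroduces exactly that exposure. Suggest one more sentence here, e.g. "Specifying \-\-nosslcertck restores the old permissive behaviour and should be combined with \-\-sslfingerprint.", so the security consequence of opting out is stated where the threat is described.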
@@ -1880,12 +1886,24 @@ T}
sslcert \& \& T{
Specify file for \fBclient side\fP public SSL certificate
T}
+sslcertck \& \& T{
+Enable strict certificate checking and abort connection on failure.
+T}
+no sslcertck \& \& T{
+Disable strict certificate checking and permit connections to continue
+on failed verification. Discouraged. Should only be used together with
+sslfingerprint.
+T}
sslcertfile \& \& T{
Specify file with trusted CA certificates
T}
sslcertpath \& \& T{
Specify c_rehash-ed directory with trusted CA certificates.
T}
+sslfingerprint <HASH> \& \& T{
+Specify the expected server certificat finger print. Fetchmail will
+disconnect and log an error if it does not match.
+T}
sslkey \& \& T{
Specify file for \fBclient side\fP private SSL key
T}
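Review bot: in the new sslfingerprint table row, "certificat finger print" should read "certificate fingerprint". The new "no sslcertck" row is a good addition; for consistency with the other rows, which are written in the imperative ("Specify ...", "Enable ...", "Disable ..."), the trailing fragments "Discouraged. Should only be used together with sslfingerprint." could be folded into one sentence, e.g. "Discouraged; use only together with sslfingerprint.".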