author | Matthias Andree <matthias.andree@gmx.de> | 2015-01-17 01:15:31 +0100 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2015-01-26 09:45:24 +0100 |
commit | c72743cf6139d6906337ddeac964eb79f644097e (patch) | |
tree | d3ad37c05dc2c3b1085904039958a510a6dc0a86 /imap.c | |
parent | 07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff) | |
download | fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.gz fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.bz2 fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.zip |
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily,
permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS.
Only negotiates TLSv1 and newer by default, SSLv3 must now be specified
explicitly, as a consequence of the POODLE attack.
This is meant to be a minimally upgraded version, and cannot be usefully
done as a 6.3.X release.
It is strongly recommended that users review their configuration -
especially --sslproto - per instructions in the NEWS file and manual
page. It has changed semantics and in many cases --sslproto auto or
perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'imap.c')
-rw-r--r-- | imap.c | 36 |
1 files changed, 19 insertions, 17 deletions
@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 /* apply for connection authorization */
 {
     int ok = 0;
+    char *commonname;
+
     (void)greeting;
 
     /*
@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
         return(PS_SUCCESS);
     }
 
-#ifdef SSL_ENABLE
-    if (maybe_tls(ctl)) {
-        char *commonname;
-
-        commonname = ctl->server.pollname;
-        if (ctl->server.via)
-            commonname = ctl->server.via;
-        if (ctl->sslcommonname)
-            commonname = ctl->sslcommonname;
+    commonname = ctl->server.pollname;
+    if (ctl->server.via)
+        commonname = ctl->server.via;
+    if (ctl->sslcommonname)
+        commonname = ctl->sslcommonname;
 
-        if (strstr(capabilities, "STARTTLS")
-                || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
+#ifdef SSL_ENABLE
+    if (maybe_starttls(ctl)) {
+        if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))
+                || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
         {
-            /* Use "tls1" rather than ctl->sslproto because tls1 is the only
-             * protocol that will work with STARTTLS. Don't need to worry
-             * whether TLS is mandatory or opportunistic unless SSLOpen() fails
-             * (see below). */
+            /* Don't need to worry whether TLS is mandatory or
+             * opportunistic unless SSLOpen() fails (see below). */
             if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
-                    && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+                    && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
                         ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, ctl->server.pollname, &ctl->remotename)) != -1)
             {
@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
                 {
                     report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
                 }
-            } else if (must_tls(ctl)) {
+            } else if (must_starttls(ctl)) {
                 /* Config required TLS but we couldn't guarantee it, so we must
                  * stop. */
                 set_timeout(0);
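Review bot: Hoisting the `commonname` assignment out of `#ifdef SSL_ENABLE` in the second hunk (with the declaration now added unconditionally in the first) means a build without SSL_ENABLE assigns the variable but, as far as these hunks show, never reads it, which trips -Wunused-but-set-variable; the existing `(void)greeting;` shows the file already silences such warnings, so either keep the assignment under the `#ifdef` or add `#else` / `    (void)commonname;` ahead of the `#endif /* SSL_ENABLE */` that closes the block. Separately, the inner condition `if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) || must_starttls(ctl))` re-tests `maybe_starttls(ctl)` inside a block already guarded by `if (maybe_starttls(ctl)) {`; `if (strstr(capabilities, "STARTTLS") || must_starttls(ctl))` is equivalent and easier to read. The removed comment was the only place recording why the STARTTLS protocol was pinned to "tls1"; the replacement says nothing about the new behavior, so a line such as `/* The STARTTLS protocol version now follows --sslproto (ctl->sslproto) rather than a fixed "tls1". */` would preserve that history for the next reader. imap_getauth starts before and ends after these hunks.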
@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
                 /* Usable. Proceed with authenticating insecurely. */
             }
         }
+    } else {
+        if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) {
+            report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname);
+        }
     }
 #endif /* SSL_ENABLE */
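Review bot: The new warning hard-codes `sslproto ''` into the message text, but the else branch is taken whenever `maybe_starttls(ctl)` is false (its definition is outside this hunk), so if that predicate can also be false for a non-empty --sslproto value the message will misstate the configuration; printing the configured value, `GT_("%s: WARNING: server offered STARTTLS but sslproto '%s' given.\n"), commonname, ctl->sslproto ? ctl->sslproto : ""`, keeps it truthful either way. The `outlevel >= O_VERBOSE` gate also deserves a second look: this branch is precisely the case where the server offers TLS and the local configuration declines it, which is what an operator reviewing a post-POODLE setup (as the commit message asks them to do) needs to see, so either a lower threshold or a comment explaining why it is verbose-only would help. imap_getauth continues past the end of this hunk.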