authorMatthias Andree <matthias.andree@gmx.de>2015-01-17 01:15:31 +0100
committerMatthias Andree <matthias.andree@gmx.de>2015-01-26 09:45:24 +0100
commitc72743cf6139d6906337ddeac964eb79f644097e (patch)
treed3ad37c05dc2c3b1085904039958a510a6dc0a86 /pop3.c
parent07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff)
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'pop3.c')
-rw-r--r--pop3.c42
1 files changed, 21 insertions, 21 deletions
diff --git a/pop3.c b/pop3.c
index 5549dc9a..907b6142 100644
--- a/pop3.c
+++ b/pop3.c
@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
flag connection_may_have_tls_errors = FALSE;
+ char *commonname;
#endif /* SSL_ENABLE */
done_capa = FALSE;
@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
(ctl->server.authenticate == A_KERBEROS_V5) ||
(ctl->server.authenticate == A_OTP) ||
(ctl->server.authenticate == A_CRAM_MD5) ||
- maybe_tls(ctl))
+ maybe_starttls(ctl))
{
if ((ok = capa_probe(sock)) != PS_SUCCESS)
/* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
(ok == PS_SOCKET && !ctl->wehaveauthed))
{
#ifdef SSL_ENABLE
- if (must_tls(ctl)) {
+ if (must_starttls(ctl)) {
/* fail with mandatory STLS without repoll */
report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
return ok;
- } else if (maybe_tls(ctl)) {
+ } else if (maybe_starttls(ctl)) {
/* defeat opportunistic STLS */
xfree(ctl->sslproto);
ctl->sslproto = xstrdup("");
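Review bot: The opportunistic fallback at `xfree(ctl->sslproto); ctl->sslproto = xstrdup("");` rewrites the query's configuration rather than a per-connection flag, so after one refused CAPA the STARTTLS attempt appears to be given up for the lifetime of that `ctl`. If the same struct is reused across poll cycles in daemon mode (not visible here), a single transient or attacker-induced CAPA refusal would pin all later polls of that server to plaintext, which is a wider downgrade than the comment "defeat opportunistic STLS" suggests. A local flag consulted by the STLS block would confine the downgrade to the current session; at minimum the intent should be recorded, e.g. `/* NOTE: this disables STARTTLS for this ctl permanently, not just for this connection */`. pop3_getauth continues outside this hunk.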
@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
}
#ifdef SSL_ENABLE
- if (maybe_tls(ctl)) {
- char *commonname;
-
- commonname = ctl->server.pollname;
- if (ctl->server.via)
- commonname = ctl->server.via;
- if (ctl->sslcommonname)
- commonname = ctl->sslcommonname;
-
- if (has_stls
- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
+ commonname = ctl->server.pollname;
+ if (ctl->server.via)
+ commonname = ctl->server.via;
+ if (ctl->sslcommonname)
+ commonname = ctl->sslcommonname;
+
+ if (maybe_starttls(ctl)) {
+ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
{
- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
- * protocol that will work with STARTTLS. Don't need to worry
- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
- * (see below). */
+ /* Don't need to worry whether TLS is mandatory or
+ * opportunistic unless SSLOpen() fails (see below). */
if (gen_transact(sock, "STLS") == PS_SUCCESS
- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename)) != -1)
{
@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
- } else if (must_tls(ctl)) {
+ } else if (must_starttls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
set_timeout(0);
@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
}
}
}
- } /* maybe_tls() */
+ } else { /* maybe_starttls() */
+ if (has_stls && outlevel >= O_VERBOSE) {
+ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname);
+ }
+ } /* maybe_starttls() */
#endif /* SSL_ENABLE */
/*
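Review bot: The new warning that the server offered STLS while `sslproto ''` disables it is gated on `outlevel >= O_VERBOSE`, so a default-verbosity run goes on to authenticate in cleartext against a server that offered TLS without printing anything. Given that the commit message itself says --sslproto changed semantics and users should review it, this is exactly the configuration a user is likely to end up with by accident. Lowering the gate to the normal level (e.g. `if (has_stls && outlevel >= O_NORMAL)`, if that level exists in this codebase) or wording the message to say that authentication will proceed unencrypted would make the downgrade visible. pop3_getauth continues outside this hunk.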