authorMatthias Andree <matthias.andree@gmx.de>2015-01-17 01:15:31 +0100
committerMatthias Andree <matthias.andree@gmx.de>2015-01-26 09:45:24 +0100
commitc72743cf6139d6906337ddeac964eb79f644097e (patch)
treed3ad37c05dc2c3b1085904039958a510a6dc0a86 /starttls.c
parent07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff)
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'starttls.c')
-rw-r--r--starttls.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/starttls.c b/starttls.c
new file mode 100644
index 00000000..5d65464a
--- /dev/null
+++ b/starttls.c
@@ -0,0 +1,37 @@
+/** \file tls.c - collect common TLS functionality
+ * \author Matthias Andree
+ * \date 2006
+ */
+
+#include "fetchmail.h"
+
+#include <string.h>
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+/** return true if user allowed opportunistic STARTTLS/STLS */
+int maybe_starttls(struct query *ctl) {
+#ifdef SSL_ENABLE
+ /* opportunistic or forced TLS */
+ return (!ctl->sslproto || strlen(ctl->sslproto))
+ && !ctl->use_ssl;
+#else
+ (void)ctl;
+ return 0;
+#endif
+}
+
+/** return true if user requires STARTTLS/STLS, note though that this
+ * code must always use a logical AND with maybe_tls(). */
+int must_starttls(struct query *ctl) {
+#ifdef SSL_ENABLE
+ return maybe_starttls(ctl)
+ && (ctl->sslfingerprint || ctl->sslcertck
+ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
+#else
+ (void)ctl;
+ return 0;
+#endif
+}
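Review bot: must_starttls() only treats the literal value "tls1" as forcing STARTTLS (the strcasecmp on the last `||` branch), so if the other --sslproto spellings named in the description ("tls1.2+", "auto", and presumably "tls1.1"/"tls1.2") are meant to require TLS, a session configured with them and no sslcertck/sslfingerprint could silently continue in plaintext when the server does not offer STARTTLS; please confirm the intended semantics against the option parser and, if so, match the whole family, e.g. `|| (ctl->sslproto && strncasecmp(ctl->sslproto, "tls1", 4) == 0)`. The documentation in this hunk is also out of sync with the new file: the header should read `/** \file starttls.c - collect common TLS functionality` rather than `tls.c`, and the must_starttls() comment should refer to `maybe_starttls()` instead of the nonexistent `maybe_tls()`. The maybe_starttls() comment would benefit from stating the observable contract, e.g. `/* true when sslproto is unset or non-empty and --ssl (wrapper mode) is off */`, since an empty sslproto string is the only value that disables opportunistic TLS.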