-rw-r--r--  NEWS                | 8
-rw-r--r--  README.SSL          | 6
-rw-r--r--  README.git          | 4
-rw-r--r--  README.packaging    | 3
-rw-r--r--  configure.ac        | 3
-rw-r--r--  fetchmail-FAQ.html  | 8
-rw-r--r--  fetchmail.c         | 6
-rw-r--r--  socket.c            | 4
8 files changed, 32 insertions, 10 deletions
@@ -77,6 +77,14 @@ fetchmail-6.4.3 (WIP) Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd. Reported by Stefan Thurner. +## CHANGES: +* Fetchmail documentation was updated to require OpenSSL 1.1.1. + OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019. + Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that + distributors backport security fixes as the need arises. + Fetchmail will also warn if another SSL library that is API-compatible + with OpenSSL lacks TLS v1.3 support. + fetchmail-6.4.2 (released 2020-02-14, 27473 LoC): ## BREAKING CHANGES: @@ -27,9 +27,9 @@ and v3 are broken. Quickstart ---------- -Use an up-to-date release of OpenSSL 1.0.2 or newer, so as to get -TLSv1.2 support. If possible, use a TLS1.3-enabled OpenSSL v1.1.1 or newer. -Older OpenSSL versions are unsupported upstream, and fetchmail rejects them. +Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get +TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and +fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1. In all four examples below, the (--)sslcertck has become redunant since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation @@ -12,7 +12,7 @@ The prerequisite packages are: - GNU m4 - GNU bison - GNU flex >= 2.5.30 -- A TLSv1.2-capable OpenSSL version (>= 1.0.2) +- A TLSv1.3-capable OpenSSL version (>= 1.1.1) After you have everything installed, type: @@ -28,4 +28,4 @@ $ make (become root) # make install-strip --- Matthias Andree, 2016-09-24 +-- Matthias Andree, 2020-03-30 diff --git a/README.packaging b/README.packaging index d4f8bf47..819d0613 100644 --- a/README.packaging +++ b/README.packaging 
@@ -8,7 +8,8 @@ Greetings, dear packager! The bullet points below mention a few useful hints for package(r)s: -- Fetchmail requires a somewhat recent OpenSSL v1.0.2. +- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now + but assumes the distributor backports security fixes for it. - Fetchmail now uses automake and supports all common automake targets and overrides such as "make install-strip" or "DESTDIR=..." for staging areas. diff --git a/configure.ac b/configure.ac index 31373d2a..f1a58c3a 100644 --- a/configure.ac +++ b/configure.ac @@ -799,6 +799,9 @@ else fi case "$LIBS" in *-lssl*) + AC_CHECK_DECLS([TLS1_3_VERSION],, + AC_MSG_WARN([Your OpenSSL version is too old and does not support TLS v1.3. Upgrade.]), + [#include <openssl/ssl.h>]) AC_CHECK_DECLS([TLS1_2_VERSION],, AC_MSG_ERROR([Your OpenSSL version is too old and does not support TLS v1.2. Upgrade.]), [#include <openssl/ssl.h>]) diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5b9a1203..58e89e72 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -2070,7 +2070,7 @@ SSL?</a></h2> <p>You'll need to have the <a href="https://www.openssl.org/">OpenSSL</a> libraries installed, and they -should at least be version 1.0.2. +should at least be version 1.1.1. Configure with --with-ssl (default since fetchmail v6.4.0). If you have the OpenSSL libraries installed in commonly-used default locations, this will suffice. If you have them installed in a non-default location, 
@@ -2459,14 +2459,14 @@ applications linked against older OpenSSL versions.</p> <p>Note: OpenSSL's <code>c_rehash</code> script is broken in several versions, which can cause malfunction if several OpenSSL tools versions are installed in parallel in separate directories. In such cases, you may need a workaround to -get things going. Assuming your OpenSSL 1.0.2 is installed in -<code>/opt/openssl1.0.2</code> and your certificates are in +get things going. Assuming your OpenSSL 1.1.1 is installed in +<code>/opt/openssl1.1.1</code> and your certificates are in <code>/home/hans/certs</code>, you'd do this (the corresponding fetchmail option is <kbd>--sslcertpath /home/hans/certs</kbd> on the commandline and <kbd>sslcertpath /home/hans/cert</kbd> in the rcfile):</p> <pre> -env PATH=/opt/openssl1.0.2/bin /opt/openssl1.0.2/bin/c_rehash /home/hans/certs +env PATH=/opt/openssl1.1.1/bin /opt/openssl1.1.1/bin/c_rehash /home/hans/certs </pre> <h2><a id="R15" name="R15">R15. Help, I'm getting Authorization failure!</a></h2> diff --git a/fetchmail.c b/fetchmail.c index 69d80e23..c74d553c 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -272,6 +272,12 @@ int main(int argc, char **argv) "-SSLv3" #endif #endif +#ifndef HAVE_DECL_TLS1_2_VERSION + "-TLS1.2" +#endif +#ifndef HAVE_DECL_TLS1_2_VERSION + "-TLS1.3" +#endif #ifdef OPIE_ENABLE "+OPIE" #endif /* OPIE_ENABLE */ @@ -393,6 +393,10 @@ va_dcl { #pragma message "WARNING - LibreSSL is unsupported. Use at your own risk." #endif +#if OPENSSL_VERSION_NUMBER < 0x1010100fL +#pragma message "WARNING - OpenSSL SHOULD be at least version 1.1.1." +#endif + #if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER #error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported. #else |
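Review bot: in the configure.ac hunk (@@ -799), AC_CHECK_DECLS always defines HAVE_DECL_TLS1_3_VERSION, as 1 when the declaration is found and 0 when it is not, so any C code that consumes this result has to test the macro's value (`#if !HAVE_DECL_TLS1_3_VERSION`), not whether it is defined. Apart from that, the new check correctly mirrors the existing TLS1_2_VERSION one and downgrades the result to AC_MSG_WARN, which matches the "tolerate, but warn" wording in NEWS.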
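Review bot: in the first fetchmail.c hunk (@@ -272), the second new block tests HAVE_DECL_TLS1_2_VERSION but emits "-TLS1.3"; it should test HAVE_DECL_TLS1_3_VERSION. Both new blocks also use `#ifndef`, which is never true for a macro that AC_CHECK_DECLS defines as 0 or 1, so neither "-TLS1.2" nor "-TLS1.3" would ever show up in the feature list. Suggested form: `#if !HAVE_DECL_TLS1_2_VERSION` / `"-TLS1.2"` / `#endif`, and likewise for TLS1_3_VERSION.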
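Review bot: in the second fetchmail.c hunk (@@ -393), the `OPENSSL_VERSION_NUMBER < 0x1010100fL` test only speaks for genuine OpenSSL; LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so the new pragma never fires there even when TLS 1.3 is absent. The NEWS promise to warn about API-compatible libraries lacking TLS v1.3 therefore rests entirely on the configure-time TLS1_3_VERSION check; a one-line comment beside the pragma saying so would stop the two checks being mistaken for duplicates.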
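Review bot: in the fetchmail-FAQ.html hunk (@@ -2070), "should at least be version 1.1.1" reads as a hard requirement, while README.SSL in this same change says fetchmail rejects only versions before v1.0.2 and warns about versions before v1.1.1. A half-sentence here noting the 1.0.2 tolerance, or a pointer to README.SSL, would keep the FAQ and the README consistent.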
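Review bot: in the README.SSL hunk (@@ -27), the unchanged context line "has become redunant since fetchmail v6.4.0" carries a pre-existing typo ("redundant") that could be fixed while this paragraph is being touched.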