-rw-r--r--NEWS2
-rw-r--r--socket.c9
2 files changed, 7 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 1dc45357..b7f6fdb2 100644
--- a/NEWS
+++ b/NEWS
@@ -87,6 +87,7 @@ fetchmail 6.3.9 (not yet released):
Fixes BerliOS Bug #13207 (reported + fix suggested by Terry Brown).
* Only print "Deleting fetchids file" if there actually is one.
Fixes Debian Bug#374514, reported by Dan Jacobson.
+* SSL fix: check and report if SSL_set_fd fails.
# CHANGES:
* autoconf 2.60 is now required to build fetchmail; it uses
@@ -118,6 +119,7 @@ fetchmail 6.3.9 (not yet released):
misconfigured upstream SSL servers that use the wrong certificate name. It
specifies which CommonName fetchmail expects and logs. (Daniel Richard G.)
* Changed CRLF to LF line endings in contrib/delete-later (reporter: Petr Uzel)
+* SSL change: enable all workarounds with SSL_CTX_set_options(ctx,SSL_OP_ALL)
# DOCUMENTATION:
* Add fetchmail-SA-2007-02.txt and fetchmail-SA-2008-01.txt.
diff --git a/socket.c b/socket.c
index 1af4a393..e943f8b2 100644
--- a/socket.c
+++ b/socket.c
@@ -801,7 +801,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
int i;
SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SSLeay_add_ssl_algorithms(); /* synonym for SSL_library_init() */
#ifdef SSL_ENABLE
if (stat("/dev/random", &randstat) &&
@@ -851,6 +851,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
return(-1);
}
+ SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+
if (certck) {
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
} else {
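Review bot: `SSL_OP_ALL` on the added `SSL_CTX_set_options` line enables every protocol bug workaround, and that set includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which OpenSSL documents as disabling its countermeasure against a CBC-cipher weakness in SSL 3.0/TLS 1.0; the NEWS entry describes the change only as "enable all workarounds" and does not mention this trade-off. Unless interoperability with a specific broken server is known to need it, mask that bit out: `SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);`. In either case a short comment such as `/* compatibility workarounds for buggy peers, not a hardening setting */` would keep the call from being misread. SSLOpen's body continues outside the hunk.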
@@ -901,9 +903,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, SSL_FILETYPE_PEM);
}
- SSL_set_fd(_ssl_context[sock], sock);
-
- if(SSL_connect(_ssl_context[sock]) < 1) {
+ if (SSL_set_fd(_ssl_context[sock], sock) == 0
+ || SSL_connect(_ssl_context[sock]) < 1) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(_ctx[sock]);
_ctx[sock] = NULL;
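Review bot: The combined condition on the new lines reports an `SSL_set_fd` failure and an `SSL_connect` failure identically, so the log cannot distinguish a local setup error (the socket BIO could not be created) from a failed handshake with the server; keeping the two calls in separate `if` blocks that each log a distinct message before jumping to the shared cleanup would make the new check actually useful for diagnosis. In the cleanup shown, `_ctx[sock]` is freed but `_ssl_context[sock]` is not; if the rest of the block (outside the hunk) does not `SSL_free` it, the new early-exit path leaks the SSL object on every failed connection, as the old path presumably did. SSLOpen's body continues outside the hunk.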