-rw-r--r-- | COPYING | 40 |
-rw-r--r-- | INSTALL | 13 |
-rw-r--r-- | NEWS | 6 |
-rw-r--r-- | README.SSL | 10 |
4 files changed, 53 insertions, 16 deletions
@@ -11,27 +11,53 @@ Carl E. Harris, George M. Sipe, Graham Wilson, Matthias Andree and Sunil Shetye. SSL library considerations ~~~~~~~~~~~~~~~~~~~~~~~~~~ -If linking against OpenSSL versions under dual OpenSSL/SSLeay license (f. i. -OpenSSL 1.1.1x and older) is enabled at configure/compile time, the +If linking against OpenSSL versions under dual OpenSSL/SSLeay license (f. i. +OpenSSL 1.1.1x and older) is enabled at configure/compile time, the following clause applies: | This product includes software developed by the OpenSSL Project | for use in the OpenSSL Toolkit. (http://www.openssl.org/) +|Linking fetchmail statically or dynamically with other modules is making +|a combined work based on fetchmail. Thus, the terms and conditions +|of the GNU General Public License cover the whole combination. +| +|In addition, as a special exception, the copyright holders of fetchmail +|give you permission to combine fetchmail with free +|software programs or libraries that are released under the GNU LGPL and with +|code included in the standard release of OpenSSL under the OpenSSL or SSLeay license +|(or modified versions of such code, with unchanged license). +| +|You may copy and distribute such a system following the terms of the GNU GPL +|for fetchmail and the licenses of the other code concerned, +|provided that you include the source code of that other code when and as the +|GNU GPL requires distribution of source code. +| +|Note that people who make modified versions of fetchmail are not obligated to +|grant this special exception for their modified versions; it is their choice +|whether to do so. The GNU General Public License gives permission to release +|a modified version without this exception; this exception also makes it +|possible to release a modified version which carries forward this exception. +| +|In short: Specific permission is granted for the GPLed code in this distribution to be linked to OpenSSL without invoking GPL clause 2(b). 
Note that this permission applies to OpenSSL, and OpenSSL only. +The Free Software Foundation asserts that a GPL v2 clause 2b exception is +required even for dynamically linked binaries. See +https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic -If linking against OpenSSL versions licensed under the Apache License version + +If linking against OpenSSL versions licensed under the Apache License version 2.0 (for instance, OpenSSL 3.0.x), note that this library is incompatible with -the GPLv2, so that effectively, distributors need to pull the "or any later version" +the GPLv2, so that effectively, distributors need to use the "or any later version" grant in the GPLv2 and apply the GPLv3 which is considered compatible with the Apache License 2.0 by the FSF and the ASF. -Fetchmail can be linked against wolfSSL, which is under GNU General Public License v2, -or optionally, any later version. +Fetchmail can be linked against wolfSSL, +which is under GNU General Public License v2, or optionally, any later version. ~~~~~~~~~~~~~~~~~~~~~~~~~~ The support for SMB authentication is copyright by Andrew Tridgell and @@ -69,7 +95,7 @@ Stenberg and also under a liberal license: | MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHORS AND | CONTRIBUTORS ACCEPT NO RESPONSIBILITY IN ANY CONCEIVABLE MANNER. -The libesmtp/* files functions are (C) by Brian Stafford, see the respective +The libesmtp/* files functions are (C) by Brian Stafford, see the respective file headers for details (LGPL v2.1 or later). The KAME/* files are (C) Copyright (C) 1995, 1996, 1997, and 1998 WIDE 
@@ -95,14 +95,23 @@ When using OpenSSL: ./configure -When using wolfSSL (adjust the location, see below): + It is possible to either specify the install path, or pkg-config + module name, with --with-ssl, examples: + + ./configure --with-ssl=/opt/openssl3 + + ./configure --with-ssl=eopenssl30 + +When using wolfSSL (adjust the trust file location, see below): ./configure --with-wolfssl \ WOLFSSL_TRUST_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem Here, you need to adjust the file path according to where your ca_cert_nss or ca-certificates package installs the default trust bundle in PEM format with -BEGIN CERTIFICATE lines. Some typical locations as of 2021 are: +BEGIN CERTIFICATE lines. wolfSSL 5.0.0 cannot parse BEGIN TRUSTED CERTIFICATE bundles. + +Some typical locations as of 2021 are: on Fedora Linux: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt on FreeBSD: /usr/local/share/certs/ca-root-nss.crt @@ -95,7 +95,7 @@ fetchmail-6.4.25 (not yet released): # BREAKING CHANGES * Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and - refer to COPYING. + refer to COPYING. OpenSSL and wolfSSL 5 can be used. * Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix release, and 1.0.2u is publicly available from 
@@ -108,8 +108,10 @@ fetchmail-6.4.25 (not yet released): # CHANGES * fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, - see README.SSL. This is considered experimental. Feedback solicited. + see INSTALL and README.SSL. This is considered experimental. + Feedback solicited. * The getstats.py dist-tool now counts lines of .ac and .am files. +* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL. -------------------------------------------------------------------------------- fetchmail-6.4.24 (released 2021-11-20, 30218 LoC): @@ -22,8 +22,8 @@ below and in the manual). fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only. Fetchmail 6.4.25 supports OpenSSL 3.0 and 1.1.1 and WolfSSL 5.0. - -The configure options --with-wolfssl takes precedence over --with-ssl. +Note that WolfSSL 5.0 is a bit less flexible about its trust store, +see INSTALL chapter 2.1 for details. -- Matthias Andree, 2021-11-20 @@ -46,7 +46,7 @@ since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation for too long, (--)sslcertck will remain in the examples below for now. For use of SSL or TLS on a separate port (recommended), called Implicit TLS, -the whole TCP connection is SSL-encrypted from the very beginning (SSL- or +the whole TCP connection is SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these command line options (in the rcfile, omit all leading "--"): @@ -57,8 +57,8 @@ or these options in the rcfile (after the respective "user"... options) ssl sslproto tls1.2+ sslcertck -For use of SSL or TLS with in-band negotiation on the regular service's port, -i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or +For use of SSL or TLS with in-band negotiation on the regular service's port, +i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or ssl): --sslproto tls1.2+ --sslcertck |
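Review bot: In COPYING (hunk @@ -11,27 +11,53 @@), the added exception grants permission to combine fetchmail with "libraries that are released under the GNU LGPL" as well as with OpenSSL/SSLeay-licensed code, but the unchanged closing sentence still reads "Note that this permission applies to OpenSSL, and OpenSSL only." The two statements contradict each other on scope. Suggest either rewording the closing sentence to name both LGPL libraries and OpenSSL, or dropping the LGPL grant, so that distributors are not left to guess which one governs.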
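Review bot: In INSTALL (hunk @@ -95,14 +95,23 @@), the added sentence "wolfSSL 5.0.0 cannot parse BEGIN TRUSTED CERTIFICATE bundles" names the limitation but gives the reader no way to tell which kind of bundle a given path holds, and does not say what happens when WOLFSSL_TRUST_FILE points at an unsuitable file. Since this file is the default trust bundle used for certificate checking, suggest adding a one-line check (for instance, looking at the "BEGIN" lines of the file) and a statement of the resulting behaviour. The new --with-ssl paragraph in the same hunk also accepts "either ... the install path, or pkg-config module name" without saying how configure decides which of the two an argument is; one sentence stating that rule would remove the ambiguity.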
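Review bot: In NEWS (hunk @@ -95,7 +95,7 @@), the added "OpenSSL and wolfSSL 5 can be used." gives a major version for wolfSSL but none for OpenSSL, while the next bullet sets the minimum at 1.0.2f and README.SSL speaks of "OpenSSL 3.0 and 1.1.1". Suggest naming the OpenSSL versions here as well, or pointing to the bullet that does, so the three files agree on what is supported.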
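Review bot: In README.SSL (hunk @@ -22,8 +22,8 @@), the sentence "The configure options --with-wolfssl takes precedence over --with-ssl." is removed and nothing in the visible INSTALL or NEWS hunks restates it, so the precedence rule is no longer documented anywhere in this change. If it still holds, suggest moving it into the INSTALL paragraph that introduces --with-ssl and --with-wolfssl. The replacement text, "a bit less flexible about its trust store", is also vague next to INSTALL's concrete wording; consider naming the BEGIN TRUSTED CERTIFICATE limitation here too, and using the "wolfSSL" spelling that INSTALL and NEWS use.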