-rw-r--r--NEWS11
-rw-r--r--README.SSL17
-rw-r--r--socket.c31
3 files changed, 41 insertions, 18 deletions
diff --git a/NEWS b/NEWS
index 46bfa764..10a5330c 100644
--- a/NEWS
+++ b/NEWS
@@ -102,6 +102,17 @@ removed from a 6.5.0 or newer release.)
--------------------------------------------------------------------------------
fetchmail-6.4.38 (not yet released):
+# BREAKING CHANGES:
+* Tighten OpenSSL and wolfSSL version requirements again. See README.SSL.
+ Distributors providing older versions that they backport security fixes for
+ may want to patch socket.c but remember to redirect support to your
+ distribution's support channels.
+ The fetchmail maintainer only supports functionally unmodified builds with
+ publicly available SSL/TLS library versions.
+ fetchmail will refuse to build against OpenSSL 1.0.2 older than 1.0.2u,
+ or wolfSSL older than 5.6.2. It will warn about OpenSSL older than 3.0.9,
+ or between 3.1.0 and 3.1.4, or wolfSSL older than 5.6.6.
+
# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes):
* ru: Kirill Isakov [Russian]
diff --git a/README.SSL b/README.SSL
index dfad1529..c7c77452 100644
--- a/README.SSL
+++ b/README.SSL
@@ -21,8 +21,12 @@ below and in the manual).
fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Fetchmail 6.4.38 supports OpenSSL 3.0.8 and 1.1.1t and WolfSSL 5.5.3 or newer,
-including OpenSSL 3.1.0.
+Fetchmail 6.4.38 supports OpenSSL 3.0.9, 3.1.4, and WolfSSL 5.6.6 or newer,
+and might support OpenSSL 3.2.0 or newer.
+Fetchmail may compile against end-of-life (EOL) OpenSSL 1.x.y versions,
+but these are unsupported by the fetchmail maintainer.
+It is expected that the user only uses a supported SSL library that receives
+security fixes and is kept up to date.
Note that WolfSSL 5 is a bit less flexible about its trust store,
see INSTALL chapter 2.1 for details.
@@ -31,16 +35,16 @@ Note that many messages printed by fetchmail will print "OpenSSL"
even if wolfSSL is being used. Reason is that fetchmail uses
wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API.
- -- Matthias Andree, 2023-03-18
+ -- Matthias Andree, 2024-01-31
Quickstart
----------
-Use an up-to-date release of OpenSSL v1.1.1 or v3.0/v3.1 or wolfSSL 5.5 or
+Use an up-to-date release of OpenSSL v3.0/v3.1 or wolfSSL 5.5 or
newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions
are unsupported upstream, and fetchmail rejects versions before v1.0.2f and
-warns about versions before v1.1.1q or 3.0.7.
+warns about versions before 3.0.13.
wolfSSL needs to be configured with --enable-opensslall --enable-harden,
else some required OpenSSL APIs are missing, especially for SNI (server name
@@ -74,8 +78,7 @@ or these options in the rcfile (after the respective "user"... options)
sslproto tls1.2+ sslcertck
-With up to date OpenSSL libraries (1.1.1 or newer), and with recent
-software on the server, you can alternatively configure tls1.3+.
+With recent software on the server, you can alternatively configure tls1.3+.
For some older services, you may need to use tls1.1+ or tls1+ for compatibility
instead of the tls1.2+ above. In such situations, you should ask the service
diff --git a/socket.c b/socket.c
index e2058eee..c98e1552 100644
--- a/socket.c
+++ b/socket.c
@@ -414,24 +414,33 @@ va_dcl {
#endif
#ifdef USING_WOLFSSL
-# if LIBWOLFSSL_VERSION_HEX < 0x05005001L
-# error "FAILED - wolfSSL MUST be at least version 5.5.1. You have " LIBWOLFSSL_VERSION_STRING "."
+# if LIBWOLFSSL_VERSION_HEX < 0x05006002L
+# error "FAILED - wolfSSL MUST be at least version 5.6.2. You have " LIBWOLFSSL_VERSION_STRING "."
# endif
-# if LIBWOLFSSL_VERSION_HEX < 0x05005003L
-# pragma message "WARNING - wolfSSL SHOULD be at least version 5.5.3. You have " LIBWOLFSSL_VERSION_STRING "."
+# if LIBWOLFSSL_VERSION_HEX < 0x05006006L
+# pragma message "WARNING - wolfSSL SHOULD be at least version 5.6.6. You have " LIBWOLFSSL_VERSION_STRING "."
# endif
#else /* !USING_WOLFSSL */
-#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
-# if OPENSSL_VERSION_NUMBER < 0x1010111fL
-# pragma message "WARNING - OpenSSL 1.m.nx SHOULD be at least release version 1.1.1q, using " OPENSSL_VERSION_TEXT "."
+#define fm_MIN_OPENSSL_VER 0x1000215fL /* 1.0.2u */
+# if OPENSSL_VERSION_NUMBER < 0x1010115fL
+# pragma message "WARNING - OpenSSL 1.m.nx SHOULD be at least release version 1.1.1u, using " OPENSSL_VERSION_TEXT "."
# endif /* 0xMNN00PPSL */
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# if OPENSSL_VERSION_NUMBER < 0x30000070L
-# pragma message "WARNING - OpenSSL 3.m.n SHOULD be at least release version 3.0.7, using " OPENSSL_VERSION_TEXT "."
+/* do not warn about OpenSSL 3.2.0, the 3.2.1 fix is of low priority */
+# if OPENSSL_VERSION_NUMBER >= 0x30100000L && OPENSSL_VERSION_NUMBER < 0x30200000L
+# if OPENSSL_VERSION_NUMBER < 0x30100040L
+# pragma message "WARNING - OpenSSL 3.1.n SHOULD be at least release version 3.1.4, using " OPENSSL_VERSION_TEXT "."
# endif
# endif /* 0xMNN00PPSL */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30100000L
+# if OPENSSL_VERSION_NUMBER < 0x30000090L
+# pragma message "WARNING - OpenSSL 3.0.n SHOULD be at least release version 3.0.9, using " OPENSSL_VERSION_TEXT "."
+# endif
+# endif /* 0xMNN00PPSL */
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+# pragma message "WARNING - OpenSSL before 3.0.0 is end-of-life and unsupported, using " OPENSSL_VERSION_TEXT "."
+# endif
# if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
-# error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported.
+# error Your OpenSSL version MUST be at least 1.0.2u release. Older OpenSSL versions are unsupported.
# else /* OpenSSL too old */
/*
#define __fm_ossl_ver(x) #x
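Review bot: The 3.0.x warning threshold `0x30000090L` (3.0.9) and the new hard minimum `fm_MIN_OPENSSL_VER 0x1000215fL` (1.0.2u) do not agree with README.SSL as changed in this same commit, whose Quickstart now says fetchmail "warns about versions before 3.0.13" and, in unchanged text just above it, still says it "rejects versions before v1.0.2f"; NEWS states 3.0.9 and 1.0.2u, so presumably the README is the stale one and its two lines should read `are unsupported upstream, and fetchmail rejects versions before v1.0.2u and` / `warns about versions before 3.0.9.` (or, if 3.0.13 is intended, the constant here becomes `0x300000d0L` with the message updated to match). The encodings themselves check out: 1.0.2u = 0x1000215f and 1.1.1u = 0x1010115f in the legacy MNNFFPPS scheme, 3.0.9 = 0x30000090 and 3.1.4 = 0x30100040 in the 3.x MNN00PP0 scheme. As a point of style, the comment "do not warn about OpenSSL 3.2.0, the 3.2.1 fix is of low priority" sits directly above the 3.1.n block it does not describe; it reads better as a trailing note after the 3.0.n block, e.g. `/* no 3.2.n block on purpose: the 3.2.1 fix is low priority, so 3.2.0 is not warned about */`. Note that these are header-only checks, so a binary built against current headers but run with an older shared library would not be caught here; whether fetchmail has a runtime `OpenSSL_version_num()` comparison is not visible in this hunk. The `# else /* OpenSSL too old */` region opened at the end of the hunk is closed outside it.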