| -rw-r--r-- | NEWS | 11 | ||||
| -rw-r--r-- | socket.c | 16 | 
2 files changed, 26 insertions, 1 deletions
@@ -96,6 +96,17 @@ fetchmail-6.4.24 (not yet released):
 * Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
   warning workaround. Remove the cast of yytoknum to void.  This may cause
   a compiler warning to reappear with older Bison versions.
+* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3 
+  certificate in its trust store because OpenSSL by default prefers the 
+  untrusted certificate and fails.  Fetchmail now sets the 
+  X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only).
+  This is workaround #2 from the OpenSSL Blog.  For details, see both:
+  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
+
+  NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library
+  is kept up to date by a distributor or via OpenSSL support contract.
+  Where this is not the case, please upgrade to a supported OpenSSL version.
 # TRANSLATIONS: language translations were updated by these fine people:
 * sv:    Göran Uddeborg [Swedish]
@@ -1210,7 +1210,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 	    }
 	}
-	/* OpenSSL >= 1.0.2: set host name for verification */
+	/* set host name for verification, only available since OpenSSL 1.0.2 */
 	/* XXX FIXME: do we need to change the function's signature and pass the akalist to
 	 * permit the other hostnames through SSL? */
 	/* https://wiki.openssl.org/index.php/Hostname_validation */ 
@@ -1224,6 +1224,20 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 			(void *)_ssl_context[sock], servercname, r);
 		ERR_print_errors_fp(stderr);
 	    }
+
+	    /* OpenSSL 1.0.2 and 1.0.2 only:
+	     * work around Let's Encrypt Cross-Signing Certificate Expiry,
+	     * https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+	     * Workaround #2 */
+	    /* OpenSSL 1.x.x: 0xMNNFFPPSL: major minor fix patch status
+	     * OpenSSL 3.0.0: 0xMNN00PPSL: synthesized */
+	    /*  0xMNNFFPPsL           0xMNNFFPPsL  */
+	    if (0x1000200fL == (ver & 0xfffff000L)) {
+		X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
+	    }
+
+	    /* param is a pointer to internal OpenSSL data, must not be freed,
+	     * and just goes out of scope */
 	}
 	if( mycert || mykey ) {
 | 
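Review bot: The version test `if (0x1000200fL == (ver & 0xfffff000L))` can never be true: the mask clears the low 12 bits of `ver` (the PP and S fields of the 0xMNNFFPPS layout the comment describes), so the masked value always ends in `000`, while the constant ends in `00f`, and X509_V_FLAG_TRUSTED_FIRST is therefore never set on the 1.0.2 builds this hunk targets. Comparing against the masked constant, `if (0x10002000L == (ver & 0xfffff000L)) {`, matches every 1.0.2 patch letter and status as intended. The comment `/* OpenSSL 1.0.2 and 1.0.2 only:` repeats the same version; it presumably should read `/* OpenSSL 1.0.2 only:`. `ver` and `param` are assigned before this hunk and SSLOpen starts and ends outside it, so I am assuming `ver` holds the runtime library version number rather than the compile-time OPENSSL_VERSION_NUMBER; if it is the latter, a binary built against 1.0.2 but run against a newer library would still be covered by the comparison.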
