-rw-r--r--  NEWS              6
-rw-r--r--  README.SSL        2
-rw-r--r--  README.packaging  2
-rw-r--r--  socket.c          6
4 files changed, 10 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index 85942474..f75000ce 100644
--- a/NEWS
+++ b/NEWS
@@ -92,10 +92,14 @@ removed from a 6.5.0 or newer release.)
--------------------------------------------------------------------------------
fetchmail-6.4.25 (not yet released):
-# CHANGES
+# BREAKING CHANGES
* Since distributions continue patching for LibreSSL use, which cannot be
linked legally, block out LibreSSL in configure.ac and socket.c, and
refer to COPYING.
+* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
+ the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix
+ release, and 1.0.2u is publicly available from
+ https://www.openssl.org/source/old/1.0.2/
--------------------------------------------------------------------------------
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
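Review bot: the new NEWS bullet says the bump to 1.0.2f is what makes removing SSL_OP_SINGLE_DH_USE "safe", but it never says what changed about that flag in 1.0.2f, so a reader cannot tell why 1.0.2f rather than 1.0.2 is the boundary. Suggest one clause stating what 1.0.2f did to the flag's behaviour (the reason it is now "obsolete"), so the BREAKING CHANGES entry is self-explanatory for packagers who have to justify the new floor. The pointer to https://www.openssl.org/source/old/1.0.2/ and to 1.0.2u is good; consider saying explicitly that 1.0.2u is the release packagers should pick from that directory.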
diff --git a/README.SSL b/README.SSL
index 425f574e..519e986f 100644
--- a/README.SSL
+++ b/README.SSL
@@ -31,7 +31,7 @@ Quickstart
Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or newer, so as to get
TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
-fetchmail rejects versions before v1.0.2 and warns about versions before
+fetchmail rejects versions before v1.0.2f and warns about versions before
v1.1.1.
In all four examples below, the (--)sslcertck has become redundant
diff --git a/README.packaging b/README.packaging
index 819d0613..c2c798a6 100644
--- a/README.packaging
+++ b/README.packaging
@@ -8,7 +8,7 @@ Greetings, dear packager!
The bullet points below mention a few useful hints for package(r)s:
-- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now
+- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2f for now
but assumes the distributor backports security fixes for it.
- Fetchmail now uses automake and supports all common automake targets and
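Review bot: this packaging hint now names the bare floor "1.0.2f", while the NEWS entry in the same commit tells readers that 1.0.2u is the publicly available 1.0.2 release. Since the sentence already says the distributor must backport security fixes, it would be more useful to packagers to name 1.0.2u here as the 1.0.2 release to build against, matching NEWS, rather than the minimum the compile-time check happens to accept.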
diff --git a/socket.c b/socket.c
index 8ee88ec2..1d022689 100644
--- a/socket.c
+++ b/socket.c
@@ -406,7 +406,7 @@ va_dcl {
#include <openssl/x509v3.h>
#include <openssl/rand.h>
-#define fm_MIN_OPENSSL_VER 0x1000200fL
+#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
#ifdef LIBRESSL_VERSION_NUMBER
#error "FAILED - LibreSSL cannot be used legally, for lack of GPL clause 2b exception, see COPYING."
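Review bot: the trailing `/* 1.0.2f */` comment on fm_MIN_OPENSSL_VER is welcome, but the next person who has to bump this constant still has to know how the OPENSSL_VERSION_NUMBER fields are laid out to get from "1.0.2f" to 0x1000206fL (the patch letter is the 06 byte). Suggest extending the comment to spell out the field layout once, e.g. `/* 1.0.2f: 0xMNNFFPPS, patch f == 06 */`, so the value can be checked by eye in review.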
@@ -417,7 +417,7 @@ va_dcl {
#endif
#if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
-#error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported.
+#error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported.
#else
/*
#define __fm_ossl_ver(x) #x
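Review bot: "must be at least 1.0.2f release" reads awkwardly in the #error text; "Your OpenSSL version must be at least 1.0.2f. Older OpenSSL versions are unsupported." is cleaner. It would also help the person hitting this error to see the same download pointer that NEWS gives (the 1.0.2 archive URL), since a compile failure is where they actually need it.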
@@ -1079,7 +1079,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
struct stat randstat;
int i;
int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- long sslopts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
+ long sslopts = SSL_OP_ALL;
int ssle_connect = 0;
long ver;
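Review bot: dropping SSL_OP_SINGLE_DH_USE from sslopts is only behaviour-neutral because of the fm_MIN_OPENSSL_VER bump to 1.0.2f earlier in this patch, but nothing at this site records that dependency; someone later relaxing the version floor would silently reintroduce the old DH-key reuse behaviour on older libraries. Suggest a short comment beside `long sslopts = SSL_OP_ALL;` noting that single-use DH keys are relied on as the default from the minimum supported OpenSSL version and that the flag was removed for that reason, so the two changes stay coupled in the source rather than only in NEWS.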