diff options
| -rw-r--r-- | Makefile.am | 2 | ||||
| -rw-r--r-- | NEWS | 13 | ||||
| -rw-r--r-- | README.SSL | 8 | ||||
| -rw-r--r-- | fetchmail.c | 2 | ||||
| -rw-r--r-- | fetchmail.man | 19 |
5 files changed, 41 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am index d7d0320c..a6b74fbe 100644 --- a/Makefile.am +++ b/Makefile.am @@ -35,7 +35,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc822.c report.c rfc2047e.c \ smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ xmalloc.h sdump.h sdump.c x509_name_match.c \ - fm_strl.h md5c.c + fm_strl.h md5c.c tls-aux.c if NTLM_ENABLE libfm_a_SOURCES += ntlmsubr.c @@ -81,6 +81,19 @@ fetchmail-6.4.16 (not yet released): 6.2.5 to 6.4.X duplicate suppression by entire raw header. Manpage bug found by Julian Bane debugging "duplicate message" behaviour. +# FEATURE +* fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS + library's "SSL default trusted certificate" file or directory (mind the word + "default"), where the OpenSSL-compatible TLS implementation will look for + trusted root, meaning certification authority (CA), certificates. + NOTE 1: watch the output carefully if the line prints the defaults + or the configured path (without "default"). + NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables + for OpenSSL 1.1.1 to override the *default* locations (those compiled into + OpenSSL or possibly in its configuration file). + This was added when Gene Heskett was debugging his setup and the + information "where does OpenSSL look" was missing. + # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) @@ -31,7 +31,7 @@ Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1. -In all four examples below, the (--)sslcertck has become redunant +In all four examples below, the (--)sslcertck has become redundant since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation for a while, we'll leave it here to be safe. @@ -99,8 +99,12 @@ you put the CA's certificate into a directory where you keep trusted certificates, and point fetchmail to it. Fetchmail will then accept certificates signed by the owner of that certificate with the private key belonging to the public key in the certificate. -You can specify this path using the "sslcertpath" option if it is + You can specify this path using the "sslcertpath" option if it is different from the one OpenSSL uses by default. + Alternatively, a "bundle" file (a concatenation of trusted certificates in PEM +form) can be given, using the "sslcertfile". + fetchmail 6.4.16 and newer will print the default locations where the SSL +library looks when run as fetchmail -V or fetchmail --version. The idea is that the CA only gives certificates to entities whose identity it has checked and verified (and in this case, that the server name you specify diff --git a/fetchmail.c b/fetchmail.c index 907a8bcb..e6ceb71a 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -1769,8 +1769,10 @@ static void dump_params (struct runctl *runp, } else { printf(GT_(" SSL server certificate checking disabled.\n")); } + printf(GT_(" SSL default trusted certificate file: %s\n"), get_default_cert_file()); if (ctl->sslcertfile != NULL) printf(GT_(" SSL trusted certificate file: %s\n"), ctl->sslcertfile); + printf(GT_(" SSL default trusted certificate directory: %s\n"), get_default_cert_path()); if (ctl->sslcertpath != NULL) printf(GT_(" SSL trusted certificate directory: %s\n"), ctl->sslcertpath); if (ctl->sslcommonname != NULL) diff --git a/fetchmail.man b/fetchmail.man index d562788c..c32cada8 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -2940,6 +2940,25 @@ and HOME_ETC will be ignored. socks library to find out which configuration file it should read. Set this to /dev/null to bypass the SOCKS proxy. +.IP \fBSSL_CERT_DIR\fP +(with truly OpenSSL 1.1.1 compatible library): overrides OpenSSL's idea +of the default trust directory or path (which contains individual certificate +files and hashed symlinks), see the SSL_CTX_set_default_verify_paths(3) +manual page for details, it may be in the openssl development package. +If using another library's OpenSSL compatibility interface, this may not work. +Since this variable only specifies a default value, the option \-\-sslcertpath +takes precedence if given. + +.IP \fBSSL_CERT_FILE\fP +(with truly OpenSSL 1.1.1 compatible library): overrides OpenSSL's idea +of the default trust certificate bundle file (which contains a concatenation +of base64-encoded certificates in PEM format), see the +SSL_CTX_set_default_verify_paths(3) manual page +for details, it may be in the openssl development package. +If using another library's OpenSSL compatibility interface, this may not work. +Since this variable only specifies a default value, the option \-\-sslcertfile +takes precedence if given. + .SH SIGNALS If a \fBfetchmail\fP daemon is running as root, SIGUSR1 wakes it up from its sleep phase and forces a poll of all non-skipped servers. For compatibility |