aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--NEWS4
-rw-r--r--fetchmail.man5
-rw-r--r--options.c2
-rw-r--r--po/de.po8
-rw-r--r--socket.c8
5 files changed, 12 insertions, 15 deletions
diff --git a/NEWS b/NEWS
index 9f1bbf98..bcf2537b 100644
--- a/NEWS
+++ b/NEWS
@@ -59,10 +59,6 @@ removed from a 6.4.0 or newer release.)
fetchmail-6.3.20 (not yet released):
# CHANGES
-* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to
- --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail
- will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2.
- To fix Debian Bug#622054.
* fetchmail now always uses its own MD5 implementation. The library and header
variants are too diverse, and we've been bitten before -- and configure
complains noisily on Cyrus-SASL's RFC1321 md5.h.
diff --git a/fetchmail.man b/fetchmail.man
index 231e163d..152a74c0 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -474,9 +474,8 @@ Also see \-\-sslcert above.
(Keyword: sslproto)
.br
Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL23\fP' (note however that fetchmail, since v6.3.20, prohibits
-negotiation of SSLv2 -- it has been deprecated for 15 years and is
-insecure), \&'\fBSSL3\fP', and
+\&'\fBSSL2\fP', '\fBSSL23\fP', (use of these two values is discouraged
+and should only be used as a last resort) \&'\fBSSL3\fP', and
\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
opportunistically try STARTTLS negotiation with TLS1. You can configure
diff --git a/options.c b/options.c
index aee616ba..d53044fc 100644
--- a/options.c
+++ b/options.c
@@ -651,7 +651,7 @@ int parsecmdline (int argc /** argument count */,
P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n"));
P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n"));
P(GT_(" --sslfingerprint fingerprint that must match that of the server's cert.\n"));
- P(GT_(" --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"));
+ P(GT_(" --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"));
#endif
P(GT_(" --plugin specify external command to open connection\n"));
P(GT_(" --plugout specify external command to open smtp connection\n"));
diff --git a/po/de.po b/po/de.po
index ff91818d..0b7e3476 100644
--- a/po/de.po
+++ b/po/de.po
@@ -2270,8 +2270,8 @@ msgstr ""
"Servers.\n"
#: options.c:654
-msgid " --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"
-msgstr " --sslproto SSL-Protokoll erzwingen (SSL23/SSL3/TLS1)\n"
+msgid " --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"
+msgstr " --sslproto SSL-Protokoll erzwingen (SSL2/SSL3/TLS1)\n"
#: options.c:656
msgid " --plugin specify external command to open connection\n"
@@ -3175,9 +3175,9 @@ msgstr "Datei-Deskriptor außerhalb des Bereichs für SSL"
#: socket.c:899
#, c-format
-msgid "Invalid SSL protocol '%s' specified, using default (SSL23).\n"
+msgid "Invalid SSL protocol '%s' specified, using default (SSLv23).\n"
msgstr ""
-"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSL23).\n"
+"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSLv23).\n"
#: socket.c:992
msgid "Certificate/fingerprint verification was somehow skipped!\n"
diff --git a/socket.c b/socket.c
index 26e37de8..f513d9ff 100644
--- a/socket.c
+++ b/socket.c
@@ -899,14 +899,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
/* Make sure a connection referring to an older context is not left */
_ssl_context[sock] = NULL;
if(myproto) {
- if(!strcasecmp("ssl3",myproto)) {
+ if(!strcasecmp("ssl2",myproto)) {
+ _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
+ } else if(!strcasecmp("ssl3",myproto)) {
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
} else if(!strcasecmp("tls1",myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
} else if (!strcasecmp("ssl23",myproto)) {
myproto = NULL;
} else {
- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
+ fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
myproto = NULL;
}
}
@@ -918,7 +920,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
return(-1);
}
- SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
if (certck) {
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);