path: root/README.SSL
Diffstat (limited to 'README.SSL')
-rw-r--r--  README.SSL  36
1 files changed, 21 insertions, 15 deletions
diff --git a/README.SSL b/README.SSL
index ba3de41a..cf07d05e 100644
--- a/README.SSL
+++ b/README.SSL
@@ -18,9 +18,6 @@ POP3/IMAP4) or is totally SSL-wrapped on a separate port.
Also, fetchmail 6.4.0 and newer releases changed some of the semantics
as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
-If your server does not support this, you may have to specify --sslproto
-ssl3+. This is in order to prefer the newer TLS protocols, because SSLv2
-and v3 are broken.
Finally, due to other defaults changing, and several mail services not
supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS,
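Review bot: dropping the "--sslproto ssl3+" advice is right, since the removed paragraph contradicted itself (it recommended ssl3+ while stating in the same breath that SSLv2 and v3 are broken), but the surviving sentence "will auto-negotiate TLSv1 or newer only" now leaves a reader whose server fails the handshake with no pointer to a remedy. Suggest one line here referring to the --sslproto discussion further down (tls1.2+ as the default, tls1+ or tls1.1+ only as a compatibility fallback) so the "changed some of the semantics" statement is actionable. "as the result of a bug-fix" is also vague; naming the fix or the release/NEWS entry would help someone deciding whether to upgrade.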
@@ -40,28 +37,37 @@ In all four examples below, the (--)sslcertck has become redundant
since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
for a while, we'll leave it here to be safe.
-For use of SSL or TLS with in-band negotiation on the regular service's port,
-i. e. with STLS or STARTTLS, use these command line options
+For use of SSL or TLS on a separate port (recommended), called Implicit TLS,
+the whole TCP connection is SSL-encrypted from the very beginning (SSL- or
+TLS-wrapped), use these command line options (in the rcfile,
+omit all leading "--"):
- --sslproto auto --sslcertck
+ --ssl --sslproto tls1.2+ --sslcertck
or these options in the rcfile (after the respective "user"... options)
- sslproto auto sslcertck
-
+ ssl sslproto tls1.2+ sslcertck
-Note that some services do not offer STLS or STARTTLS, but most do
-offer SSL or TLS on a separate, dedicated, "secure" port:
-For use of SSL or TLS on a separate port, if the whole TCP connection is
-SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
-command line options (in the rcfile, omit all leading "--"):
+For use of SSL or TLS with in-band negotiation on the regular service's port,
+i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or
+ssl):
- --ssl --sslproto auto --sslcertck
+ --sslproto tls1.2+ --sslcertck
or these options in the rcfile (after the respective "user"... options)
- ssl sslproto auto sslcertck
+ sslproto tls1.2+ sslcertck
+
+
+With up to date OpenSSL libraries (1.1.1 or newer), and with recent
+software on the server, you can alternatively configure tls1.3+.
+
+For some older services, you may need to use tls1.1+ or tls1+ for compatibility
+instead of the tls1.2+ above. In such situations, you should ask the service
+provider or server operator to upgrade their TLS implementation such that
+TLS v1.3 be supported, and once that happens, update your fetchmail configuration
+to tls1.3+ or tls1.2+.
Background and use (long version :-))
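Review bot: the new Implicit TLS paragraph ("For use of SSL or TLS on a separate port (recommended), called Implicit TLS, the whole TCP connection is SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these command line options") is a run-on whose first clause has no verb; suggest splitting it into "Implicit TLS (recommended): the service listens on a separate port and the whole TCP connection is TLS-wrapped from the very beginning. Use these command line options:". The parenthetical "(in the rcfile, omit all leading "--")" is redundant with the "or these options in the rcfile" line that already shows the rcfile form, and it was not carried into the STARTTLS paragraph, so the two sections are now inconsistent; keep it in one place or drop it. Two further points: the removed sentence "some services do not offer STLS or STARTTLS, but most do offer SSL or TLS on a separate, dedicated, "secure" port" was the stated reason for preferring the wrapped port and should survive the reordering, and the compatibility paragraph should say plainly that tls1+ and tls1.1+ are a downgrade to deprecated protocol versions (the file already calls SSLv2 and v3 broken; TLS 1.0 and 1.1 are deprecated as well), not merely a compatibility setting, and fix "such that TLS v1.3 be supported" to "so that TLS v1.3 is supported". The double blank line added before the OpenSSL paragraph is a style nit.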