Diffstat (limited to 'README.SSL')
-rw-r--r-- README.SSL 27
1 files changed, 14 insertions, 13 deletions
diff --git a/README.SSL b/README.SSL
index cf07d05e..425f574e 100644
--- a/README.SSL
+++ b/README.SSL
@@ -12,30 +12,31 @@ setup.
In case of troubles, mail the README.SSL-SERVER file to your ISP and
have them check their server configuration against it.
-Note that fetchmail up to version 6.3.26 confused SSL/TLS protocol levels with
-whether a service needs to use in-band negotiation (STLS/STARTTLS for
-POP3/IMAP4) or is totally SSL-wrapped on a separate port.
+Note that fetchmail up to version 6.3.26 used to confuse SSL/TLS protocol
+levels with whether a service needs to use in-band negotiation (STLS/STARTTLS
+for POP3/IMAP4) or is totally SSL-wrapped ("Implicit TLS") on a separate port.
+Fetchmail 6.4 seeks to fix that to some extent without breaking the
+command-line and rcfile interfaces too much (see --ssl and --sslproto options,
+below and in the manual).
-Also, fetchmail 6.4.0 and newer releases changed some of the semantics
-as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
+fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Finally, due to other defaults changing, and several mail services not
-supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS,
-you may need to add ssl or --ssl to your configuration.
+Fetchmail 6.4.22 supports OpenSSL 3.0.0 and 1.1.1.
- -- Matthias Andree, 2021-03-29
+ -- Matthias Andree, 2021-09-09
Quickstart
----------
-Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
+Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or newer, so as to get
TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
-fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
+fetchmail rejects versions before v1.0.2 and warns about versions before
+v1.1.1.
In all four examples below, the (--)sslcertck has become redundant
-since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
-for a while, we'll leave it here to be safe.
+since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation
+for too long, (--)sslcertck will remain in the examples below for now.
For use of SSL or TLS on a separate port (recommended), called Implicit TLS,
the whole TCP connection is SSL-encrypted from the very beginning (SSL- or
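Review bot: The removed paragraph ending "you may need to add ssl or --ssl to your configuration" was the only place in this intro that told users what to do when a service lacks STLS/STARTTLS, and nothing in the added lines replaces it. Consider keeping a one-sentence version of that hint next to the new "(see --ssl and --sslproto options, below and in the manual)" pointer, so that someone upgrading from 6.3 still learns that a missing ssl/--ssl is a likely cause of a failed or unencrypted setup. Two smaller points in the same hunk: "Fetchmail 6.4.22 supports OpenSSL 3.0.0 and 1.1.1" reads as an exhaustive list, while the Quickstart still says versions from v1.0.2 are accepted with a warning, so it would help to say whether 1.0.2 remains tolerated; and "OpenSSL v1.1.1 or v3.0.0 or newer" is ambiguous about what "or newer" binds to, where "v1.1.1 or newer, or v3.0.0 or newer" would be unambiguous. Since the text now states plainly that 6.4.0 "will auto-negotiate TLSv1 or newer only" while the Quickstart recommends TLSv1.3 support, it may also be worth noting here that --sslproto is the way to require a higher minimum.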