| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This would affect fetchmail configurations running with SSL in daemon mode
more than one-shot runs.
Reported by Erik Thiele, and pinned by Dominik, Debian Bug #688015.
This bug was introduced into fetchmail 6.2.9 (committed 2005-10-29)
when support for subjectAltName was added through a patch by Roland
Stigge, submitted as Debian Bug#201113.
| |
A patch to clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS was added recently:
http://gitorious.org/fetchmail/fetchmail/commit/48809c5b9f6c9081f4031fa938dd63b060c18a4b?format=patch
Older implementations of OpenSSL do not support SSL_CTX_clear_options().
This patch reworks the previous change to avoid the use of
SSL_CTX_clear_options() and instead clears the corresponding bit in
SSL_OP_ALL before calling SSL_CTX_set_options().
| |
...from SSL options, unless FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE
is a non-empty environment variable.
Suggested by Apple.
| |
On systems where SSLv2_client_method isn't defined in OpenSSL (such as newer
Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't reference it (to
fix the build) and print a run-time error that the OS does not support SSLv2.
Fixes Debian Bug #622054, but note that that bug report has a more thorough
patch that does away with SSLv2 altogether.
| |
Reported by Henry Jensen, fixes Debian Bug #639807.
| |
This reverts commits 47c05b10018f5ec7493e4bd9f521aaa18d96f1e2
and 72ce8bce8dd655b6aefa33d0a74e883dad5202b5, the code isn't portable,
for instance, Solaris does not support SO_RCVTIMEO/SO_SNDTIMEO.
These socket-level options are known, but Solaris returns EAFNOSUPPORT.
Reported by Jonathan Buschmann.
| |
Fixes STARTTLS hangs reported by Thomas Jarosch.
| |
Revert "Remove support for SSLv2 (fixes Debian Bug #622054)."
This reverts commit c22a3afca46c83ee6d53a6ee58deb122f309c460.
| |
Uses setsockopt(..., SOL_SOCKET, SO_{SND|RCV}TIMEO, ...).
| |
SSLv2 has been deprecated since 1996, and is insecure.
Remove --sslproto SSL2 support.
Set SSL_OP_NO_SSLv2 option so that the SSLv23 multi-version
client no longer negotiates SSLv2.
Note that some distributions (such as Debian) build OpenSSL 1.0.0
without SSLv2 support, so on those, the build would fail.
Fixes Debian Bug #622054
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622054
| |
rather than just "*", to make abuse harder.
| |
Fixes Debian Bug#580796 reported by Roland Stigge.
| |
If at least one of --sslcertfile and --sslcertpath is given, fetchmail
skips loading the default OpenSSL X.509 trusted CA cert locations.
If the environment variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set
to a non-empty value, fetchmail will additionally load the default locations.
The old FETCHMAIL_NO_DEFAULT_X509_PATHS variable was dropped.
| |
and always load the default X.509 trust stores, unless the latter is set.
| |
To fix Debian Bug #576430, reported by Sjoerd Simons.
| |
...that were converted to char* when they should have been converted to
const char *.
Use braces for empty if/else statements.
| |
Problem was improper scoping of xfree(tt). Patch courtesy of Thomas Heinz.
Fixes Gentoo bug #280760.
svn path=/branches/BRANCH_6-3/; revision=5415
| |
svn path=/branches/BRANCH_6-3/; revision=5396
| |
svn path=/branches/BRANCH_6-3/; revision=5393
| |
svn path=/branches/BRANCH_6-3/; revision=5389
| |
svn path=/branches/BRANCH_6-3/; revision=5357
| |
Daniel Richard G. writes:
| I was clearing out an old Fetchmail SVN checkout I had lying around
| here, and came across one small change that I forgot to send in.
|
| In socket.c, there's a bit of code that compares SSL certificate
| fingerprints: [...]
|
| That strcmp() call should be an strcasecmp(). At one point, I
| encountered a certificate where the fingerprint's hex digits were in a
| different case than what was expected, and the connection attempt failed
| because of that. Not exactly what you'd call a potential MitM attack
| :-)
He's right, we can compare case-insensitively without sacrificing
fetchmail's security, so let's just do that for the sake of ease of use.
svn path=/branches/BRANCH_6-3/; revision=5262
| |
svn path=/branches/BRANCH_6-3/; revision=5261
| |
svn path=/branches/BRANCH_6-3/; revision=5237
| |
SSL change: enable all workarounds with SSL_CTX_set_options(ctx,SSL_OP_ALL)
svn path=/branches/BRANCH_6-3/; revision=5214
| |
svn path=/branches/BRANCH_6-3/; revision=5212
| |
svn path=/branches/BRANCH_6-3/; revision=5155
| |
svn path=/branches/BRANCH_6-3/; revision=5117
| |
default and --user takes precedence.
svn path=/branches/BRANCH_6-3/; revision=4994
| |
fixes growing SSL certpaths without bounds (Red Hat Bug #206346).
svn path=/branches/BRANCH_6-3/; revision=4912
|