From 1877c3d444e6109a3d9273e46b4b9c8e8c50ea2a Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 30 Mar 2020 14:25:05 +0200 Subject: "Require" OpenSSL 1.1.1 and tolerate/warn 1.0.2. OpenSSL 1.0.2 is EOL since end of 2019, so warn if it is to be used at configure and compile time. The assumption is that 1.0.2 may still be in use by maintainers that backport security fixes. Also warn, at configure time, about "OpenSSL" API-compatible libraries that do not declare TLS1_3_VERSION. --- NEWS | 8 ++++++++ README.SSL | 6 +++--- README.git | 4 ++-- README.packaging | 3 ++- configure.ac | 3 +++ fetchmail-FAQ.html | 8 ++++---- fetchmail.c | 6 ++++++ socket.c | 4 ++++ 8 files changed, 32 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 7f25c694..1a503c1b 100644 --- a/NEWS +++ b/NEWS @@ -77,6 +77,14 @@ fetchmail-6.4.3 (WIP) Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd. Reported by Stefan Thurner. +## CHANGES: +* Fetchmail documentation was updated to require OpenSSL 1.1.1. + OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019. + Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that + distributors backport security fixes as the need arises. + Fetchmail will also warn if another SSL library that is API-compatible + with OpenSSL lacks TLS v1.3 support. + fetchmail-6.4.2 (released 2020-02-14, 27473 LoC): ## BREAKING CHANGES: diff --git a/README.SSL b/README.SSL index 9111cf62..6c85eb38 100644 --- a/README.SSL +++ b/README.SSL 
@@ -27,9 +27,9 @@ and v3 are broken. Quickstart ---------- -Use an up-to-date release of OpenSSL 1.0.2 or newer, so as to get -TLSv1.2 support. If possible, use a TLS1.3-enabled OpenSSL v1.1.1 or newer. -Older OpenSSL versions are unsupported upstream, and fetchmail rejects them. +Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get +TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and +fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1. In all four examples below, the (--)sslcertck has become redunant since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation diff --git a/README.git b/README.git index 1781c192..2ffb6799 100644 --- a/README.git +++ b/README.git @@ -12,7 +12,7 @@ The prerequisite packages are: - GNU m4 - GNU bison - GNU flex >= 2.5.30 -- A TLSv1.2-capable OpenSSL version (>= 1.0.2) +- A TLSv1.3-capable OpenSSL version (>= 1.1.1) After you have everything installed, type: @@ -28,4 +28,4 @@ $ make (become root) # make install-strip --- Matthias Andree, 2016-09-24 +-- Matthias Andree, 2020-03-30 diff --git a/README.packaging b/README.packaging index d4f8bf47..819d0613 100644 --- a/README.packaging +++ b/README.packaging @@ -8,7 +8,8 @@ Greetings, dear packager! The bullet points below mention a few useful hints for package(r)s: -- Fetchmail requires a somewhat recent OpenSSL v1.0.2. +- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now + but assumes the distributor backports security fixes for it. - Fetchmail now uses automake and supports all common automake targets and overrides such as "make install-strip" or "DESTDIR=..." for staging areas. diff --git a/configure.ac b/configure.ac index 31373d2a..f1a58c3a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -799,6 +799,9 @@ else fi case "$LIBS" in *-lssl*) + AC_CHECK_DECLS([TLS1_3_VERSION],, + AC_MSG_WARN([Your OpenSSL version is too old and does not support TLS v1.3. Upgrade.]), + [#include ]) AC_CHECK_DECLS([TLS1_2_VERSION],, AC_MSG_ERROR([Your OpenSSL version is too old and does not support TLS v1.2. Upgrade.]), [#include ]) diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5b9a1203..58e89e72 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -2070,7 +2070,7 @@ SSL?

You'll need to have the OpenSSL libraries installed, and they -should at least be version 1.0.2. +should at least be version 1.1.1. Configure with --with-ssl (default since fetchmail v6.4.0). If you have the OpenSSL libraries installed in commonly-used default locations, this will suffice. If you have them installed in a non-default location, @@ -2459,14 +2459,14 @@ applications linked against older OpenSSL versions.

Note: OpenSSL's c_rehash script is broken in several versions, which can cause malfunction if several OpenSSL tools versions are installed in parallel in separate directories. In such cases, you may need a workaround to -get things going. Assuming your OpenSSL 1.0.2 is installed in -/opt/openssl1.0.2 and your certificates are in +get things going. Assuming your OpenSSL 1.1.1 is installed in +/opt/openssl1.1.1 and your certificates are in /home/hans/certs, you'd do this (the corresponding fetchmail option is --sslcertpath /home/hans/certs on the commandline and sslcertpath /home/hans/cert in the rcfile):

-env PATH=/opt/openssl1.0.2/bin /opt/openssl1.0.2/bin/c_rehash /home/hans/certs
+env PATH=/opt/openssl1.1.1/bin /opt/openssl1.1.1/bin/c_rehash /home/hans/certs
 

R15. Help, I'm getting Authorization failure!

diff --git a/fetchmail.c b/fetchmail.c index 69d80e23..c74d553c 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -272,6 +272,12 @@ int main(int argc, char **argv) "-SSLv3" #endif #endif +#ifndef HAVE_DECL_TLS1_2_VERSION + "-TLS1.2" +#endif +#ifndef HAVE_DECL_TLS1_2_VERSION + "-TLS1.3" +#endif #ifdef OPIE_ENABLE "+OPIE" #endif /* OPIE_ENABLE */ diff --git a/socket.c b/socket.c index b442e5f9..c2f6fc7a 100644 --- a/socket.c +++ b/socket.c @@ -393,6 +393,10 @@ va_dcl { #pragma message "WARNING - LibreSSL is unsupported. Use at your own risk." #endif +#if OPENSSL_VERSION_NUMBER < 0x1010100fL +#pragma message "WARNING - OpenSSL SHOULD be at least version 1.1.1." +#endif + #if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER #error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported. #else -- cgit v1.2.3
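Review bot: the fetchmail.c hunk has a copy-paste error in its second guard: both new blocks test HAVE_DECL_TLS1_2_VERSION, so the "-TLS1.3" capability marker is keyed to the TLS 1.2 probe and never reflects the TLS1_3_VERSION check this commit adds to configure.ac; the second block should read `#ifndef HAVE_DECL_TLS1_3_VERSION`. Beyond that, AC_CHECK_DECLS always defines HAVE_DECL_symbol, to 1 when the symbol is declared and to 0 when it is not, so `#ifndef HAVE_DECL_TLS1_2_VERSION` is never true and neither "-TLS1.2" nor "-TLS1.3" can ever appear in the banner; test the value instead, e.g. `#if !HAVE_DECL_TLS1_2_VERSION` and `#if !HAVE_DECL_TLS1_3_VERSION`. As written, a build against a library that configure just warned lacks TLS v1.3 would still advertise it, which is the situation this change is meant to make visible.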
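Review bot: in the configure.ac hunk the new warning says "Your OpenSSL version is too old ... Upgrade", but the commit message and the NEWS entry describe this check as targeting OpenSSL API-compatible libraries that do not declare TLS1_3_VERSION, where the library may not be OpenSSL and an upgrade may not exist; wording that names the missing symbol, e.g. "TLS1_3_VERSION is not declared; TLS v1.3 will be unavailable", would match what is actually detected. Also, both `[#include ]` arguments in the rendered hunk show no header name, so the header the probe compiles against cannot be confirmed from this page; please check that the committed file carries it.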
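Review bot: the socket.c hunk adds a second bare version literal, `0x1010100fL`, next to the existing `fm_MIN_OPENSSL_VER` comparison; a named constant alongside fm_MIN_OPENSSL_VER (e.g. fm_WARN_OPENSSL_VER, hypothetical name) would keep both thresholds in one place and make the 1.0.2 tolerance announced in NEWS easy to retire later. Note also that this test keys on the version number only, so a library that reports a 1.1.x number but does not declare TLS1_3_VERSION passes this #pragma silently and is caught only by the configure-time warning; a one-line comment saying that the two checks are intentionally complementary would help the next reader.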
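Review bot: in the README.SSL hunk the unchanged context line "the (--)sslcertck has become redunant" carries a typo (redundant); since this hunk already rewrites the Quickstart paragraph, it is a cheap drive-by fix. The new wording is consistent with the code: rejection before v1.0.2 matches the socket.c #error, and the warning before v1.1.1 matches the new #pragma message.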