From 5c49ed857af685f175b6f13df7ac76fd373ce2fb Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Wed, 31 Jan 2024 21:21:25 +0100
Subject: Tighten OpenSSL/wolfSSL version requirements.
---
 NEWS | 11 +++++++++++
 README.SSL | 17 ++++++++++-------
 socket.c | 31 ++++++++++++++++++++-----------
 3 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/NEWS b/NEWS
index 46bfa764..10a5330c 100644
--- a/NEWS
+++ b/NEWS
@@ -102,6 +102,17 @@ removed from a 6.5.0 or newer release.)
 --------------------------------------------------------------------------------
 fetchmail-6.4.38 (not yet released):
+# BREAKING CHANGES:
+* Tighten OpenSSL and wolfSSL version requirements again. See README.SSL.
+ Distributors providing older versions that they backport security fixes for
+ may want to patch socket.c but remember to redirect support to your
+ distribution's support channels.
+ The fetchmail maintainer only supports functionally unmodified builds with
+ publicly available SSL/TLS library versions.
+ fetchmail will refuse to build against OpenSSL 1.0.2 older than 1.0.2u,
+ or wolfSSL older than 5.6.2. It will warn about OpenSSL older than 3.0.9,
+ or between 3.1.0 and 3.1.4, or wolfSSL older than 5.6.6.
+
 # TRANSLATIONS: language translations were updated by these fine people:
 (in reverse alphabetical order of language codes):
 * ru: Kirill Isakov [Russian]
diff --git a/README.SSL b/README.SSL
index dfad1529..c7c77452 100644
--- a/README.SSL
+++ b/README.SSL
@@ -21,8 +21,12 @@ below and in the manual).
 fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Fetchmail 6.4.38 supports OpenSSL 3.0.8 and 1.1.1t and WolfSSL 5.5.3 or newer,
-including OpenSSL 3.1.0.
+Fetchmail 6.4.38 supports OpenSSL 3.0.9, 3.1.4, and WolfSSL 5.6.6 or newer,
+and might support OpenSSL 3.2.0 or newer.
+Fetchmail may compile against end-of-life (EOL) OpenSSL 1.x.y versions,
+but these are unsupported by the fetchmail maintainer.
+It is expected that the user only uses a supported SSL library that receives
+security fixes and is kept up to date.
 Note that WolfSSL 5 is a bit less flexible about its trust store, see
 INSTALL chapter 2.1 for details.
@@ -31,16 +35,16 @@ Note that many messages printed by fetchmail will print "OpenSSL" even if
 wolfSSL is being used. Reason is that fetchmail uses wolfSSL's OpenSSL
 compatibility layer and not the native wolfSSL API.
- -- Matthias Andree, 2023-03-18
+ -- Matthias Andree, 2024-01-31
 Quickstart
 ----------
-Use an up-to-date release of OpenSSL v1.1.1 or v3.0/v3.1 or wolfSSL 5.5 or
+Use an up-to-date release of OpenSSL v3.0/v3.1 or wolfSSL 5.5 or
 newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions
 are unsupported upstream, and fetchmail rejects versions before v1.0.2f and
-warns about versions before v1.1.1q or 3.0.7.
+warns about versions before 3.0.13.
 wolfSSL needs to be configured with --enable-opensslall --enable-harden, else
 some required OpenSSL APIs are missing, especially for SNI (server name
@@ -74,8 +78,7 @@ or these options in the rcfile (after the respective "user"... options)
 sslproto tls1.2+
 sslcertck
-With up to date OpenSSL libraries (1.1.1 or newer), and with recent
-software on the server, you can alternatively configure tls1.3+.
+With recent software on the server, you can alternatively configure tls1.3+.
 For some older services, you may need to use tls1.1+ or tls1+ for compatibility
 instead of the tls1.2+ above. In such situations, you should ask the service
diff --git a/socket.c b/socket.c
index e2058eee..c98e1552 100644
--- a/socket.c
+++ b/socket.c
@@ -414,24 +414,33 @@ va_dcl {
 #endif
 #ifdef USING_WOLFSSL
-# if LIBWOLFSSL_VERSION_HEX < 0x05005001L
-# error "FAILED - wolfSSL MUST be at least version 5.5.1. You have " LIBWOLFSSL_VERSION_STRING "."
+# if LIBWOLFSSL_VERSION_HEX < 0x05006002L
+# error "FAILED - wolfSSL MUST be at least version 5.6.2. You have " LIBWOLFSSL_VERSION_STRING "."
 # endif
-# if LIBWOLFSSL_VERSION_HEX < 0x05005003L
-# pragma message "WARNING - wolfSSL SHOULD be at least version 5.5.3. You have " LIBWOLFSSL_VERSION_STRING "."
+# if LIBWOLFSSL_VERSION_HEX < 0x05006006L
+# pragma message "WARNING - wolfSSL SHOULD be at least version 5.6.6. You have " LIBWOLFSSL_VERSION_STRING "."
 # endif
 #else /* !USING_WOLFSSL */
-#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
-# if OPENSSL_VERSION_NUMBER < 0x1010111fL
-# pragma message "WARNING - OpenSSL 1.m.nx SHOULD be at least release version 1.1.1q, using " OPENSSL_VERSION_TEXT "."
+#define fm_MIN_OPENSSL_VER 0x1000215fL /* 1.0.2u */
+# if OPENSSL_VERSION_NUMBER < 0x1010115fL
+# pragma message "WARNING - OpenSSL 1.m.nx SHOULD be at least release version 1.1.1u, using " OPENSSL_VERSION_TEXT "."
 # endif /* 0xMNN00PPSL */
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# if OPENSSL_VERSION_NUMBER < 0x30000070L
-# pragma message "WARNING - OpenSSL 3.m.n SHOULD be at least release version 3.0.7, using " OPENSSL_VERSION_TEXT "."
+/* do not warn about OpenSSL 3.2.0, the 3.2.1 fix is of low priority */
+# if OPENSSL_VERSION_NUMBER >= 0x30100000L && OPENSSL_VERSION_NUMBER < 0x30200000L
+# if OPENSSL_VERSION_NUMBER < 0x30100040L
+# pragma message "WARNING - OpenSSL 3.1.n SHOULD be at least release version 3.1.4, using " OPENSSL_VERSION_TEXT "."
 # endif
 # endif /* 0xMNN00PPSL */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x30100000L
+# if OPENSSL_VERSION_NUMBER < 0x30000090L
+# pragma message "WARNING - OpenSSL 3.0.n SHOULD be at least release version 3.0.9, using " OPENSSL_VERSION_TEXT "."
+# endif
+# endif /* 0xMNN00PPSL */
+# if OPENSSL_VERSION_NUMBER < 0x30000000L
+# pragma message "WARNING - OpenSSL before 3.0.0 is end-of-life and unsupported, using " OPENSSL_VERSION_TEXT "."
+# endif
 # if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
-# error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported.
+# error Your OpenSSL version MUST be at least 1.0.2u release. Older OpenSSL versions are unsupported.
 # else /* OpenSSL too old */
 /* #define __fm_ossl_ver(x) #x
-- cgit v1.2.3
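Review bot: The thresholds in this hunk disagree with the README.SSL text changed by the same commit: socket.c now errors below 1.0.2u (`#define fm_MIN_OPENSSL_VER 0x1000215fL`) and warns below 3.0.9 (`# if OPENSSL_VERSION_NUMBER < 0x30000090L`), while README.SSL's Quickstart still says fetchmail "rejects versions before v1.0.2f" and now says it "warns about versions before 3.0.13"; NEWS agrees with the code (3.0.9). Either the README sentence should read `rejects versions before v1.0.2u and warns about versions before 3.0.9 or 3.1.4`, or, if 3.0.13 is the intended floor, the 3.0 check should become `# if OPENSSL_VERSION_NUMBER < 0x300000d0L` with its message updated to match (and the 3.1 threshold presumably revisited as well) — as committed, users who follow the README will be told a different number than the build enforces. Separately, the `< 0x1010115fL` test is true for every 1.0.2 build, so a 1.0.2u–1.1.1t build now prints both the "SHOULD be at least 1.1.1u" message and the new "before 3.0.0 is end-of-life" message; folding the first into the EOL warning would avoid the duplicate, and 1.1.1u is likely not the final 1.1.1 release either. These are header-only checks; whether the library actually loaded at run time is compared against the build version (e.g. via OpenSSL_version_num()) is not visible in this hunk. The enclosing `#ifdef USING_WOLFSSL … #else` region and the `# else /* OpenSSL too old */` branch continue outside the hunk.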