From 650519f8bc28f9047290327cd9a2e1c01e430255 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 4 Jan 2020 00:51:33 +0100 Subject: STARTTLS enforcement for sslproto != "tls1". Fetchmail < 6.4.2 used to only consider --sslproto=TLS1 as "mandatory STARTTLS" unless sslcertck or sslfingerprint were given, now all protocol versions will require STARTTLS. This did not matter in the default install because sslcertck defaults to on, but could permit fetchmail to continue with unencrypted connections if --nosslcertck was in use. --- starttls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/starttls.c b/starttls.c index 2df08cd9..b35f2970 100644 --- a/starttls.c +++ b/starttls.c @@ -29,7 +29,7 @@ int must_starttls(struct query *ctl) { #ifdef SSL_ENABLE return maybe_starttls(ctl) && (ctl->sslfingerprint || ctl->sslcertck - || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); + || (ctl->sslproto && ctl->sslproto[0])); #else (void)ctl; return 0; -- cgit v1.2.3
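Review bot: The new clause `(ctl->sslproto && ctl->sslproto[0])` in must_starttls() still leaves STARTTLS optional when sslproto is NULL or the empty string and neither sslfingerprint nor sslcertck is set, and nothing in the hunk says whether that is intended. A comment above the return would make the contract explicit, for example `/* any non-empty sslproto makes STARTTLS mandatory; NULL or "" leaves it opportunistic unless sslcertck or sslfingerprint is set */`. The result is also ANDed with maybe_starttls(ctl), whose body is not in the hunk, so it is worth confirming that it returns true for every non-empty sslproto value; otherwise the unencrypted fallback described in the commit message could remain for some settings. The end of must_starttls() lies outside the hunk.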