From 87b354e857e98da2f8b60d09e7e0d174a2f1bda9 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Mon, 7 Aug 2006 08:51:57 +0000
Subject: Log opportunistic TLS upgrades in verbose mode.

svn path=/branches/BRANCH_6-3/; revision=4881
---
 NEWS          |  2 ++
 TODO.txt      |  2 --
 fetchmail.man |  8 +++++---
 imap.c        |  9 +++++++--
 pop3.c        | 18 +++++++++++-------
 5 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/NEWS b/NEWS
index f278b29a..f717d1c8 100644
--- a/NEWS
+++ b/NEWS
@@ -104,6 +104,8 @@ fetchmail 6.3.5 (not yet released):
 * Keep syslog output at one line per message (this works if no errors occur).
 * Track getaddrinfo() results to properly free them after timeouts, reported by
   Uli Zappe. This MIGHT fix Debian Bug#294547 and Bug#377135.
+* Fetchmail in verbose mode now logs if it opportunistically upgrades a POP3
+  or IMAP connection to TLS security with STLS/STARTTLS.
 
 # CHANGES:
 * Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
diff --git a/TODO.txt b/TODO.txt
index f8993ce4..fed38769 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,3 @@
-- log/print warning if fetchmail uses TLS without configuration,
-  to avoid users being surprised (see Debian Bug#294547).
 - allow full user@domain mappings in multidrop matching
   (is this perhaps a 6.4.0 issue?)
   see Andrew Longland-Meech's multidrop problems on fetchmail-users
diff --git a/fetchmail.man b/fetchmail.man
index 648f7e1b..adab35cc 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -401,12 +401,14 @@ server. This can cause some complications in daemon mode.
 .TP
 .B \-\-sslproto
 (Keyword: sslproto)
-Forces an SSL protocol. Possible values are '\fBssl2\fR',
+Forces an SSL or TLS protocol. Possible values are '\fBssl2\fR',
 \&'\fBssl3\fR', '\fBssl23\fR', and '\fBtls1\fR'. Try this if the default handshake does not work for your server. To defeat automatic TLSv1 negotiation when the server advertises STARTTLS or STLS, use \fB''\fR or
-\&'\fBssl23\fR'. The default is to try appropriate protocols depending
-on context.
+\&'\fBssl23\fR'. This option, even if the argument is the empty string,
+will also suppress the diagnostic 'SERVER: opportunistic upgrade to
+TLS.' message in verbose mode. The default is to try appropriate
+protocols depending on context.
 .TP
 .B \-\-sslcertck
 (Keyword: sslcertck)
diff --git a/imap.c b/imap.c
index 5fe6bc10..d1ee1c2b 100644
--- a/imap.c
+++ b/imap.c
@@ -391,7 +391,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 	 * not other SSL protocols */
 	if (ok == PS_SUCCESS &&
-		SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+		SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+			ctl->sslcertpath,ctl->sslfingerprint,
+			realhost,ctl->server.pollname) == -1)
 	{
 	    if (!ctl->sslproto && !ctl->wehaveauthed)
 	    {
@@ -402,7 +404,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 		report(stderr, GT_("SSL connection failed.\n"));
 		return PS_SOCKET;
-	}
+	} else {
+	    if (outlevel >= O_VERBOSE && !ctl->sslproto)
+		report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+	}
 	did_stls = TRUE;
 	/*
diff --git a/pop3.c b/pop3.c
index fd5b1304..e32103d7 100644
--- a/pop3.c
+++ b/pop3.c
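Review bot: The new `else` arm in imap_getauth reports "opportunistic upgrade to TLS." whenever the `if (ok == PS_SUCCESS && SSLOpen(...) == -1)` test is false, and that includes the case where the STARTTLS command itself was refused (`ok != PS_SUCCESS`) and SSLOpen was never called, so a session that stays in plaintext because the server or an on-path party declined STARTTLS is announced in verbose output as upgraded. The same structure is added to pop3_getauth in pop3.c, where `ok = gen_transact(sock, "STLS");` directly precedes it. The message should be tied to a completed upgrade, e.g. `} else if (ok == PS_SUCCESS && outlevel >= O_VERBOSE && !ctl->sslproto) {` replacing `} else {` and the inner `if`; `did_stls = TRUE;` on the following line is likewise set on the refused-STARTTLS path, though that predates this commit. The body of imap_getauth continues outside both hunks, and the lines between them are not visible here.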
@@ -449,21 +449,25 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 	ok = gen_transact(sock, "STLS");
 	/* We use "tls1" instead of ctl->sslproto, as we want STLS,
-	 * not other SSL protocols
-	 */
+	 * not other SSL protocols */
 	if (ok == PS_SUCCESS &&
-		SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+		SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+			ctl->sslcertpath,ctl->sslfingerprint,
+			realhost,ctl->server.pollname) == -1)
 	{
 	    if (!ctl->sslproto && !ctl->wehaveauthed)
 	    {
 		ctl->sslproto = xstrdup("");
-		/* repoll immediately */
-		return(PS_REPOLL);
+		/* repoll immediately without TLS */
+		return PS_REPOLL;
 	    }
 	    report(stderr, GT_("SSL connection failed.\n"));
-	    return PS_SOCKET;
-	}
+	    return PS_SOCKET;
+	} else {
+	    if (outlevel >= O_VERBOSE && !ctl->sslproto)
+		report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+	}
 	did_stls = TRUE;
 	/*
-- 
cgit v1.2.3
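Review bot: The downgrade path in this hunk, `ctl->sslproto = xstrdup("");` followed by `return PS_REPOLL;`, still emits no diagnostic, so a failed opportunistic STLS upgrade is retried in plaintext silently while only the success case gains a verbose message; the TODO entry this commit removes asked for a warning in exactly that situation. A single report before the return, at least in verbose mode, e.g. `if (outlevel >= O_VERBOSE) report(stderr, GT_("%s: STLS upgrade failed, retrying without TLS.\n"), realhost);`, would let the user tell a broken TLS setup apart from a session that has been downgraded. The corresponding lines of imap_getauth in imap.c fall between its two hunks and are not visible here, so the same check is likely needed there but cannot be confirmed from this page. pop3_getauth continues outside the hunk.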