From 8eed56c21ca5bbdf3c00aaf74d807bcad8713ba9 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 13 Sep 2021 22:43:34 +0200 Subject: Note OpenSSL 3.0.0 support and licensing change. While here, rearrange COPYING a little bit and add a few paragraphs. Zeilen, --- COPYING | 27 +++++++++++++++++++++------ NEWS | 6 ++++++ README.SSL | 27 ++++++++++++++------------- 3 files changed, 41 insertions(+), 19 deletions(-) diff --git a/COPYING b/COPYING index c778d257..7499e673 100644 --- a/COPYING +++ b/COPYING 
@@ -5,12 +5,30 @@ Copyright (C) 2004 Matthias Andree, Eric S. Raymond, Copyright (C) 2005 - 2012 Sunil Shetye Copyright (C) 2005 - 2021 Matthias Andree -If enabled at configure/compile time, the following clause applies: +Some older portions not explicitly mentioned above are copyrighted by +Carl E. Harris, George M. Sipe, Graham Wilson, Matthias Andree and Sunil Shetye. + + +SSL library considerations +~~~~~~~~~~~~~~~~~~~~~~~~~~ +If linking against OpenSSL versions under dual OpenSSL/SSLeay license (f. i. +OpenSSL 1.1.1x and older) is enabled at configure/compile time, the +following clause applies: | This product includes software developed by the OpenSSL Project | for use in the OpenSSL Toolkit. (http://www.openssl.org/) -Some older portions not explicitly mentioned above are copyrighted by -Carl E. Harris, George M. Sipe, Graham Wilson, Matthias Andree and Sunil Shetye. +Specific permission is granted for the GPLed code in this distribution to +be linked to OpenSSL without invoking GPL clause 2(b). + +Note that this permission applies to OpenSSL, and OpenSSL only. + + +If linking against OpenSSL versions licensed under the Apache License version +2.0 (for instance, OpenSSL 3.0.x), note that this library is incompatible with +the GPLv2, so that effectively, distributors need to pull the "or any later version" +grant in the GPLv2 and apply the GPLv3 which is considered compatible with the +Apache License 2.0 by the FSF and the ASF. +~~~~~~~~~~~~~~~~~~~~~~~~~~ The support for SMB authentication is copyright by Andrew Tridgell and is under GPL version 2 (or any later version). Andrew Tridgell has 
@@ -56,9 +74,6 @@ Project, see the respective file headers for details. All other code in the distribution incorporates the copy of GPL version 2 below by reference. -Specific permission is granted for the GPLed code in this distribution to -be linked to OpenSSL without invoking GPL clause 2(b). - ------------------------------------------------------------------------------- GNU GENERAL PUBLIC LICENSE Version 2, June 1991 diff --git a/NEWS b/NEWS index 68fbeb8b..aa239b0d 100644 --- a/NEWS +++ b/NEWS @@ -92,6 +92,12 @@ removed from a 6.5.0 or newer release.) -------------------------------------------------------------------------------- fetchmail-6.4.22 (not yet released): +# OPENSSL AND LICENSING NOTE: +* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. + OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay + license to Apache License v2.0, which is considered incompatible with GPL v2 + by the FSF. For implications and details, see the file COPYING. + # SECURITY FIXES: * On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends diff --git a/README.SSL b/README.SSL index cf07d05e..425f574e 100644 --- a/README.SSL +++ b/README.SSL 
@@ -12,30 +12,31 @@ setup. In case of troubles, mail the README.SSL-SERVER file to your ISP and have them check their server configuration against it. -Note that fetchmail up to version 6.3.26 confused SSL/TLS protocol levels with -whether a service needs to use in-band negotiation (STLS/STARTTLS for -POP3/IMAP4) or is totally SSL-wrapped on a separate port. +Note that fetchmail up to version 6.3.26 used to confuse SSL/TLS protocol +levels with whether a service needs to use in-band negotiation (STLS/STARTTLS +for POP3/IMAP4) or is totally SSL-wrapped ("Implicit TLS") on a separate port. +Fetchmail 6.4 seeks to fix that to some extent without breaking the +command-line and rcfile interfaces too much (see --ssl and --sslproto options, +below and in the manual). -Also, fetchmail 6.4.0 and newer releases changed some of the semantics -as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. +fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only. -Finally, due to other defaults changing, and several mail services not -supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS, -you may need to add ssl or --ssl to your configuration. +Fetchmail 6.4.22 supports OpenSSL 3.0.0 and 1.1.1. - -- Matthias Andree, 2021-03-29 + -- Matthias Andree, 2021-09-09 Quickstart ---------- -Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get +Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or newer, so as to get TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and -fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1. +fetchmail rejects versions before v1.0.2 and warns about versions before +v1.1.1. In all four examples below, the (--)sslcertck has become redundant -since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation -for a while, we'll leave it here to be safe. 
+since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation +for too long, (--)sslcertck will remain in the examples below for now. For use of SSL or TLS on a separate port (recommended), called Implicit TLS, the whole TCP connection is SSL-encrypted from the very beginning (SSL- or -- cgit v1.2.3
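Review bot: In COPYING (hunk @@ -5,12 +5,30), the relocated permission "Specific permission is granted for the GPLed code in this distribution to be linked to OpenSSL without invoking GPL clause 2(b)" now sits directly under the conditional "If linking against OpenSSL versions under dual OpenSSL/SSLeay license ... the following clause applies:", so it is unclear whether the permission is limited to those versions or still applies to any OpenSSL. Suggest stating the scope explicitly, for example by saying which OpenSSL versions "OpenSSL, and OpenSSL only" covers. In the Apache paragraph, "this library is incompatible with the GPLv2" should name the Apache-licensed OpenSSL rather than "this library", and "f. i." should match the "for instance" used a few lines later. The added row of tildes immediately after "Apache License 2.0 by the FSF and the ASF." reads as a heading underline for that sentence. A blank line or a different separator would close the section without that ambiguity.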
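Review bot: In COPYING (hunk @@ -56,9 +74,6), the unchanged context still reads "All other code in the distribution incorporates the copy of GPL version 2 below by reference" and is followed by the GPL version 2 text, while the new SSL section tells distributors who link against Apache-licensed OpenSSL to apply the GPLv3. Nothing in the visible lines points to a copy of the GPLv3 or says which terms then govern "all other code". Suggest adding a sentence here that refers back to the SSL library section and says where the GPLv3 text can be found.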
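Review bot: In NEWS (hunk @@ -92,6 +92,12), the new note says the Apache License v2.0 "is considered incompatible with GPL v2 by the FSF" but leaves the consequence entirely to COPYING. Packagers who read only NEWS will not learn that a build against OpenSSL 3.0 has to be distributed under the GPLv3 via the "or any later version" grant. Suggest adding that one clause to the entry. The supported versions are also worded three ways across the patch: "OpenSSL 1.1.1 and 3.0.0" here, "OpenSSL 3.0.x" in COPYING, and "v1.1.1 or v3.0.0 or newer" in README.SSL. Pick one form so it is clear whether later 3.0 patch releases are covered.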
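Review bot: In README.SSL (hunk @@ -12,30 +12,31), the paragraph ending "you may need to add ssl or --ssl to your configuration" is deleted without a replacement, and the commit message mentions only the OpenSSL 3.0.0 note and the licensing change. That hint is what tells users of services without STLS/STARTTLS how to get an encrypted connection, so either keep it or move it to the Quickstart section. In the same hunk, "fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only" drops the previous "and newer releases" and now reads as if it applied to 6.4.0 alone. Suggest "fetchmail 6.4.0 and newer". In the Quickstart text, "OpenSSL v1.1.1 or v3.0.0 or newer, so as to get TLSv1.3 support" leaves it unclear which version "or newer" attaches to.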