From 8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sat, 20 Nov 2021 14:40:55 +0100
Subject: OpenSSL: bump minimum required version to 1.0.2f

...in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE.
---
 NEWS | 6 +++++-
 README.SSL | 2 +-
 README.packaging | 2 +-
 socket.c | 6 +++---
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index 85942474..f75000ce 100644
--- a/NEWS
+++ b/NEWS
@@ -92,10 +92,14 @@ removed from a 6.5.0 or newer release.)
 --------------------------------------------------------------------------------
 fetchmail-6.4.25 (not yet released):
-# CHANGES
+# BREAKING CHANGES
 * Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING.
+* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
+ the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix
+ release, and 1.0.2u is publicly available from
+ https://www.openssl.org/source/old/1.0.2/
 --------------------------------------------------------------------------------
 fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
diff --git a/README.SSL b/README.SSL
index 425f574e..519e986f 100644
--- a/README.SSL
+++ b/README.SSL
@@ -31,7 +31,7 @@ Quickstart
 Use an up-to-date release of OpenSSL v1.1.1 or v3.0.0 or newer, so as to get TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
-fetchmail rejects versions before v1.0.2 and warns about versions before
+fetchmail rejects versions before v1.0.2f and warns about versions before
 v1.1.1. In all four examples below, the (--)sslcertck has become redundant
diff --git a/README.packaging b/README.packaging
index 819d0613..c2c798a6 100644
--- a/README.packaging
+++ b/README.packaging
@@ -8,7 +8,7 @@ Greetings, dear packager!
 The bullet points below mention a few useful hints for package(r)s:
-- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2 for now
+- Fetchmail requires OpenSSL v1.1.1. Fetchmail 6.4 tolerates 1.0.2f for now
 but assumes the distributor backports security fixes for it.
 - Fetchmail now uses automake and supports all common automake targets and
diff --git a/socket.c b/socket.c
index 8ee88ec2..1d022689 100644
--- a/socket.c
+++ b/socket.c
@@ -406,7 +406,7 @@ va_dcl {
 #include
 #include
-#define fm_MIN_OPENSSL_VER 0x1000200fL
+#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
 #ifdef LIBRESSL_VERSION_NUMBER
 #error "FAILED - LibreSSL cannot be used legally, for lack of GPL clause 2b exception, see COPYING."
@@ -417,7 +417,7 @@ va_dcl {
 #endif
 #if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER
-#error Your OpenSSL version must be at least 1.0.2 release. Older OpenSSL versions are unsupported.
+#error Your OpenSSL version must be at least 1.0.2f release. Older OpenSSL versions are unsupported.
 #else
 /*
 #define __fm_ossl_ver(x) #x
@@ -1079,7 +1079,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 struct stat randstat;
 int i;
 int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-long sslopts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
+long sslopts = SSL_OP_ALL;
 int ssle_connect = 0;
 long ver;
--
cgit v1.2.3
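Review bot: Dropping SSL_OP_SINGLE_DH_USE from the `sslopts` initializer in SSLOpen leaves no hint in the code of why that is safe; the justification lives only in the commit message and NEWS, and it holds only because the `fm_MIN_OPENSSL_VER` check in the first socket.c hunk now rejects anything older than 1.0.2f, the release in which (per the commit message) the flag became obsolete. A one-line comment on the new line would tie the two together, e.g. `long sslopts = SSL_OP_ALL; /* SSL_OP_SINGLE_DH_USE is implied since 1.0.2f, guaranteed by fm_MIN_OPENSSL_VER */`. In the same spirit, the new `#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */` could spell out the 0xMNNFFPPS encoding of OPENSSL_VERSION_NUMBER (PP = 0x06 is patch letter 'f', S = 0xf is a release build) so the next bump is not miscounted, and the version literal repeated in the `#error` text of the second hunk should be cross-checked against the macro whenever it changes. SSLOpen's body begins before this hunk and continues after it.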