From e6340bf8226c37fc35d41e69348714cba1d7baf5 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 16 Jan 2015 21:20:31 +0100
Subject: Also recognize OPENSSL_NO_SSLx.

These are the macros OpenSSL defines when configured with no-ssl2 or no-ssl3, the actual macro names are OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3.
---
 NEWS | 7 +++++--
 fetchmail.c | 10 +++++++---
 socket.c | 4 ++--
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index 8e27910c..2c9acd7c 100644
--- a/NEWS
+++ b/NEWS
@@ -73,10 +73,13 @@ fetchmail-6.3.27 (not yet released, if ever):
 * Point to --idle from GENERAL OPERATION to clarify --idle and multiple mailboxes do not mix. In response to Jeremy Chadwick's trouble 2014-11-19, fetchmail-users mailing list.
-* Fix SSL-enabled build on systems that do not declare SSLv3_client_method().
- Related to Debian Bug#775255.
+* Fix SSL-enabled build on systems that do not declare SSLv3_client_method(),
+ or that #define OPENSSL_NO_SSL3 inside #include , the canonical
+ way that OpenSSL communicates this. Related to Debian Bug#775255.
 * Version report lists -SSLv3 on +SSL builds that omit SSLv3_client_method().
 * Version report lists -SSLv2 on +SSL builds that omit SSLv2_client_method().
+* Also recognize SSLv2 as unsupported if #include
+ defines the OPENSSL_NO_SSL2 macro.
 # KNOWN BUGS AND WORKAROUNDS
 (This section floats upwards through the NEWS file so it stays with the
diff --git a/fetchmail.c b/fetchmail.c
index be0e9abd..d6452e08 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -54,6 +54,10 @@
 #define ENETUNREACH 128 /* Interactive doesn't know this */
 #endif /* ENETUNREACH */

+#ifdef SSL_ENABLE
+#include /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */
+#endif
+
 /* prototypes for internal functions */
 static int load_params(int, char **, int);
 static void dump_params (struct runctl *runp, struct query *, flag implicit);
@@ -262,13 +266,13 @@ int main(int argc, char **argv)
 #endif /* ODMR_ENABLE */
 #ifdef SSL_ENABLE
 "+SSL"
-#endif
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 == 0
+#if (HAVE_DECL_SSLV2_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL2)
 "-SSLv2"
 #endif
-#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0
+#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3)
 "-SSLv3"
 #endif
+#endif
 #ifdef OPIE_ENABLE
 "+OPIE"
 #endif /* OPIE_ENABLE */
diff --git a/socket.c b/socket.c
index 91a21c23..732ae054 100644
--- a/socket.c
+++ b/socket.c
@@ -907,14 +907,14 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 _ssl_context[sock] = NULL;
 if(myproto) {
 if(!strcasecmp("ssl2",myproto)) {
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+#if (HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0) && (0 == OPENSSL_NO_SSL2 + 0)
 _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
 #else
 report(stderr, GT_("Your OpenSSL version does not support SSLv2.\n"));
 return -1;
 #endif
 } else if(!strcasecmp("ssl3",myproto)) {
-#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0
+#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0) && (0 == OPENSSL_NO_SSL3 + 0)
 _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 #else
 report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
-- 
cgit v1.2.3
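Review bot: The `#endif` added after the `"-SSLv3"` block in main() now closes `#ifdef SSL_ENABLE` across two nested conditionals, but unlike the neighbouring `#endif /* ODMR_ENABLE */` and `#endif /* OPIE_ENABLE */` it carries no label. Writing it as `#endif /* SSL_ENABLE */` would keep the nesting readable in the version report, which is where a reader checks whether a build still offers the legacy protocols. main()'s body starts and ends outside the hunk.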
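Review bot: The two new guards in SSLOpen test `(0 == OPENSSL_NO_SSL2 + 0)` and `(0 == OPENSSL_NO_SSL3 + 0)`, which exclude the legacy protocol only when the macro expands to a non-zero value. If the macro is defined with an empty replacement list (OpenSSL's generated configuration header usually defines feature macros that way, but confirm against the headers in use), `OPENSSL_NO_SSL3 + 0` becomes `+ 0`, the comparison is true, and the `SSLv3_client_method()` branch is still compiled. The fetchmail.c hunk of this same commit uses `defined(OPENSSL_NO_SSL3)`, so the version report can say `-SSLv3` while the socket code still tries to offer it. Suggest `#if (HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0) && !defined(OPENSSL_NO_SSL2)` and the same form with `SSL3` for the second guard. SSLOpen's body starts and ends outside the hunk.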