From f827307079714ea97e483942b25e3f6ab37cde8d Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Wed, 4 Jan 2023 11:46:02 +0100
Subject: Bump TLS provider library requirements again.
---
 INSTALL | 6 ++++--
 NEWS | 3 ++-
 README.SSL | 8 ++++----
 socket.c | 9 ++++++---
 4 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/INSTALL b/INSTALL
index 74a15823..5554cc83 100644
--- a/INSTALL
+++ b/INSTALL
@@ -29,10 +29,12 @@ This affects, f.i., LibreSSL, unless it is part of the operating system (f. i., on OpenBSD). However, LibreSSL diverges from OpenSSL and is not supported by the fetchmail maintainer.
-Since 6.4.27, there is experimental support for wolfSSL 5.1.1 or newer,
+Since 6.4.27, there has been experimental support for wolfSSL 5.1.1 or newer,
 which is under GNU GPL v2 or later license and hence may be easier for a consistent GPLv2+ licensing of fetchmail. This support requires a C99
-or newer compiler.
+or newer compiler, and requires up-to-date wolfSSL versions as wolfSSL keeps
+fixing vulnerabilities in newer version, so new fetchmail releases will
+consistently raise the bar on wolfSSL version.
 Choose between OpenSSL or wolfSSL.
diff --git a/NEWS b/NEWS
index abb4d2bb..cc75fef4 100644
--- a/NEWS
+++ b/NEWS
@@ -104,7 +104,8 @@ fetchmail-6.4.35 (not yet released):
 # BREAKING CHANGES:
 * Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7,
- and rejects wolfSSL older than 5.4.0.
+ and rejects wolfSSL older than 5.5.0.
+
 --------------------------------------------------------------------------------
 fetchmail-6.4.34 (released 2022-10-15, 31701 LoC):
diff --git a/README.SSL b/README.SSL
index bcc2070a..7f9055c1 100644
--- a/README.SSL
+++ b/README.SSL
@@ -21,7 +21,7 @@ below and in the manual).
 fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.4.0 or newer.
+Fetchmail 6.4.35 supports OpenSSL 3.0.7 and 1.1.1s and WolfSSL 5.5.3 or newer.
 Note that WolfSSL 5 is a bit less flexible about its trust store, see INSTALL chapter 2.1 for details.
@@ -29,16 +29,16 @@ Note that many messages printed by fetchmail will print "OpenSSL" even if wolfSSL is being used. Reason is that fetchmail uses wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API.
- -- Matthias Andree, 2022-11-01
+ -- Matthias Andree, 2023-01-04
 Quickstart
 ----------
-Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.4 or
+Use an up-to-date release of OpenSSL v1.1.1 or v3.0 or wolfSSL 5.5 or
 newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions are unsupported upstream, and fetchmail rejects versions before v1.0.2f and
-warns about versions before v1.1.1.
+warns about versions before v1.1.1q or 3.0.7.
 wolfSSL needs to be configured with --enable-opensslall --enable-harden, else some required OpenSSL APIs are missing, especially for SNI (server name
diff --git a/socket.c b/socket.c
index 67fdea57..e2058eee 100644
--- a/socket.c
+++ b/socket.c
@@ -2,7 +2,7 @@
 * socket.c -- socket library functions
 *
 * Copyright 1998 - 2004 by Eric S. Raymond.
- * Copyright 2004 - 2020 by Matthias Andree.
+ * Copyright 2004 - 2023 by Matthias Andree.
 * Contributions by Alexander Bluhm, Earl Chew, John Beck.
 * For license terms, see the file COPYING in this directory.
@@ -414,8 +414,11 @@ va_dcl {
 #endif
 #ifdef USING_WOLFSSL
-# if LIBWOLFSSL_VERSION_HEX < 0x05004000L
-# error "FAILED - wolfSSL MUST be at least version 5.4.0."
+# if LIBWOLFSSL_VERSION_HEX < 0x05005001L
+# error "FAILED - wolfSSL MUST be at least version 5.5.1. You have " LIBWOLFSSL_VERSION_STRING "."
+# endif
+# if LIBWOLFSSL_VERSION_HEX < 0x05005003L
+# pragma message "WARNING - wolfSSL SHOULD be at least version 5.5.3. You have " LIBWOLFSSL_VERSION_STRING "."
 # endif
 #else /* !USING_WOLFSSL */
 #define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
-- cgit v1.2.3
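Review bot: The new `# error` line will not print the installed version, because `#error` does not macro-expand its operand (C11 6.10.5): the diagnostic shows the token `LIBWOLFSSL_VERSION_STRING` literally, so the added "You have …" suffix conveys nothing, whereas the `# pragma message` two lines further down is macro-expanded by GCC and Clang and should work as intended. Emit the version on its own line ahead of the hard error instead, e.g. `# pragma message "wolfSSL version found: " LIBWOLFSSL_VERSION_STRING` followed by `# error "FAILED - wolfSSL MUST be at least version 5.5.1."`. The thresholds also disagree within this commit: the code rejects wolfSSL below 5.5.1 and only warns below 5.5.3, while the NEWS hunk says fetchmail "rejects wolfSSL older than 5.5.0" and README.SSL says "WolfSSL 5.5.3 or newer" — the number actually enforced here is the one the documentation should state. The `#ifdef USING_WOLFSSL` / `#else` block this sits in is closed outside the hunk.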