From fb1adf19fff231ee8f55c15cf7866ca5319043db Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Wed, 29 Nov 2006 22:05:16 +0000 Subject: Detail on missing CAPA probes. svn path=/branches/BRANCH_6-3/; revision=4978 --- NEWS | 4 +++- fetchmail-SA-2006-02.txt | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 8cedb0ac..fc36a49f 100644 --- a/NEWS +++ b/NEWS @@ -51,7 +51,9 @@ fetchmail 6.3.6 (not yet released): - Fetchmail breaks the connection if the TLS negotiation (or verification, if requested) fails with sslproto 'tls1' (also applies if this is implicit). - - POP3 connections ignored STLS altogether in many circumstances. + - POP3 connections ignored STLS altogether in many circumstances, because + fetchmail did not probe server capabilities in all situations where it + should have done that. - POP3 connections could retry USER/PASS authentication even if strong challenge-response schemes such as CRAM-MD5 had explicitly been requested, diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt index 3d7f2387..1704512f 100644 --- a/fetchmail-SA-2006-02.txt +++ b/fetchmail-SA-2006-02.txt @@ -58,8 +58,9 @@ V2. Even with "sslproto tls1" in the config, fetches would go ahead V3. POP3 fetches could completely ignore all TLS options whether available or not because it didn't reliably issue CAPA before - checking for STLS support, and it would only try STLS if it had seen - the server's advertisement. + checking for STLS support - but CAPA is a requisite for STLS. + Whether or not CAPAbilities were probed, depended on the "auth" + option. V4. POP3 could fall back to using plain text passwords, even if strong authentication had been configured. -- cgit v1.2.3