From e87f96bd9730e2bdb407d0a9cca2a05ee0dabce5 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 23 Apr 2010 01:40:04 +0200 Subject: --sslcert{file|path} overrides default store, add environment var... If at least one of --sslcertfile and --sslcertpath is given, fetchmail skips loading the default OpenSSL X.509 trusted CA cert locations. If the environment variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set to a non-empty value, fetchmail will additionally load the default locations. The old FETCHMAIL_NO_DEFAULT_X509_PATHS variable was dropped. --- NEWS | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 1c2bb5da..6ed8d04c 100644 --- a/NEWS +++ b/NEWS @@ -67,9 +67,10 @@ fetchmail-6.3.17 (not yet released): * Fetchmail now supports a --sslcertfile option to specify a "CA bundle" file (a file that contains trusted CA certificates). Since these bundled CA files do not require c_rehash to be run, they are easier to use and immune to - OpenSSL library updates. Also see CHANGES below. -* Fetchmail now supports a FETCHMAIL_NO_DEFAULT_X509_PATHS environment variable - to defeat loading the default SSL CA certificate locations. Also see CHANGES. + OpenSSL library updates that affect the hash function. +* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS + environment variable to force loading the default SSL CA certificate + locations. # REGRESSION FIX * Fix string handling in rcfile scanner, which caused fetchmail to misparse a 
@@ -87,11 +88,6 @@ fetchmail-6.3.17 (not yet released): are now helpful pointers to --sslcertpath and c_rehash for "unable to get local issuer certificate" and self-signed certificates -- these usually hint to missing root signing CAs in the certs directory. -* Default locations: Fetchmail will now always load the SSL default trusted CA - certificate locations, unless the environmental variable - FETCHMAIL_NO_DEFAULT_X509_PATHS is set and non-empty. Fetchmail used to load - the default locations only if --sslcertpath was not given. - This is a migration aid for systems upgrading to OpenSSL 1.0.0. # DOCUMENTATION * Fix table of global option to read "set softbounce" where there used to be a -- cgit v1.2.3
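Review bot: In the first hunk (@@ -67,9 +67,10), the new FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS entry says the variable will "force loading the default SSL CA certificate locations" but never says when those locations are otherwise skipped. The commit message states that they are skipped only if at least one of --sslcertfile and --sslcertpath is given, and that the variable takes effect when set to a non-empty value. Suggest putting both conditions into the NEWS entry, so a reader learns from NEWS alone that giving a CA file or directory excludes the default trust store unless they opt back in. The hunk also drops both "Also see CHANGES" pointers, so this entry has to carry that information itself.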
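Review bot: The second hunk (@@ -87,11 +88,6) deletes the "Default locations" item without a replacement, so the visible NEWS text no longer describes how the default CA locations interact with --sslcertpath, and it says nothing at all about --sslcertfile, which per the commit message now also suppresses the defaults. Suggest replacing the item rather than removing it: state that the default locations are loaded only when neither option is given, and name FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS as the way to load them in addition. The removed text also called always-loading the defaults "a migration aid for systems upgrading to OpenSSL 1.0.0"; if the new variable is meant to serve that purpose, a sentence saying so would keep that guidance for users whose --sslcertpath directory has not been re-hashed.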