From 8363b7b7b9f7b4fdeb0e804c4708f114e09c85d2 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 26 Aug 2021 23:53:14 +0200 Subject: Add CVE ID; revise TLS docs & fetchmail-SA-2021-02 --- README.SSL | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to 'README.SSL') diff --git a/README.SSL b/README.SSL index ba3de41a..cf07d05e 100644 --- a/README.SSL +++ b/README.SSL @@ -18,9 +18,6 @@ POP3/IMAP4) or is totally SSL-wrapped on a separate port. Also, fetchmail 6.4.0 and newer releases changed some of the semantics as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. -If your server does not support this, you may have to specify --sslproto -ssl3+. This is in order to prefer the newer TLS protocols, because SSLv2 -and v3 are broken. Finally, due to other defaults changing, and several mail services not supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS, 
@@ -40,28 +37,37 @@ In all four examples below, the (--)sslcertck has become redundant since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation for a while, we'll leave it here to be safe. -For use of SSL or TLS with in-band negotiation on the regular service's port, -i. e. with STLS or STARTTLS, use these command line options +For use of SSL or TLS on a separate port (recommended), called Implicit TLS, +the whole TCP connection is SSL-encrypted from the very beginning (SSL- or +TLS-wrapped), use these command line options (in the rcfile, +omit all leading "--"): - --sslproto auto --sslcertck + --ssl --sslproto tls1.2+ --sslcertck or these options in the rcfile (after the respective "user"... options) - sslproto auto sslcertck - + ssl sslproto tls1.2+ sslcertck -Note that some services do not offer STLS or STARTTLS, but most do -offer SSL or TLS on a separate, dedicated, "secure" port: -For use of SSL or TLS on a separate port, if the whole TCP connection is -SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these -command line options (in the rcfile, omit all leading "--"): +For use of SSL or TLS with in-band negotiation on the regular service's port, +i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or +ssl): - --ssl --sslproto auto --sslcertck + --sslproto tls1.2+ --sslcertck or these options in the rcfile (after the respective "user"... options) - ssl sslproto auto sslcertck + sslproto tls1.2+ sslcertck + + +With up to date OpenSSL libraries (1.1.1 or newer), and with recent +software on the server, you can alternatively configure tls1.3+. + +For some older services, you may need to use tls1.1+ or tls1+ for compatibility +instead of the tls1.2+ above. In such situations, you should ask the service +provider or server operator to upgrade their TLS implementation such that +TLS v1.3 be supported, and once that happens, update your fetchmail configuration +to tls1.3+ or tls1.2+. 
Background and use (long version :-))
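Review bot: in the first hunk (@@ -18,9 +18,6 @@), deleting the "--sslproto ssl3+" paragraph outright removes the only sentence that told readers what to do when a server does not offer TLSv1 or newer, so the retained text now goes from "will auto-negotiate TLSv1 or newer only" straight to "Finally, due to other defaults changing" with no pointer to the compatibility guidance. Suggest replacing the deleted lines with a one-line forward reference, e.g. "For servers that need an older protocol floor, see the --sslproto notes below", rather than a bare deletion. Dropping the ssl3+ recommendation itself is right: it contradicted the sentence immediately above it (TLSv1 or newer only) and the "SSLv2 and v3 are broken" rationale it carried.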
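Review bot: in the second hunk (@@ -40,28 +37,37 @@), the new Implicit TLS paragraph ("For use of SSL or TLS on a separate port (recommended), called Implicit TLS, the whole TCP connection is SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these command line options") fuses two clauses and no longer parses; suggest "For use of SSL or TLS on a separate port (recommended; called Implicit TLS, because the whole TCP connection is SSL- or TLS-wrapped from the very beginning), use these command line options". Two further points on the same hunk: (1) moving the examples from "sslproto auto" to "sslproto tls1.2+" raises the protocol floor, so the later paragraph that allows "tls1.1+ or tls1+" should say explicitly that those values lower the minimum version again and belong on the single server entry that needs them (the rcfile form placed after the respective "user" options), not in a global default; (2) "update your fetchmail configuration to tls1.3+ or tls1.2+" after the operator has added TLS v1.3 reads as if the two were equivalent outcomes; state the intended preference (tls1.3+ when both the client's OpenSSL 1.1.1 or newer and the server support it, tls1.2+ otherwise), which the preceding OpenSSL paragraph already implies.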