From c72743cf6139d6906337ddeac964eb79f644097e Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 17 Jan 2015 01:15:31 +0100 Subject: TLS overhaul, bumping version to 6.4 Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now. --- fetchmail-FAQ.html | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'fetchmail-FAQ.html') diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 21173f7a..401f9a41 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -667,8 +667,8 @@ because there is not currently a standard way to do this; fetchmail also uses this method, so the two will interoperate happily. They better, because this is how Craig gets his mail ;-)

-

Finally, you can use SSL for complete -end-to-end encryption if you have an SSL-enabled mailserver.

+

Finally, you can use SSL or TLS for complete +end-to-end encryption if you have a TLS-enabled mailserver.

G11. Is any special configuration needed to use a dynamic IP address?
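Review bot: Wording in the "Finally, you can use SSL or TLS" hunk is inconsistent with the later hunk at line 2130, which uses "SSL/TLS-enabled mailserver": here the added line says "a TLS-enabled mailserver" while the same sentence starts with "SSL or TLS". Suggest "if you have an SSL/TLS-enabled mailserver" so the FAQ uses one term for the same thing throughout.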

@@ -2120,7 +2120,7 @@ SSL?

You'll need to have the OpenSSL libraries installed, and they -should at least be version 0.9.7. +should at least be version 0.9.8, with 1.0.1 preferred. Configure with --with-ssl. If you have the OpenSSL libraries installed in commonly-used default locations, this will suffice. If you have them installed in a non-default location, @@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.

Fetchmail binaries built this way support ssl, sslkey, and sslcert options that control SSL encryption, and will automatically use tls if the -server offers it. You will need to have an SSL-enabled mailserver to +server offers it. You will need to have an SSL/TLS-enabled mailserver to use these options. See the manual page for details and some words of care on the limited security provided.

@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s_client -connect %h:%p" protocol imap username MYUSERNAME password MYPASSWORD -

You should note that SSL is only secure against a "man-in-the-middle" -attack if the client is able to verify that the peer's public key is the -correct one, and has not been substituted by an attacker. fetchmail can do -this in one of two ways: by verifying the SSL certificate, or by checking -the fingerprint of the peer's public key.

+

You should note that SSL or TLS are only secure against a +"man-in-the-middle" attack if the client is able to verify that the +peer's public key is the correct one, and has not been substituted by an +attacker. fetchmail can do this in one of two ways: by verifying the SSL +certificate, or by checking the fingerprint of the peer's public +key.

-

There are three parts to SSL certificate verification: checking that the +

There are three parts to TLS certificate verification: checking that the domain name in the certificate matches the hostname you asked to connect to; checking that the certificate expiry date has not passed; and checking that the certificate has been signed by a known Certificate Authority (CA). This @@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiation if SSL was enabled at compile time. This can however cause problems if the upstream didn't configure his certificates properly.

-

In order to prevent fetchmail from trying TLS (STLS, STARTTLS) -negotiation, add this option:

+

In order to prevent fetchmail 6.4.0 and newer versions from trying +STLS or STARTTLS negotiation, add this option:

+
sslproto ''
+ +

In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) +negotiation where the above does not work, try this option:

sslproto ssl23
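Review bot: The minimum-version hunk at line 2120 ("should at least be version 0.9.8, with 1.0.1 preferred") gives no reason for the preference, yet the commit message says this release enables TLSv1.1 and v1.2 and recommends "--sslproto tls1.2+". OpenSSL only added TLSv1.1 and TLSv1.2 in 1.0.1, so suggest stating that explicitly, e.g. "1.0.1 or newer is required for TLSv1.1 and TLSv1.2 (and for --sslproto tls1.2+)", otherwise a reader on 0.9.8 will not understand why the recommended setting fails to negotiate.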
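Review bot: The hunk at line 2130 only renames "SSL-enabled" to "SSL/TLS-enabled", but the unchanged context still lists "ssl, sslkey, and sslcert" as the options controlling encryption and omits sslproto, which the commit message says has changed semantics and now needs reviewing. Suggest adding sslproto to that list (and a pointer to the manual page section on it), since this is the option users are being told to check.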
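Review bot: Grammar and consistency in the man-in-the-middle hunk at line 2155: "SSL or TLS are only secure" should read "SSL or TLS is only secure" (subject joined by "or" takes a singular verb), and the same paragraph still says "by verifying the SSL certificate" while the next paragraph was changed to "TLS certificate verification". Suggest "SSL/TLS certificate" in both places, or "TLS certificate" in both, rather than one of each.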
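Review bot: The new "sslproto ''" advice at line 2228 tells 6.4.0 users how to switch off STLS/STARTTLS but does not say what that costs: with negotiation disabled the session runs in the clear, and the commit message says the recommended settings are "--sslproto auto" or "--sslproto tls1.2+". Suggest one sentence stating that an empty sslproto disables opportunistic TLS entirely and should only be used while the server's certificate problem is being fixed, plus a reference to the NEWS file and manual page the commit message points to. Two smaller points in the same hunk: "where the above does not work" is vague (say that older versions do not accept an empty sslproto value), and the unchanged context "if the upstream didn't configure his certificates properly" would read better as "their certificates".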