From 6adcb0cc60e672ea36e3044451c9683b2eb49d64 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sun, 15 Nov 2015 12:07:02 +0100
Subject: Enable --sslcertck by default.

There are no sslcertck (rcfile) and --nosslcertck (command line) options that can be combined with [--]sslfingerprint if so desired. The documentation is deliberately not updated everywhere, so that recommendations to use --sslcertck stand, this is for the benefit of users that read fetchmail v6.4.0 manuals to configure a fetchmail v6.3.X implementation.
---
 options.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'options.c')
diff --git a/options.c b/options.c
index d53044fc..15928b34 100644
--- a/options.c
+++ b/options.c
@@ -45,6 +45,7 @@ enum {
 LA_SSLCERT,
 LA_SSLPROTO,
 LA_SSLCERTCK,
+ LA_NOSSLCERTCK,
 LA_SSLCERTFILE,
 LA_SSLCERTPATH,
 LA_SSLCOMMONNAME,
@@ -132,6 +133,7 @@ static const struct option longoptions[] = {
 {"sslcert", required_argument, (int *) 0, LA_SSLCERT },
 {"sslproto", required_argument, (int *) 0, LA_SSLPROTO },
 {"sslcertck", no_argument, (int *) 0, LA_SSLCERTCK },
+ {"nosslcertck", no_argument, (int *) 0, LA_NOSSLCERTCK },
 {"sslcertfile", required_argument, (int *) 0, LA_SSLCERTFILE },
 {"sslcertpath", required_argument, (int *) 0, LA_SSLCERTPATH },
 {"sslcommonname", required_argument, (int *) 0, LA_SSLCOMMONNAME },
@@ -562,6 +564,10 @@ int parsecmdline (int argc /** argument count */,
 ctl->sslcertck = FLAG_TRUE;
 break;
 
+ case LA_NOSSLCERTCK:
+ ctl->sslcertck = FLAG_FALSE;
+ break;
+
 case LA_SSLCERTFILE:
 ctl->sslcertfile = prependdir(optarg, currentwd);
 break;
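Review bot: The new `case LA_NOSSLCERTCK:` switches the strict server certificate check off with no trace at run time, so a `--nosslcertck` left behind in a cron entry or wrapper script keeps the session unauthenticated unless `--sslfingerprint` pins the server certificate. I would add a comment on the case, `/* turns the strict certificate check off; only safe when paired with --sslfingerprint */`, and consider reporting the downgrade once when no fingerprint is configured; whether that belongs here or where the command line and rcfile settings are merged is not visible in this hunk. Because the case simply overwrites `ctl->sslcertck`, the last of `--sslcertck` and `--nosslcertck` on the command line wins, which is worth stating in the manual. parsecmdline's body starts and ends outside the hunk.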
@@ -647,6 +653,7 @@ int parsecmdline (int argc /** argument count */,
 P(GT_(" --sslkey ssl private key file\n"));
 P(GT_(" --sslcert ssl client certificate\n"));
 P(GT_(" --sslcertck do strict server certificate check (recommended)\n"));
+ P(GT_(" --nosslcertck skip strict server certificate check (insecure)\n"));
 P(GT_(" --sslcertfile path to trusted-CA ssl certificate file\n"));
 P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n"));
 P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n"));
-- cgit v1.2.3
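Review bot: The usage text does not say which setting applies when neither flag is given, since `--sslcertck` is still labelled only "(recommended)" next to the new `--nosslcertck` line. If the default named in the commit title is set elsewhere (it is not part of this options.c diff), the first line could read `--sslcertck do strict server certificate check (default)`, so an operator can see from `--help` that checking stays on unless explicitly disabled. The new line could also name the one combination the commit message describes, e.g. `(insecure unless --sslfingerprint is used)`. parsecmdline's body continues outside the hunk.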