X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=socket.c;h=3e4a3acd68390b721a72597e020704f709519ab7;hb=1506acc082f2f6f39c0028484cbb9378def68967;hp=3bf23fa66f2fed89c4f04e10f62ada0d198a0709;hpb=68accfa42c00af928e2081b8ca9b47728eb228ae;p=~andy%2Ffetchmail diff --git a/socket.c b/socket.c index 3bf23fa6..3e4a3acd 100644 --- a/socket.c +++ b/socket.c @@ -200,31 +200,6 @@ static int handle_plugin(const char *host, } #endif /* HAVE_SOCKETPAIR */ -static int setsocktimeout(int sock, int which, int timeout) { - struct timeval tv; - int rc; - - tv.tv_sec = timeout; - tv.tv_usec = 0; - rc = setsockopt(sock, SOL_SOCKET, which, &tv, sizeof(tv)); - if (rc) { - report(stderr, GT_("setsockopt(%d, SOL_SOCKET) failed: %s"), sock, strerror(errno)); - } - return rc; -} - -/** Configure socket options such as send/receive timeout at the socket - * level, to avoid network-induced stalls. - */ -int SockTimeout(int sock, int timeout) -{ - int err = 0; - - if (setsocktimeout(sock, SO_RCVTIMEO, timeout)) err = 1; - if (setsocktimeout(sock, SO_SNDTIMEO, timeout)) err = 1; - return err; -} - /** Set socket to SO_KEEPALIVE. \return 0 for success. */ int SockKeepalive(int sock) { int keepalive = 1; @@ -325,7 +300,6 @@ int SockOpen(const char *host, const char *service, continue; } - SockTimeout(i, mytimeout); SockKeepalive(i); /* Save socket descriptor. @@ -628,7 +602,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) if (outlevel >= O_VERBOSE) { if (depth == 0 && SSLverbose) - report(stderr, GT_("Server certificate:\n")); + report(stdout, GT_("Server certificate:\n")); else { if (_firstrun) { _firstrun = 0; @@ -715,7 +689,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) } } } - sk_GENERAL_NAME_free(gens); + GENERAL_NAMES_free(gens); } if (name_match(p1, p2)) { matched = 1; @@ -870,6 +844,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck { struct stat randstat; int i; + long sslopts = SSL_OP_ALL; SSL_load_error_strings(); SSL_library_init(); @@ -899,14 +874,21 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck /* Make sure a connection referring to an older context is not left */ _ssl_context[sock] = NULL; if(myproto) { - if(!strcasecmp("ssl3",myproto)) { + if(!strcasecmp("ssl2",myproto)) { +#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 + _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); +#else + report(stderr, GT_("Your operating system does not support SSLv2.\n")); + return -1; +#endif + } else if(!strcasecmp("ssl3",myproto)) { _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); } else if (!strcasecmp("ssl23",myproto)) { myproto = NULL; } else { - fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto); + fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); myproto = NULL; } } @@ -918,7 +900,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck return(-1); } - SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2); + { + char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE"); + if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp)) + sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + + SSL_CTX_set_options(_ctx[sock], sslopts); if (certck) { SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);