and always load the default X.509 trust stores, unless the latter is set.
due to insufficient buffer size allocation. It would then repeatedly reallocate
a larger buffer and fail formatting again. See fetchmail-SA-2010-02.txt.
+# FEATURES
+* Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
+ file (a file that contains trusted CA certificates). Since these bundled CA
+ files do not require c_rehash to be run, they are easier to use and immune to
+ OpenSSL library updates. Also see CHANGES below.
+* Fetchmail now supports a FETCHMAIL_NO_DEFAULT_X509_PATHS environment variable
+ to defeat loading the default SSL CA certificate locations. Also see CHANGES.
+
# REGRESSION FIX
* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
run control file in certain circumstances. Fixes BerliOS bug #14257.
are now helpful pointers to --sslcertpath and c_rehash for "unable to get
local issuer certificate" and self-signed certificates -- these usually hint
to missing root signing CAs in the certs directory.
+* Default locations: Fetchmail will now always load the SSL default trusted CA
+ certificate locations, unless the environmental variable
+ FETCHMAIL_NO_DEFAULT_X509_PATHS is set and non-empty. Fetchmail used to load
+ the default locations only if --sslcertpath was not given.
+ This is a migration aid for systems upgrading to OpenSSL 1.0.0.
# DOCUMENTATION
* Fix table of global option to read "set softbounce" where there used to be a
/* perform initial SSL handshake on open connection */
if (ctl->use_ssl &&
SSLOpen(mailserver_socket, ctl->sslcert, ctl->sslkey,
- ctl->sslproto, ctl->sslcertck, ctl->sslcertpath,
+ ctl->sslproto, ctl->sslcertck,
+ ctl->sslcertfile, ctl->sslcertpath,
ctl->sslfingerprint, ctl->sslcommonname ?
ctl->sslcommonname : realhost, ctl->server.pollname,
&ctl->remotename) == -1)
FLAG_MERGE(sslcert);
FLAG_MERGE(sslproto);
FLAG_MERGE(sslcertck);
+ FLAG_MERGE(sslcertfile);
FLAG_MERGE(sslcertpath);
FLAG_MERGE(sslcommonname);
FLAG_MERGE(sslfingerprint);
printf(GT_(" SSL protocol: %s.\n"), ctl->sslproto);
if (ctl->sslcertck) {
printf(GT_(" SSL server certificate checking enabled.\n"));
- if (ctl->sslcertpath != NULL)
- printf(GT_(" SSL trusted certificate directory: %s\n"), ctl->sslcertpath);
}
+ if (ctl->sslcertfile != NULL)
+ printf(GT_(" SSL trusted certificate file: %s\n"), ctl->sslcertfile);
+ if (ctl->sslcertpath != NULL)
+ printf(GT_(" SSL trusted certificate directory: %s\n"), ctl->sslcertpath);
if (ctl->sslcommonname != NULL)
printf(GT_(" SSL server CommonName: %s\n"), ctl->sslcommonname);
if (ctl->sslfingerprint != NULL)
char *sslcert; /* optional SSL certificate file */
char *sslproto; /** force transport protocol (ssl2|ssl3|ssl23|tls1) - if NULL,
use ssl23 for SSL and opportunistic tls1 for non-SSL connections. */
+ char *sslcertfile; /* Trusted certificate file for checking the server cert */
char *sslcertpath; /* Trusted certificate directory for checking the server cert */
flag sslcertck; /* Strictly check the server cert. */
char *sslcommonname; /* CommonName to expect from server */
.\" Load www macros to process .URL requests, this requires groff:
.mso www.tmac
.\"
-.TH fetchmail 1 "fetchmail 6.3.16" "fetchmail" "fetchmail reference manual"
+.TH fetchmail 1 "fetchmail 6.3.17-pre1" "fetchmail" "fetchmail reference manual"
.SH NAME
fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server
(Keyword: sslcertck)
.br
Causes fetchmail to strictly check the server certificate against a set of
-local trusted certificates (see the \fBsslcertpath\fP option). If the server
-certificate cannot be obtained or is not signed by one of the trusted ones
-(directly or indirectly), the SSL connection will fail, regardless of
-the \fBsslfingerprint\fP option.
+local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
+options). If the server certificate cannot be obtained or is not signed by one
+of the trusted ones (directly or indirectly), the SSL connection will fail,
+regardless of the \fBsslfingerprint\fP option.
.IP
Note that CRL (certificate revocation lists) are only supported in
OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
Note that this optional behavior may become default behavior in future
fetchmail versions.
.TP
+.B \-\-sslcertfile <file>
+(Keyword: sslcertfile, since v6.3.17)
+.br
+Sets the file fetchmail uses to look up local certificates. The default is
+empty. This can be given in addition to \fB\-\-sslcertpath\fP below, and
+certificates specified in \fB\-\-sslcertfile\fP will be processed before those
+in \fB\-\-sslcertpath\fP. The option can be used in addition to \fB\-\-sslcertpath\fP.
+.IP
+Note that fetchmail will always first load the default SSL trusted CA certificates file
+unless that is defeated by setting the environment variable
+.BR FETCHMAIL_NO_DEFAULT_X509_PATHS .
+.TP
.B \-\-sslcertpath <directory>
(Keyword: sslcertpath)
.br
need to use the \fBc_rehash\fP tool (which comes with OpenSSL in the tools/
subdirectory). Also, after OpenSSL upgrades, you may need to run
\fBc_rehash\fP; particularly when upgrading from 0.9.X to 1.0.0.
+.IP
+This can be given in addition to \fB\-\-sslcertfile\fP above, which see for
+precedence rules.
+.IP
+Note that fetchmail will also add the default SSL trusted CA certificates directory
+first unless defeated by setting the environment variable
+.BR FETCHMAIL_NO_DEFAULT_X509_PATHS .
.TP
.B \-\-sslcommonname <common name>
(Keyword: sslcommonname; since v6.3.9)
Connect to server over the specified base protocol using SSL encryption
T}
sslcert \& \& T{
-Specify file for client side public SSL certificate
+Specify file for \fBclient side\fP public SSL certificate
+T}
+sslcertfile \& \& T{
+Specify file with trusted CA certificates
+T}
+sslcertpath \& \& T{
+Specify c_rehash-ed directory with trusted CA certificates.
T}
sslkey \& \& T{
-Specify file for client side private SSL key
+Specify file for \fBclient side\fP private SSL key
T}
sslproto \& \& T{
Force ssl protocol for connection
.SH ENVIRONMENT
.B FETCHMAILUSER:
-If the FETCHMAILUSER variable is set, it is used as the name of the
+If this environment variable is set, it is used as the name of the
calling user (default local name) for purposes such as mailing error
notifications. Otherwise, if either the LOGNAME or USER variable is
correctly set (e.g. the corresponding UID matches the session user ID)
multiple names per userid gracefully).
.B FETCHMAILHOME:
-If the environment variable FETCHMAILHOME is set to a valid and
+If this environment variable is set to a valid and
existing directory name, fetchmail will read $FETCHMAILHOME/fetchmailrc
(the dot is missing in this case), $FETCHMAILHOME/.fetchids and
$FETCHMAILHOME/.fetchmail.pid rather than from the user's home
directory. The .netrc file is always looked for in the the invoking
user's home directory regardless of FETCHMAILHOME's setting.
+.B FETCHMAIL_NO_DEFAULT_X509_PATHS
+(since v6.3.17):
+If this environment variable is set and not empty, fetchmail will NOT load the
+default X.509 trusted certificate locations for SSL/TLS CA certificates.
+Default (if variable unset or empty): load certificate locations. This is
+rarely necessary outside testing. It might be useful in conjunction with
+\fB\-\-sslcertfile\fP and \fB\-\-sslcertpath\fP in case there are broken
+certificates in the system directories and the user has no administrator
+privileges to remedy the problem.
+
.B HOME_ETC:
If the HOME_ETC variable is set, fetchmail will read
$HOME_ETC/.fetchmailrc instead of ~/.fetchmailrc.
* (see below). */
if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
&& SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
- ctl->sslcertpath, ctl->sslfingerprint, commonname,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename) != -1)
{
/*
LA_SSLCERT,
LA_SSLPROTO,
LA_SSLCERTCK,
+ LA_SSLCERTFILE,
LA_SSLCERTPATH,
LA_SSLCOMMONNAME,
LA_SSLFINGERPRINT,
{"sslcert", required_argument, (int *) 0, LA_SSLCERT },
{"sslproto", required_argument, (int *) 0, LA_SSLPROTO },
{"sslcertck", no_argument, (int *) 0, LA_SSLCERTCK },
+ {"sslcertfile", required_argument, (int *) 0, LA_SSLCERTFILE },
{"sslcertpath", required_argument, (int *) 0, LA_SSLCERTPATH },
{"sslcommonname", required_argument, (int *) 0, LA_SSLCOMMONNAME },
{"sslfingerprint", required_argument, (int *) 0, LA_SSLFINGERPRINT },
ctl->sslcertck = FLAG_TRUE;
break;
+ case LA_SSLCERTFILE:
+ ctl->sslcertfile = prependdir(optarg, currentwd);
+ break;
+
case LA_SSLCERTPATH:
ctl->sslcertpath = prependdir(optarg, currentwd);
break;
P(GT_(" --sslkey ssl private key file\n"));
P(GT_(" --sslcert ssl client certificate\n"));
P(GT_(" --sslcertck do strict server certificate check (recommended)\n"));
- P(GT_(" --sslcertpath path to ssl certificates\n"));
+ P(GT_(" --sslcertfile path to trusted-CA ssl certificate file\n"));
+ P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n"));
P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n"));
P(GT_(" --sslfingerprint fingerprint that must match that of the server's cert.\n"));
P(GT_(" --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"));
* (see below). */
if (gen_transact(sock, "STLS") == PS_SUCCESS
&& SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
- ctl->sslcertpath, ctl->sslfingerprint, commonname,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename) != -1)
{
/*
sslcert { return SSLCERT; }
sslproto { return SSLPROTO; }
sslcertck { return SSLCERTCK; }
+sslcertfile { return SSLCERTFILE; }
sslcertpath { return SSLCERTPATH; }
sslcommonname { return SSLCOMMONNAME; }
sslfingerprint { return SSLFINGERPRINT; }
%token NO KEEP FLUSH LIMITFLUSH FETCHALL REWRITE FORCECR STRIPCR PASS8BITS
%token DROPSTATUS DROPDELIVERED
%token DNS SERVICE PORT UIDL INTERVAL MIMEDECODE IDLE CHECKALIAS
-%token SSL SSLKEY SSLCERT SSLPROTO SSLCERTCK SSLCERTPATH SSLCOMMONNAME SSLFINGERPRINT
+%token SSL SSLKEY SSLCERT SSLPROTO SSLCERTCK SSLCERTFILE SSLCERTPATH SSLCOMMONNAME SSLFINGERPRINT
%token PRINCIPAL ESMTPNAME ESMTPPASSWORD
%token TRACEPOLLS
| SSLCERT STRING {current.sslcert = prependdir ($2, rcfiledir); free($2);}
| SSLPROTO STRING {current.sslproto = $2;}
| SSLCERTCK {current.sslcertck = FLAG_TRUE;}
+ | SSLCERTFILE STRING {current.sslcertfile = prependdir($2, rcfiledir); free($2);}
| SSLCERTPATH STRING {current.sslcertpath = prependdir($2, rcfiledir); free($2);}
| SSLCOMMONNAME STRING {current.sslcommonname = $2;}
| SSLFINGERPRINT STRING {current.sslfingerprint = $2;}
* uses SSL *ssl global variable, which is currently defined
* in this file
*/
-int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *certpath,
+int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck,
+ char *cacertfile, char *certpath,
char *fingerprint, char *servercname, char *label, char **remotename)
{
struct stat randstat;
* we provide the callback for output and possible fingerprint checks. */
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback);
}
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx[sock], NULL, certpath);
- else
- SSL_CTX_set_default_verify_paths(_ctx[sock]);
+
+ {
+ char *t = getenv("FETCHMAIL_NO_DEFAULT_X509_PATHS");
+
+ if (t == NULL || t[0] == '\0')
+ SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
+
+ if (certpath || cacertfile)
+ SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath);
_ssl_context[sock] = SSL_new(_ctx[sock]);
int UnixOpen(const char *path);
#ifdef SSL_ENABLE
-int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *certpath,
+int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *cacertfile, char *cacertpath,
char *fingerprint, char *servercname, char *label, char **remotename);
#endif /* SSL_ENABLE */
projects / ~andy / fetchmail / commitdiff