Omit warning of insecure connection if --sslfingerprint matches.

Fixes Debian Bug#580796 reported by Roland Stigge.

diff --git a/NEWS b/NEWS
index 26040697d4ae7e6b3e7f07971f119b78b9e0fd48..b0269ff6dd5fd51248a02deb12cbdfbd6306e4a1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -52,6 +52,28 @@ removed from a 6.4.0 or newer release.)
 
 --------------------------------------------------------------------------------
 
+fetchmail-6.3.18 (not yet released):
+
+# BUG FIXES
+* Fetchmail would warn about insecure SSL/TLS connections even if a matching
+  --sslfingerprint was specified. This is an omission from a SSL usability
+  change made in 6.3.17.  Fixes Debian Bug#580796 reported by Roland Stigge.
+
+# KNOWN BUGS AND WORKAROUNDS:
+  (this section floats upwards through the NEWS file so it stays with the
+  current release information - however, it was stuck with 6.3.8 for a while)
+* fetchmail does not handle messages without Message-ID header well
+  (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+  64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
+  fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
+  so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail does not track pending deletes over crashes
+* the command line interface is sometimes a bit stubborn, for instance,
+  fetchmail -s doesn't work with a daemon running
+
+
 fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
 
 # SECURITY FIX
@@ -92,6 +114,8 @@ fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
 * Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
 * Memory allocation failures will now cause abnormal program abort (SIGABRT),
   no longer an exit with unspecified code.
+* Print a warning if certificate verification failed and the user did not
+  specify --sslcertck.
 
 # DOCUMENTATION
 * Fix table of global option to read "set softbounce" where there used to be a
@@ -112,20 +136,6 @@ fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
   [sk]    Slovak (Marcel Telka)
   [vi]    Vietnamese (Clytie Siddall)
 
-# KNOWN BUGS AND WORKAROUNDS:
-  (this section floats upwards through the NEWS file so it stays with the
-  current release information - however, it was stuck with 6.3.8 for a while)
-* fetchmail does not handle messages without Message-ID header well
-  (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
-  64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
-  fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
-  so compiling 32-bit SPARC code should not cause any difficulties.
-* fetchmail does not track pending deletes over crashes
-* the command line interface is sometimes a bit stubborn, for instance,
-  fetchmail -s doesn't work with a daemon running
-
 
 fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):
 

diff --git a/socket.c b/socket.c
index a3adfd804ee0178e0d328fa59123caae13259bed..2ebdfc6a804d2e02d9858733db5fe7f8a7c46df8 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -1009,8 +1009,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
                }
        }
 
-       if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
-|| !_verify_ok)) {
+       if (!certck && !fingerprint &&
+               (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
                report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
        }