* Be case-insensitive when looking for IMAP responses.
* Fix logout-after-idle-delivery bug (Sunil Shetye).
* Sunil Shetye's patch to bulletproof end-of-header detection.
+* Sunil's fix for the STARTTLS problem -- repoll if TLS nabdshake
+ fails. The attenmpt to set up STARTTLS can be suppressed with 'sslproto ""'.
fetchmail-6.1.2 (Thu Oct 31 11:41:02 EST 2002), 22135 lines:
break;
case P_IMAP:
#ifdef IMAP_ENABLE
- st = doIMAP(ctl);
+ do {
+ st = doIMAP(ctl);
+ } while (st == PS_REPOLL);
#else
report(stderr, GT_("IMAP support is not configured.\n"));
st = PS_PROTOCOL;
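Review bot: The new `do { st = doIMAP(ctl); } while (st == PS_REPOLL);` loop in the P_IMAP case has no iteration bound, so it terminates only because every PS_REPOLL path in doIMAP first sets `ctl->sslproto` to a non-NULL value and thereby cannot repoll a second time; that invariant deserves a comment here, e.g. `/* PS_REPOLL is returned at most once: the callee disables STARTTLS before asking for it */`. The matching P_POP3 case is not in this hunk, and since pop3.c in this same patch also returns PS_REPOLL, it presumably needs the same loop or the status surfaces as an unhandled return. The enclosing switch continues outside the hunk.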
#ifdef SSL_ENABLE
if (ctl->use_ssl)
printf(GT_(" SSL encrypted sessions enabled.\n"));
+ if (ctl->sslproto)
+ printf(GT_(" SSL protocol: %s.\n"), ctl->sslproto);
if (ctl->sslcertck) {
printf(GT_(" SSL server certificate checking enabled.\n"));
if (ctl->sslcertpath != NULL)
/* apply for connection authorization */
{
int ok = 0;
+#ifdef SSL_ENABLE
+ flag did_stls = FALSE;
+#endif /* SSL_ENABLE */
/* probe to see if we're running IMAP4 and can use RFC822.PEEK */
capabilities[0] = '\0';
#endif /* KERBEROS_V4 */
#ifdef SSL_ENABLE
- if ((ctl->server.authenticate == A_ANY)
+ if ((!ctl->sslproto || !strcmp(ctl->sslproto,"tls1"))
&& !ctl->use_ssl
&& strstr(capabilities, "STARTTLS"))
{
*/
if (SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
{
+ if (!ctl->sslproto && !ctl->wehaveauthed)
+ {
+ ctl->sslproto = xstrdup("");
+ /* repoll immediately */
+ return(PS_REPOLL);
+ }
report(stderr,
GT_("SSL connection failed.\n"));
return(PS_AUTHFAIL);
}
+ did_stls = TRUE;
}
#endif /* SSL_ENABLE */
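Review bot: The new fallback at `if (!ctl->sslproto && !ctl->wehaveauthed)` turns every SSLOpen failure into a repoll with STARTTLS disabled, after which the LOGIN goes out in cleartext; because SSLOpen is called with `ctl->sslcertck` and `ctl->sslfingerprint`, a certificate-verification or fingerprint mismatch is among the failures that trigger it, which is exactly the condition an on-path attacker can provoke to strip TLS. The fallback should be limited to configurations where the user did not ask for verification, e.g. `if (!ctl->sslproto && !ctl->wehaveauthed && !ctl->sslcertck && !ctl->sslfingerprint)`, and it should not be silent: a `report(stderr, GT_("STARTTLS handshake failed, retrying without TLS\n"));` before `return(PS_REPOLL);` tells the user the session was downgraded. Note also that `ctl->sslproto = xstrdup("")` is stored in the control block, so the downgrade persists for the remaining polls of this process, not just the immediate retry. The STARTTLS command that precedes SSLOpen is outside the hunk.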
strcpy(shroud, password);
ok = gen_transact(sock, "LOGIN \"%s\" \"%s\"", remotename, password);
shroud[0] = '\0';
+#ifdef SSL_ENABLE
+ /* this is for servers which claim to support TLS, but actually
+ * don't! */
+ if (did_stls && ok == PS_SOCKET && !ctl->sslproto && !ctl->wehaveauthed)
+ {
+ ctl->sslproto = xstrdup("");
+ /* repoll immediately */
+ ok = PS_REPOLL;
+ }
+#endif
if (ok)
{
/* SASL cancellation of authentication */
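Review bot: The check `if (did_stls && ok == PS_SOCKET && !ctl->sslproto && !ctl->wehaveauthed)` treats any socket-level failure of the LOGIN exchange after a successful TLS handshake as "the server does not really do TLS", including an ordinary connection drop, and the repoll then resends the same password in cleartext. If this heuristic is kept it should be narrowed to failures that can be attributed to the TLS layer, where the code base lets them be distinguished from a plain PS_SOCKET, and a `report(stderr, ...)` should precede `ok = PS_REPOLL;` so the downgrade is visible in the log. The comment `/* this is for servers which claim to support TLS, but actually don't! */` should also state the consequence, that the retry is unencrypted. The `if (ok)` handling that consumes PS_REPOLL continues outside the hunk.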
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
flag has_ssl = FALSE;
+ flag did_stls = FALSE;
#endif /* SSL_ENABLE */
#ifdef SDPS_ENABLE
#ifdef SSL_ENABLE
if (has_ssl
&& !ctl->use_ssl
- && (ctl->server.authenticate == A_ANY))
+ && (!ctl->sslproto || !strcmp(ctl->sslproto,"tls1")))
{
char *realhost;
realhost = ctl->server.via ? ctl->server.via : ctl->server.pollname;
gen_transact(sock, "STLS");
- if (SSLOpen(sock,ctl->sslcert,ctl->sslkey,ctl->sslproto,ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+
+ /* We use "tls1" instead of ctl->sslproto, as we want STLS,
+ * not other SSL protocols
+ */
+ if (SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
{
+ if (!ctl->sslproto && !ctl->wehaveauthed)
+ {
+ ctl->sslproto = xstrdup("");
+ /* repoll immediately */
+ return(PS_REPOLL);
+ }
report(stderr,
GT_("SSL connection failed.\n"));
return(PS_AUTHFAIL);
}
+ did_stls = TRUE;
}
#endif /* SSL_ENABLE */
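Review bot: The context line `gen_transact(sock, "STLS");` discards the server's reply, so a `-ERR` answer still reaches `SSLOpen(...)` on a plaintext socket, and the new `if (!ctl->sslproto && !ctl->wehaveauthed)` branch then silently converts that handshake failure into a repoll without TLS; together this means a server, or an on-path party, that rejects STLS gets the PASS in cleartext on the next pass. Checking the command result, `if (gen_transact(sock, "STLS") != PS_SUCCESS) return(PS_AUTHFAIL);`, and refusing to downgrade at all when `ctl->sslcertck` or `ctl->sslfingerprint` is set would close that path. A warning via `report(stderr, ...)` before `return(PS_REPOLL);` is also needed so the user learns the session was downgraded.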
strcpy(shroud, ctl->password);
ok = gen_transact(sock, "PASS %s", ctl->password);
shroud[0] = '\0';
+#ifdef SSL_ENABLE
+ /* this is for servers which claim to support TLS, but actually
+ * don't! */
+ if (did_stls && ok == PS_SOCKET && !ctl->sslproto && !ctl->wehaveauthed)
+ {
+ ctl->sslproto = xstrdup("");
+ /* repoll immediately */
+ ok = PS_REPOLL;
+ }
+#endif
break;
case P_APOP:
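Review bot: `ctl->sslproto = xstrdup("")` in the new block is written into the server control block and nothing visible in this patch resets it, so a single PS_SOCKET during the PASS exchange, such as a transient network drop after a good STLS, disables TLS for that server for the lifetime of the process and every later poll sends `ctl->password` in cleartext. If the fallback is kept, it should be scoped to the immediate repoll, for example a per-poll flag instead of a persistent sslproto override, or restored once the plaintext retry has completed. The code that acts on `ok == PS_REPOLL` after the `break;` is outside the hunk.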
_ctx = SSL_CTX_new(SSLv3_client_method());
} else if(!strcmp("tls1",myproto)) {
_ctx = SSL_CTX_new(TLSv1_client_method());
+ } else if (!strcmp("ssl23",myproto)) {
+ myproto = NULL;
} else {
fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
myproto = NULL;
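Review bot: The new `} else if (!strcmp("ssl23",myproto)) { myproto = NULL; }` branch makes "ssl23" select the SSLv23 default path, which permits SSLv2 negotiation if that path uses `SSLv23_client_method()` without `SSL_OP_NO_SSLv2` (the default setup is not visible here); a comment such as `/* "ssl23" is an explicit request for the SSLv23 auto-negotiation default */` would at least document that it is equivalent to leaving sslproto unset. Separately, the empty string that the STARTTLS fallback in this patch stores in sslproto matches no branch of this chain, so if a `use_ssl` connection ever reaches SSLOpen with that value it lands in the `Invalid SSL protocol ''` message; handling it explicitly with `} else if (!*myproto) { myproto = NULL; }` or documenting that "" never reaches here would avoid the misleading diagnostic. The beginning of the if-chain is outside the hunk.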