}
#endif /* HAVE_SOCKETPAIR */
-static int setsocktimeout(int sock, int which, int timeout) {
- struct timeval tv;
- int rc;
-
- tv.tv_sec = timeout;
- tv.tv_usec = 0;
- rc = setsockopt(sock, SOL_SOCKET, which, &tv, sizeof(tv));
- if (rc) {
- report(stderr, GT_("setsockopt(%d, SOL_SOCKET) failed: %s"), sock, strerror(errno));
- }
- return rc;
-}
-
-/** Configure socket options such as send/receive timeout at the socket
- * level, to avoid network-induced stalls.
- */
-int SockTimeout(int sock, int timeout)
-{
- int err = 0;
-
- if (setsocktimeout(sock, SO_RCVTIMEO, timeout)) err = 1;
- if (setsocktimeout(sock, SO_SNDTIMEO, timeout)) err = 1;
- return err;
+/** Set socket to SO_KEEPALIVE. \return 0 for success. */
+int SockKeepalive(int sock) {
+ int keepalive = 1;
+ return setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &keepalive, sizeof keepalive);
}
int UnixOpen(const char *path)
return -1;
}
- /* Socket opened saved. Usefull if connect timeout
- * because it can be closed.
- */
- mailserver_socket_temp = sock;
-
- if (connect(sock, (struct sockaddr *) &ad, sizeof(ad)) < 0)
+ /* Socket opened saved. Usefull if connect timeout
+ * because it can be closed.
+ */
+ mailserver_socket_temp = sock;
+
+ if (connect(sock, (struct sockaddr *) &ad, sizeof(ad)) < 0)
{
int olderr = errno;
fm_close(sock); /* don't use SockClose, no traffic yet */
errno = olderr;
sock = -1;
}
-
- /* No connect timeout, then no need to set mailserver_socket_temp */
- mailserver_socket_temp = -1;
+
+ /* No connect timeout, then no need to set mailserver_socket_temp */
+ mailserver_socket_temp = -1;
return sock;
}
continue;
}
+ SockKeepalive(i);
+
/* Save socket descriptor.
* Used to close the socket after connect timeout. */
mailserver_socket_temp = i;
if (outlevel >= O_VERBOSE) {
if (depth == 0 && SSLverbose)
- report(stderr, GT_("Server certificate:\n"));
+ report(stdout, GT_("Server certificate:\n"));
else {
if (_firstrun) {
_firstrun = 0;
/* Make sure a connection referring to an older context is not left */
_ssl_context[sock] = NULL;
if(myproto) {
- if(!strcasecmp("ssl3",myproto)) {
+ if(!strcasecmp("ssl2",myproto)) {
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+ _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
+#else
+ report(stderr, GT_("Your operating system does not support SSLv2.\n"));
+ return -1;
+#endif
+ } else if(!strcasecmp("ssl3",myproto)) {
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
} else if(!strcasecmp("tls1",myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
} else if (!strcasecmp("ssl23",myproto)) {
myproto = NULL;
} else {
- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
+ fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
myproto = NULL;
}
}
return(-1);
}
- SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+
+ {
+ char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+ if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+ SSL_CTX_clear_options(_ctx[sock], SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ }
if (certck) {
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
return count;
}
#endif /* __CYGWIN__ */
-
-#ifdef MAIN
-/*
- * Use the chargen service to test input buffering directly.
- * You may have to uncomment the `chargen' service description in your
- * inetd.conf (and then SIGHUP inetd) for this to work. */
-main()
-{
- int sock = SockOpen("localhost", "chargen", NULL);
- char buf[80];
-
- while (SockRead(sock, buf, sizeof(buf)-1))
- SockWrite(1, buf, strlen(buf));
- SockClose(sock);
-}
-#endif /* MAIN */
-
-/* socket.c ends here */