* Keep syslog output at one line per message (this works if no errors occur).
* Track getaddrinfo() results to properly free them after timeouts,
reported by Uli Zappe. This MIGHT fix Debian Bug#294547 and Bug#377135.
+* Fetchmail in verbose mode now logs if it opportunistically upgrades a POP3
+ or IMAP connection to TLS security with STLS/STARTTLS.
# CHANGES:
* Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
-- log/print warning if fetchmail uses TLS without configuration,
- to avoid users being surprised (see Debian Bug#294547).
- allow full user@domain mappings in multidrop matching
(is this perhaps a 6.4.0 issue?) see Andrew Longland-Meech's
multidrop problems on fetchmail-users
.TP
.B \-\-sslproto <name>
(Keyword: sslproto)
-Forces an SSL protocol. Possible values are '\fBssl2\fR',
+Forces an SSL or TLS protocol. Possible values are '\fBssl2\fR',
\&'\fBssl3\fR', '\fBssl23\fR', and '\fBtls1\fR'. Try this if the default
handshake does not work for your server. To defeat automatic TLSv1
negotiation when the server advertises STARTTLS or STLS, use \fB''\fR or
-\&'\fBssl23\fR'. The default is to try appropriate protocols depending
-on context.
+\&'\fBssl23\fR'. This option, even if the argument is the empty string,
+will also suppress the diagnostic 'SERVER: opportunistic upgrade to
+TLS.' message in verbose mode. The default is to try appropriate
+protocols depending on context.
.TP
.B \-\-sslcertck
(Keyword: sslcertck)
* not other SSL protocols
*/
if (ok == PS_SUCCESS &&
- SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+ SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ ctl->sslcertpath,ctl->sslfingerprint,
+ realhost,ctl->server.pollname) == -1)
{
if (!ctl->sslproto && !ctl->wehaveauthed)
{
report(stderr,
GT_("SSL connection failed.\n"));
return PS_SOCKET;
- }
+ } else {
+ if (outlevel >= O_VERBOSE && !ctl->sslproto)
+ report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+ }
did_stls = TRUE;
/*
ok = gen_transact(sock, "STLS");
/* We use "tls1" instead of ctl->sslproto, as we want STLS,
- * not other SSL protocols
- */
+ * not other SSL protocols */
if (ok == PS_SUCCESS &&
- SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+ SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ ctl->sslcertpath,ctl->sslfingerprint,
+ realhost,ctl->server.pollname) == -1)
{
if (!ctl->sslproto && !ctl->wehaveauthed)
{
ctl->sslproto = xstrdup("");
- /* repoll immediately */
- return(PS_REPOLL);
+ /* repoll immediately without TLS */
+ return PS_REPOLL;
}
report(stderr,
GT_("SSL connection failed.\n"));
- return PS_SOCKET;
- }
+ return PS_SOCKET;
+ } else {
+ if (outlevel >= O_VERBOSE && !ctl->sslproto)
+ report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+ }
did_stls = TRUE;
/*
projects / ~andy / fetchmail / commitdiff