(Keyword: sslproto)
.br
Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP' (not supported on all systems),
-\&'\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
+\&'\fBSSL23\fP' (note however that fetchmail, since v7.0.0, prohibits
+negotiation of SSLv2 -- it has been deprecated for 15 years and is
+insecure), \&'\fBSSL3\fP', and
\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
opportunistically try STARTTLS negotiation with TLS1. You can configure
SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
different well known ports defined for the SSL encrypted services. The
encrypted ports will be selected automatically when SSL is enabled and
-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
-used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
+no explicit port is specified. The \-\-sslproto 'SSL3' need no longer be
+used to avoid the SSLv2 protocol. Also,
the \-\-sslcertck command line or sslcertck run control file option
should be used to force strict certificate checking - see below.
.PP
P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n"));
P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n"));
P(GT_(" --sslfingerprint fingerprint that must match that of the server's cert.\n"));
- P(GT_(" --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"));
+ P(GT_(" --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"));
#endif
P(GT_(" --plugin specify external command to open connection\n"));
P(GT_(" --plugout specify external command to open smtp connection\n"));
" --sslfingerprint verlangter Fingerabdruck des Zertifikats des "
"Servers.\n"
-#: options.c:652
-msgid " --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"
-msgstr " --sslproto SSL-Protokoll erzwingen (SSL2/SSL3/TLS1)\n"
+#: options.c:654
+msgid " --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"
+msgstr " --sslproto SSL-Protokoll erzwingen (SSL23/SSL3/TLS1)\n"
#: options.c:654
msgid " --plugin specify external command to open connection\n"
#: socket.c:826
#, c-format
-msgid "Invalid SSL protocol '%s' specified, using default (SSLv23).\n"
+msgid "Invalid SSL protocol '%s' specified, using default (SSL23).\n"
msgstr ""
-"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSLv23).\n"
+"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSL23).\n"
#: socket.c:919
msgid "Certificate/fingerprint verification was somehow skipped!\n"
/* Make sure a connection referring to an older context is not left */
_ssl_context[sock] = NULL;
if(myproto) {
- if(!strcasecmp("ssl2",myproto)) {
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
- _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
-#else
- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
- return -1;
-#endif
- } else if(!strcasecmp("ssl3",myproto)) {
+ if(!strcasecmp("ssl3",myproto)) {
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
} else if(!strcasecmp("tls1",myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
} else if (!strcasecmp("ssl23",myproto)) {
myproto = NULL;
} else {
- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+ fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
myproto = NULL;
}
}
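Review bot: Removing the explicit `ssl2` branch does not by itself prevent SSLv2 negotiation, which is what the man page in this commit promises: both the `ssl23` branch and the invalid-value branch set `myproto = NULL` and fall through to the default context, which is created outside this hunk, and SSLv2 is excluded there only if that code applies `SSL_CTX_set_options(_ctx[sock], SSL_OP_NO_SSLv2);` after `SSL_CTX_new()`. If it does not, that line should be added on the default path; if it does, a comment on the two `myproto = NULL;` lines such as `/* fall through to the SSLv23 default; SSLv2 is disabled there via SSL_OP_NO_SSLv2 */` would make the link between this change and the documented guarantee visible. Note also that a user with `sslproto ssl2` in an existing rcfile now silently lands in the invalid-value branch and gets the default; the warning is printed with `fprintf(stderr, ...)` whereas the removed branch used `report(stderr, ...)`, so one of the two conventions should be used consistently. The enclosing function continues past the end of this hunk, so the SSL_CTX_new() result check and the default-context creation could not be reviewed here.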