From ad7f24b60fa4ecfc037c0b9a970b99624c6e65fe Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Thu, 6 Sep 2012 01:59:15 +0200
Subject: [PATCH] Revert "Reinstate SSLv2 support on legacy_63 branch."

This reverts commit aee0a1be4163b06ae8d32dff93d13a87668423b3.

It was inadvertently merged from 6.3.20-6.3.21 changes.

Conflicts:
	NEWS
	fetchmail.man
	po/de.po
	socket.c
---
 fetchmail.man | 10 +++++-----
 options.c | 2 +-
 po/de.po | 10 +++++-----
 socket.c | 11 ++--------
 4 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/fetchmail.man b/fetchmail.man
index babc57ab..45f2cb98 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -449,9 +449,9 @@ Also see \-\-sslcert above.
 (Keyword: sslproto)
 .br
 Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP' (not supported on all systems),
-\&'\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
+\&'\fBSSL23\fP' (note however that fetchmail, since v7.0.0, prohibits
+negotiation of SSLv2 -- it has been deprecated for 15 years and is
+insecure), \&'\fBSSL3\fP', and
 \&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
 connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
 opportunistically try STARTTLS negotiation with TLS1. You can configure
@@ -1189,8 +1189,8 @@ connection after negotiating an SSL session, and the connection fails if
 SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
 different well known ports defined for the SSL encrypted services. The
 encrypted ports will be selected automatically when SSL is enabled and
-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
-used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
+no explicit port is specified. The \-\-sslproto 'SSL3' need no longer be
+used to avoid the SSLv2 protocol. Also,
 the \-\-sslcertck command line or sslcertck run control file option
 should be used to force strict certificate checking - see below.
 .PP
diff --git a/options.c b/options.c
index cee5fae4..5f1739c4 100644
--- a/options.c
+++ b/options.c
@@ -649,7 +649,7 @@ int parsecmdline (int argc /** argument count */,
 P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n"));
 P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n"));
 P(GT_(" --sslfingerprint fingerprint that must match that of the server's cert.\n"));
-P(GT_(" --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"));
+P(GT_(" --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"));
 #endif
 P(GT_(" --plugin specify external command to open connection\n"));
 P(GT_(" --plugout specify external command to open smtp connection\n"));
diff --git a/po/de.po b/po/de.po
index a3175374..4e26e091 100644
--- a/po/de.po
+++ b/po/de.po
@@ -2237,9 +2237,9 @@ msgstr ""
 " --sslfingerprint verlangter Fingerabdruck des Zertifikats des "
 "Servers.\n"
 
-#: options.c:652
-msgid " --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n"
-msgstr " --sslproto SSL-Protokoll erzwingen (SSL2/SSL3/TLS1)\n"
+#: options.c:654
+msgid " --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n"
+msgstr " --sslproto SSL-Protokoll erzwingen (SSL23/SSL3/TLS1)\n"
 
 #: options.c:654
 msgid " --plugin specify external command to open connection\n"
@@ -3167,9 +3167,9 @@ msgstr "Ihr Betriebssystem unterstützt SSLv2 nicht.\n"
 
 #: socket.c:826
 #, c-format
-msgid "Invalid SSL protocol '%s' specified, using default (SSLv23).\n"
+msgid "Invalid SSL protocol '%s' specified, using default (SSL23).\n"
 msgstr ""
-"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSLv23).\n"
+"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSL23).\n"
 
 #: socket.c:919
 msgid "Certificate/fingerprint verification was somehow skipped!\n"
diff --git a/socket.c b/socket.c
index 1655bf3c..e8ed5840 100644
--- a/socket.c
+++ b/socket.c
@@ -808,21 +808,14 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 /* Make sure a connection referring to an older context is not left */
 _ssl_context[sock] = NULL;
 if(myproto) {
-if(!strcasecmp("ssl2",myproto)) {
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
-_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
-#else
-report(stderr, GT_("Your operating system does not support SSLv2.\n"));
-return -1;
-#endif
-} else if(!strcasecmp("ssl3",myproto)) {
+if(!strcasecmp("ssl3",myproto)) {
 _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 } else if(!strcasecmp("tls1",myproto)) {
 _ctx[sock] = SSL_CTX_new(TLSv1_client_method());
 } else if (!strcasecmp("ssl23",myproto)) {
 myproto = NULL;
 } else {
-fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
 myproto = NULL;
 }
 }
-- 
2.43.2
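Review bot: With the "ssl2" branch gone, any unrecognized --sslproto value (including a stale "ssl2" in an existing rcfile, or a simple typo) now reaches the final else branch, which prints the "Invalid SSL protocol" warning and then sets `myproto = NULL`, so a misconfigured protocol silently falls back to the SSLv23 auto-negotiating default instead of failing closed. The removed SSLv2 branch returned -1 for an unsupported protocol, which is the function's existing error convention; I would change the `myproto = NULL;` after the fprintf to `return -1;` so the caller sees the misconfiguration rather than getting a weaker-than-requested connection. The man-page hunk now states that SSLv2 negotiation is prohibited, but the code that builds the default context when myproto is NULL lies outside this hunk, so please confirm that SSL_OP_NO_SSLv2 is applied there; otherwise the documentation promises more than the fallback path delivers. As a point of style, the surviving else branch uses `fprintf(stderr, ...)` where the removed branch used `report(stderr, ...)`; routing it through report() would keep the message consistent with the program's other diagnostics. SSLOpen's body continues outside the hunk.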