From aee0a1be4163b06ae8d32dff93d13a87668423b3 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Tue, 17 May 2011 18:00:56 +0200 Subject: [PATCH] Reinstate SSLv2 support on legacy_63 branch. Revert "Remove support for SSLv2 (fixes Debian Bug #622054)." This reverts commit c22a3afca46c83ee6d53a6ee58deb122f309c460. --- NEWS | 4 ---- fetchmail.man | 5 ++--- options.c | 2 +- po/de.po | 8 ++++---- socket.c | 8 +++++--- 5 files changed, 12 insertions(+), 15 deletions(-) diff --git a/NEWS b/NEWS index 9f1bbf98..bcf2537b 100644 --- a/NEWS +++ b/NEWS @@ -59,10 +59,6 @@ removed from a 6.4.0 or newer release.) fetchmail-6.3.20 (not yet released): # CHANGES -* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to - --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail - will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2. - To fix Debian Bug#622054. * fetchmail now always uses its own MD5 implementation. The library and header variants are too diverse, and we've been bitten before -- and configure complains noisily on Cyrus-SASL's RFC1321 md5.h. diff --git a/fetchmail.man b/fetchmail.man index 231e163d..152a74c0 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -474,9 +474,8 @@ Also see \-\-sslcert above. (Keyword: sslproto) .br Forces an SSL/TLS protocol. Possible values are \fB''\fP, -\&'\fBSSL23\fP' (note however that fetchmail, since v6.3.20, prohibits -negotiation of SSLv2 -- it has been deprecated for 15 years and is -insecure), \&'\fBSSL3\fP', and +\&'\fBSSL2\fP', '\fBSSL23\fP', (use of these two values is discouraged +and should only be used as a last resort) \&'\fBSSL3\fP', and \&'\fBTLS1\fP'. The default behaviour if this option is unset is: for connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure diff --git a/options.c b/options.c index aee616ba..d53044fc 100644 --- a/options.c +++ b/options.c 
@@ -651,7 +651,7 @@ int parsecmdline (int argc /** argument count */, P(GT_(" --sslcertpath path to trusted-CA ssl certificate directory\n")); P(GT_(" --sslcommonname expect this CommonName from server (discouraged)\n")); P(GT_(" --sslfingerprint fingerprint that must match that of the server's cert.\n")); - P(GT_(" --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n")); + P(GT_(" --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n")); #endif P(GT_(" --plugin specify external command to open connection\n")); P(GT_(" --plugout specify external command to open smtp connection\n")); diff --git a/po/de.po b/po/de.po index ff91818d..0b7e3476 100644 --- a/po/de.po +++ b/po/de.po @@ -2270,8 +2270,8 @@ msgstr "" "Servers.\n" #: options.c:654 -msgid " --sslproto force ssl protocol (SSL23/SSL3/TLS1)\n" -msgstr " --sslproto SSL-Protokoll erzwingen (SSL23/SSL3/TLS1)\n" +msgid " --sslproto force ssl protocol (SSL2/SSL3/TLS1)\n" +msgstr " --sslproto SSL-Protokoll erzwingen (SSL2/SSL3/TLS1)\n" #: options.c:656 msgid " --plugin specify external command to open connection\n" @@ -3175,9 +3175,9 @@ msgstr "Datei-Deskriptor außerhalb des Bereichs für SSL" #: socket.c:899 #, c-format -msgid "Invalid SSL protocol '%s' specified, using default (SSL23).\n" +msgid "Invalid SSL protocol '%s' specified, using default (SSLv23).\n" msgstr "" -"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSL23).\n" +"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSLv23).\n" #: socket.c:992 msgid "Certificate/fingerprint verification was somehow skipped!\n" diff --git a/socket.c b/socket.c index 26e37de8..f513d9ff 100644 --- a/socket.c +++ b/socket.c 
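Review bot: The restored usage text lists `SSL2/SSL3/TLS1` and drops `SSL23`, although socket.c in this same patch still accepts `ssl23` and falls back to it as the default, so the help output now omits the default value and advertises the one protocol the man-page hunk calls discouraged without carrying that caveat. I would make the line agree with both the parser and the manual: `P(GT_(" --sslproto force ssl protocol (SSL2/SSL23/SSL3/TLS1; SSL2 is discouraged)\n"));`, and update the matching msgid in po/de.po alongside it. parsecmdline begins before and continues after this hunk.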
@@ -899,14 +899,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck /* Make sure a connection referring to an older context is not left */ _ssl_context[sock] = NULL; if(myproto) { - if(!strcasecmp("ssl3",myproto)) { + if(!strcasecmp("ssl2",myproto)) { + _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); + } else if(!strcasecmp("ssl3",myproto)) { _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); } else if (!strcasecmp("ssl23",myproto)) { myproto = NULL; } else { - fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto); + fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); myproto = NULL; } } @@ -918,7 +920,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck return(-1); } - SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2); + SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL); if (certck) { SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); -- 2.43.2
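Review bot: The added `ssl2` branch calls `SSLv2_client_method()` unconditionally, but that function is not present in OpenSSL builds configured with `no-ssl2` (which define `OPENSSL_NO_SSL2`), so the reinstated branch will fail to compile against such a library, and the reverted commit's rationale that SSLv2 is insecure still stands. The man-page hunk marks SSL2 as a last resort, yet this code path prints nothing when the user actually selects it. I would guard the branch with `#ifndef OPENSSL_NO_SSL2` and warn on stderr when SSLv2 is chosen, as sketched below. SSLOpen continues past the end of this hunk.
```c
	if(myproto) {
#ifndef OPENSSL_NO_SSL2
		if(!strcasecmp("ssl2",myproto)) {
			fprintf(stderr,GT_("Warning: SSLv2 was requested; it is insecure and should only be used as a last resort.\n"));
			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
		} else
#endif
		if(!strcasecmp("ssl3",myproto)) {
			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
		/* … unchanged: tls1, ssl23 and invalid-protocol branches … */
```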
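Review bot: Dropping `SSL_OP_NO_SSLv2` here affects every context, not just the one built for an explicit `ssl2` request: with `--sslproto` unset or set to `SSL23`, myproto is NULL at this point (the earlier hunk clears it for `ssl23` and for unrecognised values), and the default context created past the end of this hunk, presumably with the SSLv23 method, will again accept an SSLv2 negotiation with any server that offers one. That exposes users who never asked for SSLv2 to a downgrade, which is exactly what the reverted commit closed. Keeping the option unless SSLv2 was explicitly chosen preserves the opt-in the man page describes: `SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | ((myproto && !strcasecmp("ssl2", myproto)) ? 0 : SSL_OP_NO_SSLv2));`. SSLOpen begins before and continues after this hunk.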