From ddfa475a70126d818fee10221edb5b0112cea374 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Wed, 6 Mar 2013 15:48:39 +0100 Subject: [PATCH] Remove obsolete "OpenSSL default fingerprint is MD5" claim. The fetchmail manual page no longer claims that MD5 were the default OpenSSL hash format (for use with --sslfingerprint). Reported by Jakob Wilk, PARTIAL fix for Debian Bug#700266. --- NEWS | 3 +++ fetchmail.man | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 93cc4666..bd2cc79f 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,9 @@ fetchmail-6.3.25 (not yet released): missing trust anchors (root certificates). * OpenSSL decoded errors are now reported through report(), rather than dumped to stderr, so that they should show up in logfiles and/or syslog. +* The fetchmail manual page no longer claims that MD5 were the default OpenSSL + hash format (for use with --sslfingerprint). Reported by Jakob Wilk, + PARTIAL fix for Debian Bug#700266. # WORKAROUNDS * Older systems that provide the older RFC-2553 implementation of getaddrinfo, diff --git a/fetchmail.man b/fetchmail.man index 2356d95e..3b73a6aa 100644 --- a/fetchmail.man +++ b/fetchmail.man 
@@ -562,11 +562,11 @@ the upstream server can't be made to use proper certificates. .br Specify the fingerprint of the server key (an MD5 hash of the key) in hexadecimal notation with colons separating groups of two digits. The letter -hex digits must be in upper case. This is the default format OpenSSL uses, -and the one fetchmail uses to report the fingerprint when an SSL connection +hex digits must be in upper case. This is the format +that fetchmail uses to report the fingerprint when an SSL connection is established. When this is specified, fetchmail will compare the server key fingerprint with the given one, and the connection will fail if they do not -match regardless of the \fBsslcertck\fP setting. The connection will +match, regardless of the \fBsslcertck\fP setting. The connection will also fail if fetchmail cannot obtain an SSL certificate from the server. This can be used to prevent man-in-the-middle attacks, but the finger print from the server needs to be obtained or verified over a secure @@ -1208,7 +1208,7 @@ severely underdocumented, so failures may occur just because the programmers are not aware of OpenSSL's requirement of the day. For instance, since v6.3.16, fetchmail calls OpenSSL_add_all_algorithms(), which is necessary to support certificates -with SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the +using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the documentation and not at all obvious. Please do not hesitate to report subtle SSL failures. .PP -- 2.43.2
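Review bot: In the NEWS hunk, "no longer claims that MD5 were the default OpenSSL hash format" should read "MD5 was the default OpenSSL hash format"; the subjunctive "were" is not standard in an English reported-speech clause, and the same wording is repeated in the commit message, so both should be corrected together.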
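Review bot: In the fetchmail.man hunk at -562, dropping "This is the default format OpenSSL uses" leaves the reader with no guidance on how to produce a fingerprint that will match, while the retained context still states the value is "an MD5 hash of the key" in upper-case colon-separated hex; since a fingerprint computed with any other digest will never match and the connection then fails "regardless of the \fBsslcertck\fP setting", suggest adding one sentence saying that the digest must be explicitly requested as MD5 from whatever tool produces it, and that the value printed by fetchmail itself on an established connection is the reference to copy. The unchanged context line "the finger print from the server" should also be "the fingerprint from the server" for consistency with the rest of the paragraph.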