diff options
| author |   Zang Ruochen <zangrc.fnst@cn.fujitsu.com> | 2019-10-09 15:25:44 +0800 |
|---|---|---|
| committer |   Khem Raj <raj.khem@gmail.com> | 2019-10-09 00:35:31 -0700 |
| commit | 10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc (patch) | |
| tree | 838fcfe8d75688b13f60a86061bc13c8a866ac2f | |
| parent | a705a7f19761a2fded62a86f66c4d010abcdcc65 (diff) | |
| download | meta-openembedded-contrib-10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc.tar.gz | |
fetchmail: upgrade 6.3.26 -> 6.4.1
-License-Update: Copyright year updated to 2019.
-fetchmail/02_remove_SSLv3.patch
Removed since this is included in 6.4.1.
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| -rw-r--r-- | meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch | 1576 | ||||
| -rw-r--r-- | meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb (renamed from meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb) | 7 |
2 files changed, 3 insertions, 1580 deletions
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch deleted file mode 100644 index 95cfa2f4a1..0000000000 --- a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch +++ /dev/null @@ -1,1576 +0,0 @@ -Description: <short summary of the patch> - TODO: Put a short summary on the line above and replace this paragraph - with a longer explanation of this change. Complete the meta-information - with other relevant fields (see below for details). To make it easier, the - information below has been extracted from the changelog. Adjust it or drop - it. - . - fetchmail (6.3.26-2) unstable; urgency=low - . - * New maintainer (closes: #800750). - * Backport upstream fix for SSLv3 removal (closes: #804604) and do not - recommend SSLv3 (closes: #801178). - * Remove quilt and its usage. - * Add dh-python to build depends. - * Update upstream URLs. - * Update watch file. - * Update Standards-Version to 3.9.6 . -Author: Laszlo Boszormenyi (GCS) <gcs@debian.org> -Bug-Debian: https://bugs.debian.org/800750 -Bug-Debian: https://bugs.debian.org/801178 -Bug-Debian: https://bugs.debian.org/804604 - ---- -The information above should follow the Patch Tagging Guidelines, please -checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here -are templates for supplementary fields that you might want to add: - -Origin: <vendor|upstream|other>, <url of original patch> -Bug: <url in upstream bugtracker> -Bug-Debian: https://bugs.debian.org/<bugnumber> -Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> -Forwarded: <no|not-needed|url proving that it has been forwarded> -Reviewed-By: <name and email of someone who approved the patch> -Last-Update: <YYYY-MM-DD> - ---- fetchmail-6.3.26.orig/Makefile.am -+++ fetchmail-6.3.26/Makefile.am -@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 - servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ - smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ - libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ -- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ -+ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ - xmalloc.h sdump.h sdump.c x509_name_match.c \ - fm_strl.h md5c.c - if NTLM_ENABLE ---- fetchmail-6.3.26.orig/Makefile.in -+++ fetchmail-6.3.26/Makefile.in -@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas - rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ - smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ - libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ -- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ -+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ - x509_name_match.c fm_strl.h md5c.c ntlmsubr.c - @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) - am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ - rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ - servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ - smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ -- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ -+ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ - sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ - $(am__objects_1) - libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) -@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc - servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ - smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ - libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ -- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ -+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ - x509_name_match.c fm_strl.h md5c.c $(am__append_1) - libfm_a_LIBADD = $(EXTRAOBJ) - libfm_a_DEPENDENCIES = $(EXTRAOBJ) ---- fetchmail-6.3.26.orig/NEWS -+++ fetchmail-6.3.26/NEWS -@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) - * The --bsmtp - mode of operation may be removed in a future release. - * Given that OpenSSL is severely underdocumented, and needs license exceptions, - fetchmail may switch to a different SSL library. --* SSLv2 support will be removed from a future fetchmail release. It has been -- obsolete for more than a decade. - - -------------------------------------------------------------------------------- - ---- fetchmail-6.3.26.orig/README.SSL -+++ fetchmail-6.3.26/README.SSL -@@ -11,36 +11,45 @@ specific to fetchmail. - In case of troubles, mail the README.SSL-SERVER file to your ISP and - have them check their server configuration against it. - --Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether --a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is --totally SSL-wrapped on a separate port. For compatibility reasons, this cannot --be fixed in a bugfix release. -+Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a -+service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) -+or is totally SSL-wrapped on a separate port. For compatibility -+reasons, this cannot be fixed in a bugfix or minor release. -+ -+Also, fetchmail 6.4.0 and newer releases changed some of the semantics -+as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. -+If your server does not support this, you may have to specify --sslproto -+ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 -+and v3 are broken. - -- -- Matthias Andree, 2009-05-09 -+ -- Matthias Andree, 2015-01-16 - - - Quickstart - ---------- - -+Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get -+TLSv1.2 support. -+ - For use of SSL or TLS with in-band negotiation on the regular service's port, - i. e. with STLS or STARTTLS, use these command line options - -- --sslproto tls1 --sslcertck -+ --sslproto auto --sslcertck - - or these options in the rcfile (after the respective "user"... options) - -- sslproto tls1 sslcertck -+ sslproto auto sslcertck - - - For use of SSL or TLS on a separate port, if the whole TCP connection is --SSL-encrypted from the very beginning, use these command line options (in the --rcfile, omit all leading "--"): -+SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these -+command line options (in the rcfile, omit all leading "--"): - -- --ssl --sslproto ssl3 --sslcertck -+ --ssl --sslproto auto --sslcertck - - or these options in the rcfile (after the respective "user"... options) - -- ssl sslproto ssl3 sslcertck -+ ssl sslproto auto sslcertck - - - Background and use (long version :-)) ---- fetchmail-6.3.26.orig/config.h.in -+++ fetchmail-6.3.26/config.h.in -@@ -49,9 +49,9 @@ - don't. */ - #undef HAVE_DECL_H_ERRNO - --/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 -+/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 - if you don't. */ --#undef HAVE_DECL_SSLV2_CLIENT_METHOD -+#undef HAVE_DECL_SSLV3_CLIENT_METHOD - - /* Define to 1 if you have the declaration of `strerror', and to 0 if you - don't. */ ---- fetchmail-6.3.26.orig/configure -+++ fetchmail-6.3.26/configure -@@ -1,13 +1,11 @@ - #! /bin/sh - # Guess values for system-dependent variables and create Makefiles. --# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. -+# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. - # - # Report bugs to <fetchmail-users@lists.berlios.de>. - # - # --# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software --# Foundation, Inc. -+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. - # - # - # This configure script is free software; the Free Software Foundation -@@ -136,6 +134,31 @@ export LANGUAGE - # CDPATH. - (unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -+# Use a proper internal environment variable to ensure we don't fall -+ # into an infinite loop, continuously re-executing ourselves. -+ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then -+ _as_can_reexec=no; export _as_can_reexec; -+ # We cannot yet assume a decent shell, so we have to provide a -+# neutralization value for shells without unset; and this also -+# works around shells that cannot unset nonexistent variables. -+# Preserve -v and -x to the replacement shell. -+BASH_ENV=/dev/null -+ENV=/dev/null -+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -+case $- in # (((( -+ *v*x* | *x*v* ) as_opts=-vx ;; -+ *v* ) as_opts=-v ;; -+ *x* ) as_opts=-x ;; -+ * ) as_opts= ;; -+esac -+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -+# Admittedly, this is quite paranoid, since all the known shells bail -+# out after a failed `exec'. -+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -+as_fn_exit 255 -+ fi -+ # We don't want this to propagate to other subprocesses. -+ { _as_can_reexec=; unset _as_can_reexec;} - if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : - emulate sh -@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test - else - exitcode=1; echo positional parameters were not saved. - fi --test x\$exitcode = x0 || exit 1" -+test x\$exitcode = x0 || exit 1 -+test -x / || exit 1" - as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO - as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO - eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && -@@ -214,21 +238,25 @@ IFS=$as_save_IFS - - - if test "x$CONFIG_SHELL" != x; then : -- # We cannot yet assume a decent shell, so we have to provide a -- # neutralization value for shells without unset; and this also -- # works around shells that cannot unset nonexistent variables. -- # Preserve -v and -x to the replacement shell. -- BASH_ENV=/dev/null -- ENV=/dev/null -- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -- export CONFIG_SHELL -- case $- in # (((( -- *v*x* | *x*v* ) as_opts=-vx ;; -- *v* ) as_opts=-v ;; -- *x* ) as_opts=-x ;; -- * ) as_opts= ;; -- esac -- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} -+ export CONFIG_SHELL -+ # We cannot yet assume a decent shell, so we have to provide a -+# neutralization value for shells without unset; and this also -+# works around shells that cannot unset nonexistent variables. -+# Preserve -v and -x to the replacement shell. -+BASH_ENV=/dev/null -+ENV=/dev/null -+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -+case $- in # (((( -+ *v*x* | *x*v* ) as_opts=-vx ;; -+ *v* ) as_opts=-v ;; -+ *x* ) as_opts=-x ;; -+ * ) as_opts= ;; -+esac -+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -+# Admittedly, this is quite paranoid, since all the known shells bail -+# out after a failed `exec'. -+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -+exit 255 - fi - - if test x$as_have_required = xno; then : -@@ -331,6 +359,14 @@ $as_echo X"$as_dir" | - - - } # as_fn_mkdir_p -+ -+# as_fn_executable_p FILE -+# ----------------------- -+# Test if FILE is an executable regular file. -+as_fn_executable_p () -+{ -+ test -f "$1" && test -x "$1" -+} # as_fn_executable_p - # as_fn_append VAR VALUE - # ---------------------- - # Append the text in VALUE to the end of the definition contained in VAR. Take -@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits - chmod +x "$as_me.lineno" || - { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - -+ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have -+ # already done that, so ensure we don't try to do so again and fall -+ # in an infinite loop. This has already happened in practice. -+ _as_can_reexec=no; export _as_can_reexec - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). -@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -+ # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - fi - else -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - fi - rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file - rmdir conf$$.dir 2>/dev/null -@@ -507,28 +547,8 @@ else - as_mkdir_p=false - fi - --if test -x / >/dev/null 2>&1; then -- as_test_x='test -x' --else -- if ls -dL / >/dev/null 2>&1; then -- as_ls_L_option=L -- else -- as_ls_L_option= -- fi -- as_test_x=' -- eval sh -c '\'' -- if test -d "$1"; then -- test -d "$1/."; -- else -- case $1 in #( -- -*)set "./$1";; -- esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( -- ???[sx]*):;;*)false;;esac;fi -- '\'' sh -- ' --fi --as_executable_p=$as_test_x -+as_test_x='test -x' -+as_executable_p=as_fn_executable_p - - # Sed expression to map a string onto a valid CPP name. - as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" -@@ -742,6 +762,7 @@ infodir - docdir - oldincludedir - includedir -+runstatedir - localstatedir - sharedstatedir - sysconfdir -@@ -841,6 +862,7 @@ datadir='${datarootdir}' - sysconfdir='${prefix}/etc' - sharedstatedir='${prefix}/com' - localstatedir='${prefix}/var' -+runstatedir='${localstatedir}/run' - includedir='${prefix}/include' - oldincludedir='/usr/include' - docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' -@@ -1093,6 +1115,15 @@ do - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - -+ -runstatedir | --runstatedir | --runstatedi | --runstated \ -+ | --runstate | --runstat | --runsta | --runst | --runs \ -+ | --run | --ru | --r) -+ ac_prev=runstatedir ;; -+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ -+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ -+ | --run=* | --ru=* | --r=*) -+ runstatedir=$ac_optarg ;; -+ - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ -@@ -1230,7 +1261,7 @@ fi - for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ -- libdir localedir mandir -+ libdir localedir mandir runstatedir - do - eval ac_val=\$$ac_var - # Remove trailing slashes. -@@ -1258,8 +1289,6 @@ target=$target_alias - if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe -- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. -- If a cross compiler is detected then cross compile mode will be used" >&2 - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -@@ -1385,6 +1414,7 @@ Fine tuning of the installation director - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] -+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] -@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat - if $ac_init_version; then - cat <<\_ACEOF - fetchmail configure 6.3.26 --generated by GNU Autoconf 2.68 -+generated by GNU Autoconf 2.69 - --Copyright (C) 2010 Free Software Foundation, Inc. -+Copyright (C) 2012 Free Software Foundation, Inc. - This configure script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it. - _ACEOF -@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || -- $as_test_x conftest$ac_exeext -+ test -x conftest$ac_exeext - }; then : - ac_retval=0 - else -@@ -2030,7 +2060,8 @@ int - main () - { - static int test_array [1 - 2 * !(($2) >= 0)]; --test_array [0] = 0 -+test_array [0] = 0; -+return test_array [0]; - - ; - return 0; -@@ -2046,7 +2077,8 @@ int - main () - { - static int test_array [1 - 2 * !(($2) <= $ac_mid)]; --test_array [0] = 0 -+test_array [0] = 0; -+return test_array [0]; - - ; - return 0; -@@ -2072,7 +2104,8 @@ int - main () - { - static int test_array [1 - 2 * !(($2) < 0)]; --test_array [0] = 0 -+test_array [0] = 0; -+return test_array [0]; - - ; - return 0; -@@ -2088,7 +2121,8 @@ int - main () - { - static int test_array [1 - 2 * !(($2) >= $ac_mid)]; --test_array [0] = 0 -+test_array [0] = 0; -+return test_array [0]; - - ; - return 0; -@@ -2122,7 +2156,8 @@ int - main () - { - static int test_array [1 - 2 * !(($2) <= $ac_mid)]; --test_array [0] = 0 -+test_array [0] = 0; -+return test_array [0]; - - ; - return 0; -@@ -2195,7 +2230,7 @@ This file contains any messages produced - running configure, to aid debugging if configure makes a mistake. - - It was created by fetchmail $as_me 6.3.26, which was --generated by GNU Autoconf 2.68. Invocation command line was -+generated by GNU Autoconf 2.69. Invocation command line was - - $ $0 $@ - -@@ -2689,7 +2724,7 @@ case $as_dir/ in #(( - # by default. - for ac_prog in ginstall scoinst install; do - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then - if test $ac_prog = install && - grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. -@@ -2858,7 +2893,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_STRIP="${ac_tool_prefix}strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -2898,7 +2933,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_STRIP="strip" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -2949,7 +2984,7 @@ do - test -z "$as_dir" && as_dir=. - for ac_prog in mkdir gmkdir; do - for ac_exec_ext in '' $ac_executable_extensions; do -- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue -+ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue - case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( - 'mkdir (GNU coreutils) '* | \ - 'mkdir (coreutils) '* | \ -@@ -3002,7 +3037,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AWK="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3295,7 +3330,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3466,7 +3501,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AWK="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3512,7 +3547,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3552,7 +3587,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3605,7 +3640,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3646,7 +3681,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue -@@ -3704,7 +3739,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -3748,7 +3783,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ - /* end confdefs.h. */ - #include <stdarg.h> - #include <stdio.h> --#include <sys/types.h> --#include <sys/stat.h> -+struct stat; - /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ - struct buf { int x; }; - FILE * (*rcsopen) (struct buf *, struct stat *, int); -@@ -4751,7 +4785,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -4791,7 +4825,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -4859,7 +4893,7 @@ do - for ac_prog in grep ggrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" -- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue -+ as_fn_executable_p "$ac_path_GREP" || continue - # Check for GNU ac_path_GREP and select it if it is found. - # Check for GNU $ac_path_GREP - case `"$ac_path_GREP" --version 2>&1` in -@@ -4925,7 +4959,7 @@ do - for ac_prog in egrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" -- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue -+ as_fn_executable_p "$ac_path_EGREP" || continue - # Check for GNU ac_path_EGREP and select it if it is found. - # Check for GNU $ac_path_EGREP - case `"$ac_path_EGREP" --version 2>&1` in -@@ -5132,8 +5166,8 @@ else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ - --# define __EXTENSIONS__ 1 -- $ac_includes_default -+# define __EXTENSIONS__ 1 -+ $ac_includes_default - int - main () - { -@@ -5513,11 +5547,11 @@ else - int - main () - { --/* FIXME: Include the comments suggested by Paul. */ -+ - #ifndef __cplusplus -- /* Ultrix mips cc rejects this. */ -+ /* Ultrix mips cc rejects this sort of thing. */ - typedef int charset[2]; -- const charset cs; -+ const charset cs = { 0, 0 }; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *pcpcc; - char **ppc; -@@ -5534,8 +5568,9 @@ main () - ++pcpcc; - ppc = (char**) pcpcc; - pcpcc = (char const *const *) ppc; -- { /* SCO 3.2v4 cc rejects this. */ -- char *t; -+ { /* SCO 3.2v4 cc rejects this sort of thing. */ -+ char tx; -+ char *t = &tx; - char const *s = 0 ? (char *) 0 : (char const *) 0; - - *t++ = 0; -@@ -5551,10 +5586,10 @@ main () - iptr p = 0; - ++p; - } -- { /* AIX XL C 1.02.0.0 rejects this saying -+ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ -- struct s { int j; const int *ap[3]; }; -- struct s *b; b->j = 5; -+ struct s { int j; const int *ap[3]; } bx; -+ struct s *b = &bx; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; -@@ -5600,7 +5635,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_LEX="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -5632,7 +5667,8 @@ a { ECHO; } - b { REJECT; } - c { yymore (); } - d { yyless (1); } --e { yyless (input () != 0); } -+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ -+ yyless ((input () != 0)); } - f { unput (yytext[0]); } - . { BEGIN INITIAL; } - %% -@@ -5792,7 +5828,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_YACC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -6044,7 +6080,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -8548,7 +8584,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -8590,7 +8626,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -8632,7 +8668,7 @@ do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do -- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 -@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r - fi - - case "$LIBS" in *-lssl*) -- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h> -+ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h> - " --if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : -+if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : - ac_have_decl=1 - else - ac_have_decl=0 - fi - - cat >>confdefs.h <<_ACEOF --#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl -+#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl - _ACEOF - - ;; -@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. -- # In both cases, we have to default to `cp -p'. -+ # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - fi - else -- as_ln_s='cp -p' -+ as_ln_s='cp -pR' - fi - rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file - rmdir conf$$.dir 2>/dev/null -@@ -11403,28 +11439,16 @@ else - as_mkdir_p=false - fi - --if test -x / >/dev/null 2>&1; then -- as_test_x='test -x' --else -- if ls -dL / >/dev/null 2>&1; then -- as_ls_L_option=L -- else -- as_ls_L_option= -- fi -- as_test_x=' -- eval sh -c '\'' -- if test -d "$1"; then -- test -d "$1/."; -- else -- case $1 in #( -- -*)set "./$1";; -- esac; -- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( -- ???[sx]*):;;*)false;;esac;fi -- '\'' sh -- ' --fi --as_executable_p=$as_test_x -+ -+# as_fn_executable_p FILE -+# ----------------------- -+# Test if FILE is an executable regular file. -+as_fn_executable_p () -+{ -+ test -f "$1" && test -x "$1" -+} # as_fn_executable_p -+as_test_x='test -x' -+as_executable_p=as_fn_executable_p - - # Sed expression to map a string onto a valid CPP name. - as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" -@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri - # values after options handling. - ac_log=" - This file was extended by fetchmail $as_me 6.3.26, which was --generated by GNU Autoconf 2.68. Invocation command line was -+generated by GNU Autoconf 2.69. Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS -@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ - ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" - ac_cs_version="\\ - fetchmail config.status 6.3.26 --configured by $0, generated by GNU Autoconf 2.68, -+configured by $0, generated by GNU Autoconf 2.69, - with options \\"\$ac_cs_config\\" - --Copyright (C) 2010 Free Software Foundation, Inc. -+Copyright (C) 2012 Free Software Foundation, Inc. - This config.status script is free software; the Free Software Foundation - gives unlimited permission to copy, distribute and modify it." - -@@ -11606,7 +11630,7 @@ fi - _ACEOF - cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - if \$ac_cs_recheck; then -- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion -+ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion - shift - \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 - CONFIG_SHELL='$SHELL' ---- fetchmail-6.3.26.orig/configure.ac -+++ fetchmail-6.3.26/configure.ac -@@ -802,7 +802,7 @@ else - fi - - case "$LIBS" in *-lssl*) -- AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>]) -+ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>]) - ;; - esac - ---- fetchmail-6.3.26.orig/fetchmail-FAQ.html -+++ fetchmail-6.3.26/fetchmail-FAQ.html -@@ -667,8 +667,8 @@ because there is not currently a standar - also uses this method, so the two will interoperate happily. They - better, because this is how Craig gets his mail ;-)</p> - --<p>Finally, you can use <a href="#K5">SSL</a> for complete --end-to-end encryption if you have an SSL-enabled mailserver.</p> -+<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete -+end-to-end encryption if you have a TLS-enabled mailserver.</p> - - <h2><a id="G11" name="G11">G11. Is any special configuration needed - to use a dynamic IP address?</a></h2> -@@ -2120,7 +2120,7 @@ SSL?</a></h2> - - <p>You'll need to have the <a - href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they --should at least be version 0.9.7. -+should at least be version 0.9.8, with 1.0.1 preferred. - Configure with --with-ssl. If you have the OpenSSL libraries - installed in commonly-used default locations, this will - suffice. If you have them installed in a non-default location, -@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p> - <p>Fetchmail binaries built this way support <code>ssl</code>, - <code>sslkey</code>, and <code>sslcert</code> options that control - SSL encryption, and will automatically use <code>tls</code> if the --server offers it. You will need to have an SSL-enabled mailserver to -+server offers it. You will need to have an SSL/TLS-enabled mailserver to - use these options. See the manual page for details and some words - of care on the limited security provided.</p> - -@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s - protocol imap username MYUSERNAME password MYPASSWORD - </pre> - --<p>You should note that SSL is only secure against a "man-in-the-middle" --attack if the client is able to verify that the peer's public key is the --correct one, and has not been substituted by an attacker. fetchmail can do --this in one of two ways: by verifying the SSL certificate, or by checking --the fingerprint of the peer's public key.</p> -+<p>You should note that SSL or TLS are only secure against a -+"man-in-the-middle" attack if the client is able to verify that the -+peer's public key is the correct one, and has not been substituted by an -+attacker. fetchmail can do this in one of two ways: by verifying the SSL -+certificate, or by checking the fingerprint of the peer's public -+key.</p> - --<p>There are three parts to SSL certificate verification: checking that the -+<p>There are three parts to TLS certificate verification: checking that the - domain name in the certificate matches the hostname you asked to connect to; - checking that the certificate expiry date has not passed; and checking that - the certificate has been signed by a known Certificate Authority (CA). This -@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati - time. This can however cause problems if the upstream didn't configure - his certificates properly.</p> - --<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS) --negotiation, add this option:</p> -+<p>In order to prevent fetchmail 6.4.0 and newer versions from trying -+STLS or STARTTLS negotiation, add this option:</p> -+<pre>sslproto ''</pre> -+ -+<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) -+negotiation where the above does not work, try this option:</p> - - <pre>sslproto ssl23</pre> - -@@ -2876,15 +2881,22 @@ need to say something like '<code>envelo - - <pre> - Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92]) -- by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088 -- for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700 -+ by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088 -+ for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700 - </pre> - --<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your --mailserver before accepting 'ksturgeon@fbceg.org' as an envelope -+<p>it checks to see if 'iserv.example.net' is a DNS alias of your -+mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope - address. This check might fail if your DNS were misconfigured, or --if you were using 'no dns' and had failed to declare iserv.ttns.net --as an alias of your server.</p> -+if you were using 'no dns' and had failed to declare iserv.example.net -+as an alias of your server. The typical hint is logging similar to: -+<code>line rejected, iserv.example.net is not an alias of the mailserver</code>, -+if you use fetchmail in verbose mode.</p> -+ -+<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka -+ <em>iserv.example.net</em></code> statements in the rcfile. Replace -+<em>iserv.example.net</em> by the name you find in <strong>your</strong> -+'by' part of the 'Received:' line.</p> - - <h2><a id="M8" name="M8">M8. Users are getting multiple copies of - messages.</a></h2> -@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p> - <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my - messages.</a></h2> - -+<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p> -+ - <p>Due to the problem described in <a href="#S2">S2</a>, the - IMAP support in fetchmail cannot follow the IMAP protocol 100 %. - Most of the time it doesn't matter, but if you combine it with an -@@ -3279,8 +3293,6 @@ it at the end of the message it forwards - on, you'll get a message about actual != expected.</li> - </ol> - --<p>There is no fix for this.</p> -- - <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header - with Domino IMAP</a></h2> - ---- fetchmail-6.3.26.orig/fetchmail.c -+++ fetchmail-6.3.26/fetchmail.c -@@ -54,6 +54,10 @@ - #define ENETUNREACH 128 /* Interactive doesn't know this */ - #endif /* ENETUNREACH */ - -+#ifdef SSL_ENABLE -+#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ -+#endif -+ - /* prototypes for internal functions */ - static int load_params(int, char **, int); - static void dump_params (struct runctl *runp, struct query *, flag implicit); -@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { - "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" - " Robert M. Funk, Graham Wilson\n" - "Copyright (C) 2005 - 2012 Sunil Shetye\n" -- "Copyright (C) 2005 - 2013 Matthias Andree\n" -+ "Copyright (C) 2005 - 2015 Matthias Andree\n" - )); - fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" - "are welcome to redistribute it under certain conditions. For details,\n" -@@ -262,6 +266,9 @@ int main(int argc, char **argv) - #endif /* ODMR_ENABLE */ - #ifdef SSL_ENABLE - "+SSL" -+#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) -+ "-SSLv3" -+#endif - #endif - #ifdef OPIE_ENABLE - "+OPIE" ---- fetchmail-6.3.26.orig/fetchmail.h -+++ fetchmail-6.3.26/fetchmail.h -@@ -771,9 +771,9 @@ int servport(const char *service); - int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); - void fm_freeaddrinfo(struct addrinfo *ai); - --/* prototypes from tls.c */ --int maybe_tls(struct query *ctl); --int must_tls(struct query *ctl); -+/* prototypes from starttls.c */ -+int maybe_starttls(struct query *ctl); -+int must_starttls(struct query *ctl); - - /* prototype from rfc822valid.c */ - int rfc822_valid_msgid(const unsigned char *); ---- fetchmail-6.3.26.orig/fetchmail.man -+++ fetchmail-6.3.26/fetchmail.man -@@ -412,23 +412,22 @@ from. The folder information is written - .B \-\-ssl - (Keyword: ssl) - .br --Causes the connection to the mail server to be encrypted --via SSL. Connect to the server using the specified base protocol over a --connection secured by SSL. This option defeats opportunistic starttls --negotiation. It is highly recommended to use \-\-sslproto 'SSL3' --\-\-sslcertck to validate the certificates presented by the server and --defeat the obsolete SSLv2 negotiation. More information is available in --the \fIREADME.SSL\fP file that ships with fetchmail. --.IP --Note that fetchmail may still try to negotiate SSL through starttls even --if this option is omitted. You can use the \-\-sslproto option to defeat --this behavior or tell fetchmail to negotiate a particular SSL protocol. -+Causes the connection to the mail server to be encrypted via SSL, by -+negotiating SSL directly after connecting (SSL-wrapped mode). It is -+highly recommended to use \-\-sslcertck to validate the certificates -+presented by the server. Please see the description of \-\-sslproto -+below! More information is available in the \fIREADME.SSL\fP file that -+ships with fetchmail. -+.IP -+Note that even if this option is omitted, fetchmail may still negotiate -+SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You -+can use the \-\-sslproto option to modify that behavior. - .IP - If no port is specified, the connection is attempted to the well known - port of the SSL version of the base protocol. This is generally a - different port than the port used by the base protocol. For IMAP, this - is port 143 for the clear protocol and port 993 for the SSL secured --protocol, for POP3, it is port 110 for the clear text and port 995 for -+protocol; for POP3, it is port 110 for the clear text and port 995 for - the encrypted variant. - .IP - If your system lacks the corresponding entries from /etc/services, see -@@ -470,39 +469,73 @@ cause some complications in daemon mode. - .IP - Also see \-\-sslcert above. - .TP --.B \-\-sslproto <name> --(Keyword: sslproto) -+.B \-\-sslproto <value> -+(Keyword: sslproto, NOTE: semantic changes since v6.4.0) - .br --Forces an SSL/TLS protocol. Possible values are \fB''\fP, --\&'\fBSSL2\fP' (not supported on all systems), --\&'\fBSSL23\fP', (use of these two values is discouraged --and should only be used as a last resort) \&'\fBSSL3\fP', and --\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for --connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will --opportunistically try STARTTLS negotiation with TLS1. You can configure --this option explicitly if the default handshake (TLS1 if \-\-ssl is not --used) does not work for your server. --.IP --Use this option with '\fBTLS1\fP' value to enforce a STARTTLS --connection. In this mode, it is highly recommended to also use --\-\-sslcertck (see below). Note that this will then cause fetchmail --v6.3.19 to force STARTTLS negotiation even if it is not advertised by --the server. --.IP --To defeat opportunistic TLSv1 negotiation when the server advertises --STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This --option, even if the argument is the empty string, will also suppress the --diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose --mode. The default is to try appropriate protocols depending on context. -+This option has a dual use, out of historic fetchmail behaviour. It -+controls both the SSL/TLS protocol version and, if \-\-ssl is not -+specified, the STARTTLS behaviour (upgrading the protocol to an SSL or -+TLS connection in-band). Some other options may however make TLS -+mandatory. -+.PP -+Only if this option and \-\-ssl are both missing for a poll, there will -+be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to -+upgrade to TLSv1 or newer. -+.PP -+Recognized values for \-\-sslproto are given below. You should normally -+chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of -+the options ending in a plus (\fB+\fP) character. Note that depending -+on OpenSSL library version and configuration, some options cause -+run-time errors because the requested SSL or TLS versions are not -+supported by the particular installed OpenSSL library. -+.RS -+.IP "\fB''\fP, the empty string" -+Disable STARTTLS. If \-\-ssl is given for the same server, log an error -+and pretend that '\fBauto\fP' had been used instead. -+.IP '\fBauto\fP' -+(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. -+(fetchmail 6.3.26 and older have auto-negotiated all protocols that -+their OpenSSL library supported, including the broken SSLv3). -+.IP "\&'\fBSSL23\fP' -+see '\fBauto\fP'. -+.IP \&'\fBSSL3\fP' -+Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it -+if possible. This will make fetchmail negotiate SSLv3 only, and is the -+only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. -+.IP \&'\fBSSL3+\fP' -+same as '\fBauto\fP', but permit SSLv3 as well. This is the only way -+besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. -+.IP \&'\fBTLS1\fP' -+Require TLSv1. This does not negotiate TLSv1.1 or newer, and is -+discouraged. Replace by TLS1+ unless the latter chokes your server. -+.IP \&'\fBTLS1+\fP' -+Since v6.4.0. See 'fBauto\fP'. -+.IP \&'\fBTLS1.1\fP' -+Since v6.4.0. Require TLS v1.1 exactly. -+.IP \&'\fBTLS1.1+\fP' -+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. -+.IP \&'\fBTLS1.2\fP' -+Since v6.4.0. Require TLS v1.2 exactly. -+.IP '\fBTLS1.2+\fP' -+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. -+.IP "Unrecognized parameters" -+are treated the same as '\fBauto\fP'. -+.RE -+.IP -+NOTE: you should hardly ever need to use anything other than '' (to -+force an unencrypted connection) or 'auto' (to enforce TLS). - .TP - .B \-\-sslcertck - (Keyword: sslcertck) - .br --Causes fetchmail to strictly check the server certificate against a set of --local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP --options). If the server certificate cannot be obtained or is not signed by one --of the trusted ones (directly or indirectly), the SSL connection will fail, --regardless of the \fBsslfingerprint\fP option. -+Causes fetchmail to require that SSL/TLS be used and disconnect if it -+can not successfully negotiate SSL or TLS, or if it cannot successfully -+verify and validate the certificate and follow it to a trust anchor (or -+trusted root certificate). The trust anchors are given as a set of local -+trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP -+options). If the server certificate cannot be obtained or is not signed -+by one of the trusted ones (directly or indirectly), fetchmail will -+disconnect, regardless of the \fBsslfingerprint\fP option. - .IP - Note that CRL (certificate revocation lists) are only supported in - OpenSSL 0.9.7 and newer! Your system clock should also be reasonably -@@ -1202,31 +1235,33 @@ capability response. Specify a user opti - username and the part to the right as the NTLM domain. - - .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) -+.PP All retrieval protocols can use SSL or TLS wrapping for the -+transport. Additionally, POP3 and IMAP retrival can also negotiate -+SSL/TLS by means of STARTTLS (or STLS). - .PP - Note that fetchmail currently uses the OpenSSL library, which is - severely underdocumented, so failures may occur just because the - programmers are not aware of OpenSSL's requirement of the day. - For instance, since v6.3.16, fetchmail calls - OpenSSL_add_all_algorithms(), which is necessary to support certificates --using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the --documentation and not at all obvious. Please do not hesitate to report --subtle SSL failures. --.PP --You can access SSL encrypted services by specifying the \-\-ssl option. --You can also do this using the "ssl" user option in the .fetchmailrc --file. With SSL encryption enabled, queries are initiated over a --connection after negotiating an SSL session, and the connection fails if --SSL cannot be negotiated. Some services, such as POP3 and IMAP, have -+using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in -+the documentation and not at all obvious. Please do not hesitate to -+report subtle SSL failures. -+.PP -+You can access SSL encrypted services by specifying the options starting -+with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. -+You can also do this using the corresponding user options in the .fetchmailrc -+file. Some services, such as POP3 and IMAP, have - different well known ports defined for the SSL encrypted services. The - encrypted ports will be selected automatically when SSL is enabled and --no explicit port is specified. The \-\-sslproto 'SSL3' option should be --used to select the SSLv3 protocol (default if unset: v2 or v3). Also, --the \-\-sslcertck command line or sslcertck run control file option --should be used to force strict certificate checking - see below. -+no explicit port is specified. Also, the \-\-sslcertck command line or -+sslcertck run control file option should be used to force strict -+certificate checking - see below. - .PP - If SSL is not configured, fetchmail will usually opportunistically try to use --STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS --connections use the same port as the unencrypted version of the -+STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and -+defeated by using \-\-sslproto\~''. -+TLS connections use the same port as the unencrypted version of the - protocol and negotiate TLS via special command. The \-\-sslcertck - command line or sslcertck run control file option should be used to - force strict certificate checking - see below. ---- fetchmail-6.3.26.orig/imap.c -+++ fetchmail-6.3.26/imap.c -@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct - /* apply for connection authorization */ - { - int ok = 0; -+ char *commonname; -+ - (void)greeting; - - /* -@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct - return(PS_SUCCESS); - } - --#ifdef SSL_ENABLE -- if (maybe_tls(ctl)) { -- char *commonname; -- -- commonname = ctl->server.pollname; -- if (ctl->server.via) -- commonname = ctl->server.via; -- if (ctl->sslcommonname) -- commonname = ctl->sslcommonname; -+ commonname = ctl->server.pollname; -+ if (ctl->server.via) -+ commonname = ctl->server.via; -+ if (ctl->sslcommonname) -+ commonname = ctl->sslcommonname; - -- if (strstr(capabilities, "STARTTLS") -- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ -+#ifdef SSL_ENABLE -+ if (maybe_starttls(ctl)) { -+ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) -+ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ - { -- /* Use "tls1" rather than ctl->sslproto because tls1 is the only -- * protocol that will work with STARTTLS. Don't need to worry -- * whether TLS is mandatory or opportunistic unless SSLOpen() fails -- * (see below). */ -+ /* Don't need to worry whether TLS is mandatory or -+ * opportunistic unless SSLOpen() fails (see below). */ - if (gen_transact(sock, "STARTTLS") == PS_SUCCESS -- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, -+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, - ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, - ctl->server.pollname, &ctl->remotename)) != -1) - { -@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct - { - report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); - } -- } else if (must_tls(ctl)) { -+ } else if (must_starttls(ctl)) { - /* Config required TLS but we couldn't guarantee it, so we must - * stop. */ - set_timeout(0); -@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct - /* Usable. Proceed with authenticating insecurely. */ - } - } -+ } else { -+ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { -+ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); -+ } - } - #endif /* SSL_ENABLE */ - ---- fetchmail-6.3.26.orig/po/Makevars -+++ fetchmail-6.3.26/po/Makevars -@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis - # This is the list of locale categories, beyond LC_MESSAGES, for which the - # message catalogs shall be used. It is usually empty. - EXTRA_LOCALE_CATEGORIES = -+ -+# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' -+# context. Possible values are "yes" and "no". Set this to yes if the -+# package uses functions taking also a message context, like pgettext(), or -+# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. -+USE_MSGCTXT = no -+ -+# These options get passed to msgmerge. -+# Useful options are in particular: -+# --previous to keep previous msgids of translated messages, -+# --quiet to reduce the verbosity. -+MSGMERGE_OPTIONS = ---- fetchmail-6.3.26.orig/pop3.c -+++ fetchmail-6.3.26/pop3.c -@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct - #endif /* OPIE_ENABLE */ - #ifdef SSL_ENABLE - flag connection_may_have_tls_errors = FALSE; -+ char *commonname; - #endif /* SSL_ENABLE */ - - done_capa = FALSE; -@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct - (ctl->server.authenticate == A_KERBEROS_V5) || - (ctl->server.authenticate == A_OTP) || - (ctl->server.authenticate == A_CRAM_MD5) || -- maybe_tls(ctl)) -+ maybe_starttls(ctl)) - { - if ((ok = capa_probe(sock)) != PS_SUCCESS) - /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ -@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct - (ok == PS_SOCKET && !ctl->wehaveauthed)) - { - #ifdef SSL_ENABLE -- if (must_tls(ctl)) { -+ if (must_starttls(ctl)) { - /* fail with mandatory STLS without repoll */ - report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); - report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); - return ok; -- } else if (maybe_tls(ctl)) { -+ } else if (maybe_starttls(ctl)) { - /* defeat opportunistic STLS */ - xfree(ctl->sslproto); - ctl->sslproto = xstrdup(""); -@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct - } - - #ifdef SSL_ENABLE -- if (maybe_tls(ctl)) { -- char *commonname; -+ commonname = ctl->server.pollname; -+ if (ctl->server.via) -+ commonname = ctl->server.via; -+ if (ctl->sslcommonname) -+ commonname = ctl->sslcommonname; - -- commonname = ctl->server.pollname; -- if (ctl->server.via) -- commonname = ctl->server.via; -- if (ctl->sslcommonname) -- commonname = ctl->sslcommonname; -- -- if (has_stls -- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ -+ if (maybe_starttls(ctl)) { -+ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ - { -- /* Use "tls1" rather than ctl->sslproto because tls1 is the only -- * protocol that will work with STARTTLS. Don't need to worry -- * whether TLS is mandatory or opportunistic unless SSLOpen() fails -- * (see below). */ -+ /* Don't need to worry whether TLS is mandatory or -+ * opportunistic unless SSLOpen() fails (see below). */ - if (gen_transact(sock, "STLS") == PS_SUCCESS -- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, -+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, - ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, - ctl->server.pollname, &ctl->remotename)) != -1) - { -@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct - { - report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); - } -- } else if (must_tls(ctl)) { -+ } else if (must_starttls(ctl)) { - /* Config required TLS but we couldn't guarantee it, so we must - * stop. */ - set_timeout(0); -@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct - } - } - } -- } /* maybe_tls() */ -+ } else { /* maybe_starttls() */ -+ if (has_stls && outlevel >= O_VERBOSE) { -+ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); -+ } -+ } /* maybe_starttls() */ - #endif /* SSL_ENABLE */ - - /* ---- fetchmail-6.3.26.orig/socket.c -+++ fetchmail-6.3.26/socket.c -@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char - { - struct stat randstat; - int i; -+ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - long sslopts = SSL_OP_ALL; -+ int ssle_connect = 0; - - SSL_load_error_strings(); - SSL_library_init(); -@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char - /* Make sure a connection referring to an older context is not left */ - _ssl_context[sock] = NULL; - if(myproto) { -- if(!strcasecmp("ssl2",myproto)) { --#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 -- _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); -+ if(!strcasecmp("ssl3",myproto)) { -+#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) -+ _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); -+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; - #else -- report(stderr, GT_("Your operating system does not support SSLv2.\n")); -+ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); - return -1; - #endif -- } else if(!strcasecmp("ssl3",myproto)) { -- _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); -+ } else if(!strcasecmp("ssl3+",myproto)) { -+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; -+ myproto = NULL; - } else if(!strcasecmp("tls1",myproto)) { - _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); -- } else if (!strcasecmp("ssl23",myproto)) { -+ } else if(!strcasecmp("tls1+",myproto)) { -+ myproto = NULL; -+#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION -+ } else if(!strcasecmp("tls1.1",myproto)) { -+ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); -+ } else if(!strcasecmp("tls1.1+",myproto)) { -+ myproto = NULL; -+ avoid_ssl_versions |= SSL_OP_NO_TLSv1; -+#else -+ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { -+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); -+ return -1; -+#endif -+#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION -+ } else if(!strcasecmp("tls1.2",myproto)) { -+ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); -+ } else if(!strcasecmp("tls1.2+",myproto)) { -+ myproto = NULL; -+ avoid_ssl_versions |= SSL_OP_NO_TLSv1; -+ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; -+#else -+ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { -+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); -+ return -1; -+#endif -+ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { - myproto = NULL; - } else { -- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); -+ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); - myproto = NULL; - } - } -- if(!myproto) { -+ // do not combine into an else { } as myproto may be nulled -+ // above! -+ if (!myproto) { -+ // SSLv23 is a misnomer and will in fact use the best -+ // available protocol, subject to SSL_OP_NO* -+ // constraints. - _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); - } - if(_ctx[sock] == NULL) { -@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char - sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - } - -- SSL_CTX_set_options(_ctx[sock], sslopts); -+ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); - - if (certck) { - SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); -@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char - } - - if (SSL_set_fd(_ssl_context[sock], sock) == 0 -- || SSL_connect(_ssl_context[sock]) < 1) { -+ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { -+ int e = errno; -+ unsigned long ssle_err_from_queue = ERR_peek_error(); -+ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); - ERR_print_errors_fp(stderr); -+ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { -+ if (0 == ssle_connect) { -+ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); -+ } else if (ssle_connect < 0) { -+ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); -+ } -+ } - SSL_free( _ssl_context[sock] ); - _ssl_context[sock] = NULL; - SSL_CTX_free(_ctx[sock]); -@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char - return(-1); - } - -+ if (outlevel >= O_VERBOSE) { -+ SSL_CIPHER const *sc; -+ int bitsmax, bitsused; -+ -+ const char *ver; -+ -+ ver = SSL_get_version(_ssl_context[sock]); -+ -+ sc = SSL_get_current_cipher(_ssl_context[sock]); -+ if (!sc) { -+ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); -+ } else { -+ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); -+ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), -+ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); -+ } -+ } -+ - /* Paranoia: was the callback not called as we expected? */ - if (!_depth0ck) { - report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); ---- /dev/null -+++ fetchmail-6.3.26/starttls.c -@@ -0,0 +1,37 @@ -+/** \file tls.c - collect common TLS functionality -+ * \author Matthias Andree -+ * \date 2006 -+ */ -+ -+#include "fetchmail.h" -+ -+#include <string.h> -+ -+#ifdef HAVE_STRINGS_H -+#include <strings.h> -+#endif -+ -+/** return true if user allowed opportunistic STARTTLS/STLS */ -+int maybe_starttls(struct query *ctl) { -+#ifdef SSL_ENABLE -+ /* opportunistic or forced TLS */ -+ return (!ctl->sslproto || strlen(ctl->sslproto)) -+ && !ctl->use_ssl; -+#else -+ (void)ctl; -+ return 0; -+#endif -+} -+ -+/** return true if user requires STARTTLS/STLS, note though that this -+ * code must always use a logical AND with maybe_tls(). */ -+int must_starttls(struct query *ctl) { -+#ifdef SSL_ENABLE -+ return maybe_starttls(ctl) -+ && (ctl->sslfingerprint || ctl->sslcertck -+ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); -+#else -+ (void)ctl; -+ return 0; -+#endif -+} diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb index 5af5d0df62..21caa918a6 100644 --- a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb +++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb @@ -3,15 +3,14 @@ HOMEPAGE = "http://www.fetchmail.info/" DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC." SECTION = "mail" LICENSE = "GPLv2 & MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c" +LIC_FILES_CHKSUM = "file://COPYING;md5=ca53985c1fd053ae0bffffaa89ed49f1" DEPENDS = "openssl" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ - file://02_remove_SSLv3.patch \ " -SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3" -SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850" +SRC_URI[md5sum] = "c2b836a919cdd4ec53b06b70e0aa3e63" +SRC_URI[sha256sum] = "3f33f11dd08c3e8cc3e9d18eec686b1626d4818f4d5a72791507bbc4dce6a9a0" inherit autotools gettext python-dir pythonnative |