From 358ad2b9cf55f8c4d6de88b7ef74674740543fdc Mon Sep 17 00:00:00 2001
From: Khem Raj
Date: Wed, 5 Sep 2018 13:48:31 -0700
Subject: fetchmail: Fix build with OpenSSL 1.1.x

Backport a patch from Debian

Signed-off-by: Khem Raj
---
 .../fetchmail/fetchmail/02_remove_SSLv3.patch | 1576 ++++++++++++++++++++
 .../recipes-support/fetchmail/fetchmail_6.3.26.bb | 4 +-
 2 files changed, 1579 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch

(limited to 'meta-networking')

diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
new file mode 100644
index 0000000000..95cfa2f4a1
--- /dev/null
+++ b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
@@ -0,0 +1,1576 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + fetchmail (6.3.26-2) unstable; urgency=low + . + * New maintainer (closes: #800750). + * Backport upstream fix for SSLv3 removal (closes: #804604) and do not + recommend SSLv3 (closes: #801178). + * Remove quilt and its usage. + * Add dh-python to build depends. + * Update upstream URLs. + * Update watch file. + * Update Standards-Version to 3.9.6 . +Author: Laszlo Boszormenyi (GCS) +Bug-Debian: https://bugs.debian.org/800750 +Bug-Debian: https://bugs.debian.org/801178 +Bug-Debian: https://bugs.debian.org/804604 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- fetchmail-6.3.26.orig/Makefile.am ++++ fetchmail-6.3.26/Makefile.am +@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ +- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ ++ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ + xmalloc.h sdump.h sdump.c x509_name_match.c \ + fm_strl.h md5c.c + if NTLM_ENABLE +--- fetchmail-6.3.26.orig/Makefile.in ++++ fetchmail-6.3.26/Makefile.in +@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas + rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c ntlmsubr.c + @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) + am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ + rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ + servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ + smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ +- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ ++ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ + sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ + $(am__objects_1) + libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) +@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h 
libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c $(am__append_1) + libfm_a_LIBADD = $(EXTRAOBJ) + libfm_a_DEPENDENCIES = $(EXTRAOBJ) +--- fetchmail-6.3.26.orig/NEWS ++++ fetchmail-6.3.26/NEWS +@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) + * The --bsmtp - mode of operation may be removed in a future release. + * Given that OpenSSL is severely underdocumented, and needs license exceptions, + fetchmail may switch to a different SSL library. +-* SSLv2 support will be removed from a future fetchmail release. It has been +- obsolete for more than a decade. + + -------------------------------------------------------------------------------- + +--- fetchmail-6.3.26.orig/README.SSL ++++ fetchmail-6.3.26/README.SSL +@@ -11,36 +11,45 @@ specific to fetchmail. + In case of troubles, mail the README.SSL-SERVER file to your ISP and + have them check their server configuration against it. + +-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether +-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is +-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot +-be fixed in a bugfix release. ++Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a ++service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) ++or is totally SSL-wrapped on a separate port. For compatibility ++reasons, this cannot be fixed in a bugfix or minor release. ++ ++Also, fetchmail 6.4.0 and newer releases changed some of the semantics ++as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. ++If your server does not support this, you may have to specify --sslproto ++ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 ++and v3 are broken. 
+ +- -- Matthias Andree, 2009-05-09 ++ -- Matthias Andree, 2015-01-16 + + + Quickstart + ---------- + ++Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get ++TLSv1.2 support. ++ + For use of SSL or TLS with in-band negotiation on the regular service's port, + i. e. with STLS or STARTTLS, use these command line options + +- --sslproto tls1 --sslcertck ++ --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- sslproto tls1 sslcertck ++ sslproto auto sslcertck + + + For use of SSL or TLS on a separate port, if the whole TCP connection is +-SSL-encrypted from the very beginning, use these command line options (in the +-rcfile, omit all leading "--"): ++SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these ++command line options (in the rcfile, omit all leading "--"): + +- --ssl --sslproto ssl3 --sslcertck ++ --ssl --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- ssl sslproto ssl3 sslcertck ++ ssl sslproto auto sslcertck + + + Background and use (long version :-)) +--- fetchmail-6.3.26.orig/config.h.in ++++ fetchmail-6.3.26/config.h.in +@@ -49,9 +49,9 @@ + don't. */ + #undef HAVE_DECL_H_ERRNO + +-/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 ++/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 + if you don't. */ +-#undef HAVE_DECL_SSLV2_CLIENT_METHOD ++#undef HAVE_DECL_SSLV3_CLIENT_METHOD + + /* Define to 1 if you have the declaration of `strerror', and to 0 if you + don't. */ +--- fetchmail-6.3.26.orig/configure ++++ fetchmail-6.3.26/configure +@@ -1,13 +1,11 @@ + #! /bin/sh + # Guess values for system-dependent variables and create Makefiles. +-# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. ++# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. + # + # Report bugs to . 
+ # + # +-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +-# Foundation, Inc. ++# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. + # + # + # This configure script is free software; the Free Software Foundation +@@ -136,6 +134,31 @@ export LANGUAGE + # CDPATH. + (unset CDPATH) >/dev/null 2>&1 && unset CDPATH + ++# Use a proper internal environment variable to ensure we don't fall ++ # into an infinite loop, continuously re-executing ourselves. ++ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then ++ _as_can_reexec=no; export _as_can_reexec; ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++as_fn_exit 255 ++ fi ++ # We don't want this to propagate to other subprocesses. ++ { _as_can_reexec=; unset _as_can_reexec;} + if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh +@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test + else + exitcode=1; echo positional parameters were not saved. 
+ fi +-test x\$exitcode = x0 || exit 1" ++test x\$exitcode = x0 || exit 1 ++test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && +@@ -214,21 +238,25 @@ IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : +- # We cannot yet assume a decent shell, so we have to provide a +- # neutralization value for shells without unset; and this also +- # works around shells that cannot unset nonexistent variables. +- # Preserve -v and -x to the replacement shell. +- BASH_ENV=/dev/null +- ENV=/dev/null +- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +- export CONFIG_SHELL +- case $- in # (((( +- *v*x* | *x*v* ) as_opts=-vx ;; +- *v* ) as_opts=-v ;; +- *x* ) as_opts=-x ;; +- * ) as_opts= ;; +- esac +- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} ++ export CONFIG_SHELL ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++exit 255 + fi + + if test x$as_have_required = xno; then : +@@ -331,6 +359,14 @@ $as_echo X"$as_dir" | + + + } # as_fn_mkdir_p ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. 
++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p + # as_fn_append VAR VALUE + # ---------------------- + # Append the text in VALUE to the end of the definition contained in VAR. Take +@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + ++ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have ++ # already done that, so ensure we don't try to do so again and fall ++ # in an infinite loop. This has already happened in practice. ++ _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). +@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -507,28 +547,8 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -742,6 +762,7 @@ infodir + docdir + oldincludedir + includedir ++runstatedir + localstatedir + sharedstatedir + sysconfdir +@@ -841,6 +862,7 @@ datadir='${datarootdir}' + sysconfdir='${prefix}/etc' + sharedstatedir='${prefix}/com' + localstatedir='${prefix}/var' ++runstatedir='${localstatedir}/run' + includedir='${prefix}/include' + oldincludedir='/usr/include' + docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +@@ -1093,6 +1115,15 @@ do + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + ++ -runstatedir | --runstatedir | --runstatedi | --runstated \ ++ | --runstate | --runstat | --runsta | --runst | --runs \ ++ | --run | --ru | --r) ++ ac_prev=runstatedir ;; ++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ ++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ ++ | --run=* | --ru=* | --r=*) ++ runstatedir=$ac_optarg ;; ++ + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | 
--sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +@@ -1230,7 +1261,7 @@ fi + for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir ++ libdir localedir mandir runstatedir + do + eval ac_val=\$$ac_var + # Remove trailing slashes. +@@ -1258,8 +1289,6 @@ target=$target_alias + if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe +- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. +- If a cross compiler is detected then cross compile mode will be used" >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +@@ -1385,6 +1414,7 @@ Fine tuning of the installation director + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] ++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] +@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat + if $ac_init_version; then + cat <<\_ACEOF + fetchmail configure 6.3.26 +-generated by GNU Autoconf 2.68 ++generated by GNU Autoconf 2.69 + +-Copyright (C) 2010 Free Software Foundation, Inc. ++Copyright (C) 2012 Free Software Foundation, Inc. + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + _ACEOF +@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext ++ test -x conftest$ac_exeext + }; then : + ac_retval=0 + else +@@ -2030,7 +2060,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2046,7 +2077,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2072,7 +2104,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) < 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2088,7 +2121,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2122,7 +2156,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2195,7 +2230,7 @@ This file contains any messages produced + running configure, to aid debugging if configure makes a mistake. + + It was created by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +@@ -2689,7 +2724,7 @@ case $as_dir/ in #(( + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. +@@ -2858,7 +2893,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2898,7 +2933,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2949,7 +2984,7 @@ do + test -z "$as_dir" && as_dir=. + for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do +- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue ++ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ +@@ -3002,7 +3037,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3295,7 +3330,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3466,7 +3501,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3512,7 +3547,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3552,7 +3587,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3605,7 +3640,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3646,7 +3681,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue +@@ -3704,7 +3739,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3748,7 +3783,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ + /* end confdefs.h. */ + #include + #include +-#include +-#include ++struct stat; + /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ + struct buf { int x; }; + FILE * (*rcsopen) (struct buf *, struct stat *, int); +@@ -4751,7 +4785,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4791,7 +4825,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4859,7 +4893,7 @@ do + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue ++ as_fn_executable_p "$ac_path_GREP" || continue + # Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP + case `"$ac_path_GREP" --version 2>&1` in +@@ -4925,7 +4959,7 @@ do + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue ++ as_fn_executable_p "$ac_path_EGREP" || continue + # Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP + case `"$ac_path_EGREP" --version 2>&1` in +@@ -5132,8 +5166,8 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +-# define __EXTENSIONS__ 1 +- $ac_includes_default ++# define __EXTENSIONS__ 1 ++ $ac_includes_default + int + main () + { +@@ -5513,11 +5547,11 @@ else + int + main () + { +-/* FIXME: Include the comments suggested by Paul. 
*/ ++ + #ifndef __cplusplus +- /* Ultrix mips cc rejects this. */ ++ /* Ultrix mips cc rejects this sort of thing. */ + typedef int charset[2]; +- const charset cs; ++ const charset cs = { 0, 0 }; + /* SunOS 4.1.1 cc rejects this. */ + char const *const *pcpcc; + char **ppc; +@@ -5534,8 +5568,9 @@ main () + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; +- { /* SCO 3.2v4 cc rejects this. */ +- char *t; ++ { /* SCO 3.2v4 cc rejects this sort of thing. */ ++ char tx; ++ char *t = &tx; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; +@@ -5551,10 +5586,10 @@ main () + iptr p = 0; + ++p; + } +- { /* AIX XL C 1.02.0.0 rejects this saying ++ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ +- struct s { int j; const int *ap[3]; }; +- struct s *b; b->j = 5; ++ struct s { int j; const int *ap[3]; } bx; ++ struct s *b = &bx; b->j = 5; + } + { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; +@@ -5600,7 +5635,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_LEX="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -5632,7 +5667,8 @@ a { ECHO; } + b { REJECT; } + c { yymore (); } + d { yyless (1); } +-e { yyless (input () != 0); } ++e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ ++ yyless ((input () != 0)); } + f { unput (yytext[0]); } + . { BEGIN INITIAL; } + %% +@@ -5792,7 +5828,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_YACC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -6044,7 +6080,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8548,7 +8584,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8590,7 +8626,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8632,7 +8668,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r + fi + + case "$LIBS" in *-lssl*) +- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include ++ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include + " +-if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : ++if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : + ac_have_decl=1 + else + ac_have_decl=0 + fi + + cat >>confdefs.h <<_ACEOF +-#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl ++#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl + _ACEOF + + ;; +@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -11403,28 +11439,16 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. ++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri + # values after options handling. + ac_log=" + This file was extended by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS +@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ + ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" + ac_cs_version="\\ + fetchmail config.status 6.3.26 +-configured by $0, generated by GNU Autoconf 2.68, ++configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +-Copyright (C) 2010 Free Software Foundation, Inc. 
++Copyright (C) 2012 Free Software Foundation, Inc. + This config.status script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it." + +@@ -11606,7 +11630,7 @@ fi + _ACEOF + cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + if \$ac_cs_recheck; then +- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion ++ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' +--- fetchmail-6.3.26.orig/configure.ac ++++ fetchmail-6.3.26/configure.ac +@@ -802,7 +802,7 @@ else + fi + + case "$LIBS" in *-lssl*) +- AC_CHECK_DECLS([SSLv2_client_method],,,[#include ]) ++ AC_CHECK_DECLS([SSLv3_client_method],,,[#include ]) + ;; + esac + +--- fetchmail-6.3.26.orig/fetchmail-FAQ.html ++++ fetchmail-6.3.26/fetchmail-FAQ.html +@@ -667,8 +667,8 @@ because there is not currently a standar + also uses this method, so the two will interoperate happily. They + better, because this is how Craig gets his mail ;-)

+ +-

Finally, you can use SSL for complete +-end-to-end encryption if you have an SSL-enabled mailserver.

++

Finally, you can use SSL or TLS for complete ++end-to-end encryption if you have a TLS-enabled mailserver.

+ +

G11. Is any special configuration needed + to use a dynamic IP address?

+@@ -2120,7 +2120,7 @@ SSL? + +

You'll need to have the OpenSSL libraries installed, and they +-should at least be version 0.9.7. ++should at least be version 0.9.8, with 1.0.1 preferred. + Configure with --with-ssl. If you have the OpenSSL libraries + installed in commonly-used default locations, this will + suffice. If you have them installed in a non-default location, +@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.

+

Fetchmail binaries built this way support ssl, + sslkey, and sslcert options that control + SSL encryption, and will automatically use tls if the +-server offers it. You will need to have an SSL-enabled mailserver to ++server offers it. You will need to have an SSL/TLS-enabled mailserver to + use these options. See the manual page for details and some words + of care on the limited security provided.

+ +@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s + protocol imap username MYUSERNAME password MYPASSWORD + + +-

You should note that SSL is only secure against a "man-in-the-middle" +-attack if the client is able to verify that the peer's public key is the +-correct one, and has not been substituted by an attacker. fetchmail can do +-this in one of two ways: by verifying the SSL certificate, or by checking +-the fingerprint of the peer's public key.

++

You should note that SSL or TLS are only secure against a ++"man-in-the-middle" attack if the client is able to verify that the ++peer's public key is the correct one, and has not been substituted by an ++attacker. fetchmail can do this in one of two ways: by verifying the SSL ++certificate, or by checking the fingerprint of the peer's public ++key.

+ +-

There are three parts to SSL certificate verification: checking that the ++

There are three parts to TLS certificate verification: checking that the + domain name in the certificate matches the hostname you asked to connect to; + checking that the certificate expiry date has not passed; and checking that + the certificate has been signed by a known Certificate Authority (CA). This +@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati + time. This can however cause problems if the upstream didn't configure + his certificates properly.

+ +-

In order to prevent fetchmail from trying TLS (STLS, STARTTLS) +-negotiation, add this option:

++

In order to prevent fetchmail 6.4.0 and newer versions from trying ++STLS or STARTTLS negotiation, add this option:

++
sslproto ''
++ ++

In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) ++negotiation where the above does not work, try this option:

+ +
sslproto ssl23
+ +@@ -2876,15 +2881,22 @@ need to say something like 'envelo + +
+ Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
+-    by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
+-    for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700
++    by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
++    for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700
+ 
+ +-

it checks to see if 'iserv.ttns.net' is a DNS alias of your +-mailserver before accepting 'ksturgeon@fbceg.org' as an envelope ++

it checks to see if 'iserv.example.net' is a DNS alias of your ++mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope + address. This check might fail if your DNS were misconfigured, or +-if you were using 'no dns' and had failed to declare iserv.ttns.net +-as an alias of your server.

++if you were using 'no dns' and had failed to declare iserv.example.net ++as an alias of your server. The typical hint is logging similar to: ++line rejected, iserv.example.net is not an alias of the mailserver, ++if you use fetchmail in verbose mode.

++ ++

Workaround: You can specify the alias explicitly, with aka ++ iserv.example.net statements in the rcfile. Replace ++iserv.example.net by the name you find in your ++'by' part of the 'Received:' line.

+ +

M8. Users are getting multiple copies of + messages.

+@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".

+

X8. A spurious ) is being appended to my + messages.

+ ++

Fetchmail 6.3.5 and newer releases are supposed to fix this.

++ +

Due to the problem described in S2, the + IMAP support in fetchmail cannot follow the IMAP protocol 100 %. + Most of the time it doesn't matter, but if you combine it with an +@@ -3279,8 +3293,6 @@ it at the end of the message it forwards + on, you'll get a message about actual != expected. + + +-

There is no fix for this.

+- +

X9. Missing "Content-Transfer-Encoding" header + with Domino IMAP

+ +--- fetchmail-6.3.26.orig/fetchmail.c ++++ fetchmail-6.3.26/fetchmail.c +@@ -54,6 +54,10 @@ + #define ENETUNREACH 128 /* Interactive doesn't know this */ + #endif /* ENETUNREACH */ + ++#ifdef SSL_ENABLE ++#include /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ ++#endif ++ + /* prototypes for internal functions */ + static int load_params(int, char **, int); + static void dump_params (struct runctl *runp, struct query *, flag implicit); +@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { + "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" + " Robert M. Funk, Graham Wilson\n" + "Copyright (C) 2005 - 2012 Sunil Shetye\n" +- "Copyright (C) 2005 - 2013 Matthias Andree\n" ++ "Copyright (C) 2005 - 2015 Matthias Andree\n" + )); + fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" + "are welcome to redistribute it under certain conditions. For details,\n" +@@ -262,6 +266,9 @@ int main(int argc, char **argv) + #endif /* ODMR_ENABLE */ + #ifdef SSL_ENABLE + "+SSL" ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) ++ "-SSLv3" ++#endif + #endif + #ifdef OPIE_ENABLE + "+OPIE" +--- fetchmail-6.3.26.orig/fetchmail.h ++++ fetchmail-6.3.26/fetchmail.h +@@ -771,9 +771,9 @@ int servport(const char *service); + int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); + void fm_freeaddrinfo(struct addrinfo *ai); + +-/* prototypes from tls.c */ +-int maybe_tls(struct query *ctl); +-int must_tls(struct query *ctl); ++/* prototypes from starttls.c */ ++int maybe_starttls(struct query *ctl); ++int must_starttls(struct query *ctl); + + /* prototype from rfc822valid.c */ + int rfc822_valid_msgid(const unsigned char *); +--- fetchmail-6.3.26.orig/fetchmail.man ++++ fetchmail-6.3.26/fetchmail.man +@@ -412,23 +412,22 @@ from. 
The folder information is written + .B \-\-ssl + (Keyword: ssl) + .br +-Causes the connection to the mail server to be encrypted +-via SSL. Connect to the server using the specified base protocol over a +-connection secured by SSL. This option defeats opportunistic starttls +-negotiation. It is highly recommended to use \-\-sslproto 'SSL3' +-\-\-sslcertck to validate the certificates presented by the server and +-defeat the obsolete SSLv2 negotiation. More information is available in +-the \fIREADME.SSL\fP file that ships with fetchmail. +-.IP +-Note that fetchmail may still try to negotiate SSL through starttls even +-if this option is omitted. You can use the \-\-sslproto option to defeat +-this behavior or tell fetchmail to negotiate a particular SSL protocol. ++Causes the connection to the mail server to be encrypted via SSL, by ++negotiating SSL directly after connecting (SSL-wrapped mode). It is ++highly recommended to use \-\-sslcertck to validate the certificates ++presented by the server. Please see the description of \-\-sslproto ++below! More information is available in the \fIREADME.SSL\fP file that ++ships with fetchmail. ++.IP ++Note that even if this option is omitted, fetchmail may still negotiate ++SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You ++can use the \-\-sslproto option to modify that behavior. + .IP + If no port is specified, the connection is attempted to the well known + port of the SSL version of the base protocol. This is generally a + different port than the port used by the base protocol. For IMAP, this + is port 143 for the clear protocol and port 993 for the SSL secured +-protocol, for POP3, it is port 110 for the clear text and port 995 for ++protocol; for POP3, it is port 110 for the clear text and port 995 for + the encrypted variant. + .IP + If your system lacks the corresponding entries from /etc/services, see +@@ -470,39 +469,73 @@ cause some complications in daemon mode. 
+ .IP + Also see \-\-sslcert above. + .TP +-.B \-\-sslproto +-(Keyword: sslproto) ++.B \-\-sslproto ++(Keyword: sslproto, NOTE: semantic changes since v6.4.0) + .br +-Forces an SSL/TLS protocol. Possible values are \fB''\fP, +-\&'\fBSSL2\fP' (not supported on all systems), +-\&'\fBSSL23\fP', (use of these two values is discouraged +-and should only be used as a last resort) \&'\fBSSL3\fP', and +-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for +-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will +-opportunistically try STARTTLS negotiation with TLS1. You can configure +-this option explicitly if the default handshake (TLS1 if \-\-ssl is not +-used) does not work for your server. +-.IP +-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS +-connection. In this mode, it is highly recommended to also use +-\-\-sslcertck (see below). Note that this will then cause fetchmail +-v6.3.19 to force STARTTLS negotiation even if it is not advertised by +-the server. +-.IP +-To defeat opportunistic TLSv1 negotiation when the server advertises +-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This +-option, even if the argument is the empty string, will also suppress the +-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose +-mode. The default is to try appropriate protocols depending on context. ++This option has a dual use, out of historic fetchmail behaviour. It ++controls both the SSL/TLS protocol version and, if \-\-ssl is not ++specified, the STARTTLS behaviour (upgrading the protocol to an SSL or ++TLS connection in-band). Some other options may however make TLS ++mandatory. ++.PP ++Only if this option and \-\-ssl are both missing for a poll, there will ++be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to ++upgrade to TLSv1 or newer. ++.PP ++Recognized values for \-\-sslproto are given below. You should normally ++chose one of the auto-negotiating options, i. e. 
'\fBauto\fP' or one of ++the options ending in a plus (\fB+\fP) character. Note that depending ++on OpenSSL library version and configuration, some options cause ++run-time errors because the requested SSL or TLS versions are not ++supported by the particular installed OpenSSL library. ++.RS ++.IP "\fB''\fP, the empty string" ++Disable STARTTLS. If \-\-ssl is given for the same server, log an error ++and pretend that '\fBauto\fP' had been used instead. ++.IP '\fBauto\fP' ++(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. ++(fetchmail 6.3.26 and older have auto-negotiated all protocols that ++their OpenSSL library supported, including the broken SSLv3). ++.IP "\&'\fBSSL23\fP' ++see '\fBauto\fP'. ++.IP \&'\fBSSL3\fP' ++Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it ++if possible. This will make fetchmail negotiate SSLv3 only, and is the ++only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBSSL3+\fP' ++same as '\fBauto\fP', but permit SSLv3 as well. This is the only way ++besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBTLS1\fP' ++Require TLSv1. This does not negotiate TLSv1.1 or newer, and is ++discouraged. Replace by TLS1+ unless the latter chokes your server. ++.IP \&'\fBTLS1+\fP' ++Since v6.4.0. See 'fBauto\fP'. ++.IP \&'\fBTLS1.1\fP' ++Since v6.4.0. Require TLS v1.1 exactly. ++.IP \&'\fBTLS1.1+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. ++.IP \&'\fBTLS1.2\fP' ++Since v6.4.0. Require TLS v1.2 exactly. ++.IP '\fBTLS1.2+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. ++.IP "Unrecognized parameters" ++are treated the same as '\fBauto\fP'. ++.RE ++.IP ++NOTE: you should hardly ever need to use anything other than '' (to ++force an unencrypted connection) or 'auto' (to enforce TLS). 
+ .TP + .B \-\-sslcertck + (Keyword: sslcertck) + .br +-Causes fetchmail to strictly check the server certificate against a set of +-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP +-options). If the server certificate cannot be obtained or is not signed by one +-of the trusted ones (directly or indirectly), the SSL connection will fail, +-regardless of the \fBsslfingerprint\fP option. ++Causes fetchmail to require that SSL/TLS be used and disconnect if it ++can not successfully negotiate SSL or TLS, or if it cannot successfully ++verify and validate the certificate and follow it to a trust anchor (or ++trusted root certificate). The trust anchors are given as a set of local ++trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP ++options). If the server certificate cannot be obtained or is not signed ++by one of the trusted ones (directly or indirectly), fetchmail will ++disconnect, regardless of the \fBsslfingerprint\fP option. + .IP + Note that CRL (certificate revocation lists) are only supported in + OpenSSL 0.9.7 and newer! Your system clock should also be reasonably +@@ -1202,31 +1235,33 @@ capability response. Specify a user opti + username and the part to the right as the NTLM domain. + + .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) ++.PP All retrieval protocols can use SSL or TLS wrapping for the ++transport. Additionally, POP3 and IMAP retrival can also negotiate ++SSL/TLS by means of STARTTLS (or STLS). + .PP + Note that fetchmail currently uses the OpenSSL library, which is + severely underdocumented, so failures may occur just because the + programmers are not aware of OpenSSL's requirement of the day. + For instance, since v6.3.16, fetchmail calls + OpenSSL_add_all_algorithms(), which is necessary to support certificates +-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the +-documentation and not at all obvious. 
Please do not hesitate to report +-subtle SSL failures. +-.PP +-You can access SSL encrypted services by specifying the \-\-ssl option. +-You can also do this using the "ssl" user option in the .fetchmailrc +-file. With SSL encryption enabled, queries are initiated over a +-connection after negotiating an SSL session, and the connection fails if +-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have ++using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in ++the documentation and not at all obvious. Please do not hesitate to ++report subtle SSL failures. ++.PP ++You can access SSL encrypted services by specifying the options starting ++with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. ++You can also do this using the corresponding user options in the .fetchmailrc ++file. Some services, such as POP3 and IMAP, have + different well known ports defined for the SSL encrypted services. The + encrypted ports will be selected automatically when SSL is enabled and +-no explicit port is specified. The \-\-sslproto 'SSL3' option should be +-used to select the SSLv3 protocol (default if unset: v2 or v3). Also, +-the \-\-sslcertck command line or sslcertck run control file option +-should be used to force strict certificate checking - see below. ++no explicit port is specified. Also, the \-\-sslcertck command line or ++sslcertck run control file option should be used to force strict ++certificate checking - see below. + .PP + If SSL is not configured, fetchmail will usually opportunistically try to use +-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS +-connections use the same port as the unencrypted version of the ++STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and ++defeated by using \-\-sslproto\~''. ++TLS connections use the same port as the unencrypted version of the + protocol and negotiate TLS via special command. 
The \-\-sslcertck + command line or sslcertck run control file option should be used to + force strict certificate checking - see below. +--- fetchmail-6.3.26.orig/imap.c ++++ fetchmail-6.3.26/imap.c +@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct + /* apply for connection authorization */ + { + int ok = 0; ++ char *commonname; ++ + (void)greeting; + + /* +@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct + return(PS_SUCCESS); + } + +-#ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; +- +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- if (strstr(capabilities, "STARTTLS") +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++#ifdef SSL_ENABLE ++ if (maybe_starttls(ctl)) { ++ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) ++ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). 
*/ + if (gen_transact(sock, "STARTTLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct + /* Usable. Proceed with authenticating insecurely. */ + } + } ++ } else { ++ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); ++ } + } + #endif /* SSL_ENABLE */ + +--- fetchmail-6.3.26.orig/po/Makevars ++++ fetchmail-6.3.26/po/Makevars +@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis + # This is the list of locale categories, beyond LC_MESSAGES, for which the + # message catalogs shall be used. It is usually empty. + EXTRA_LOCALE_CATEGORIES = ++ ++# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' ++# context. Possible values are "yes" and "no". Set this to yes if the ++# package uses functions taking also a message context, like pgettext(), or ++# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. ++USE_MSGCTXT = no ++ ++# These options get passed to msgmerge. ++# Useful options are in particular: ++# --previous to keep previous msgids of translated messages, ++# --quiet to reduce the verbosity. 
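Review bot: The `commonname` computation (`commonname = ctl->server.pollname;` through the `ctl->sslcommonname` override) now sits before `#ifdef SSL_ENABLE`, and the declaration added in the `@@ -405` hunk is likewise unconditional, so in a build without SSL_ENABLE the variable is assigned and never read, which -Wunused-but-set-variable will flag. The pop3.c hunks in this same patch keep both the declaration and the assignments inside `#ifdef SSL_ENABLE`; doing the same here keeps the two protocol drivers consistent. The inner condition `(strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))` also re-tests what the enclosing `if (maybe_starttls(ctl))` has just established, so `if (strstr(capabilities, "STARTTLS") || must_starttls(ctl))` is equivalent and clearer. imap_getauth() starts before this hunk and continues after it.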
++MSGMERGE_OPTIONS = +--- fetchmail-6.3.26.orig/pop3.c ++++ fetchmail-6.3.26/pop3.c +@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct + #endif /* OPIE_ENABLE */ + #ifdef SSL_ENABLE + flag connection_may_have_tls_errors = FALSE; ++ char *commonname; + #endif /* SSL_ENABLE */ + + done_capa = FALSE; +@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct + (ctl->server.authenticate == A_KERBEROS_V5) || + (ctl->server.authenticate == A_OTP) || + (ctl->server.authenticate == A_CRAM_MD5) || +- maybe_tls(ctl)) ++ maybe_starttls(ctl)) + { + if ((ok = capa_probe(sock)) != PS_SUCCESS) + /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ +@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct + (ok == PS_SOCKET && !ctl->wehaveauthed)) + { + #ifdef SSL_ENABLE +- if (must_tls(ctl)) { ++ if (must_starttls(ctl)) { + /* fail with mandatory STLS without repoll */ + report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); + report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); + return ok; +- } else if (maybe_tls(ctl)) { ++ } else if (maybe_starttls(ctl)) { + /* defeat opportunistic STLS */ + xfree(ctl->sslproto); + ctl->sslproto = xstrdup(""); +@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct + } + + #ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; +- +- if (has_stls +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++ if (maybe_starttls(ctl)) { ++ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with 
STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct + } + } + } +- } /* maybe_tls() */ ++ } else { /* maybe_starttls() */ ++ if (has_stls && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); ++ } ++ } /* maybe_starttls() */ + #endif /* SSL_ENABLE */ + + /* +--- fetchmail-6.3.26.orig/socket.c ++++ fetchmail-6.3.26/socket.c +@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char + { + struct stat randstat; + int i; ++ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + long sslopts = SSL_OP_ALL; ++ int ssle_connect = 0; + + SSL_load_error_strings(); + SSL_library_init(); +@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char + /* Make sure a connection referring to an older context is not left */ + _ssl_context[sock] = NULL; + if(myproto) { +- if(!strcasecmp("ssl2",myproto)) { +-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 +- _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); ++ if(!strcasecmp("ssl3",myproto)) { ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == 
OPENSSL_NO_SSL3 + 0) ++ _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; + #else +- report(stderr, GT_("Your operating system does not support SSLv2.\n")); ++ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); + return -1; + #endif +- } else if(!strcasecmp("ssl3",myproto)) { +- _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++ } else if(!strcasecmp("ssl3+",myproto)) { ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; ++ myproto = NULL; + } else if(!strcasecmp("tls1",myproto)) { + _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); +- } else if (!strcasecmp("ssl23",myproto)) { ++ } else if(!strcasecmp("tls1+",myproto)) { ++ myproto = NULL; ++#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION ++ } else if(!strcasecmp("tls1.1",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); ++ } else if(!strcasecmp("tls1.1+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++#else ++ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); ++ return -1; ++#endif ++#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION ++ } else if(!strcasecmp("tls1.2",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); ++ } else if(!strcasecmp("tls1.2+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; ++#else ++ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); ++ return -1; ++#endif ++ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { + myproto = NULL; + } else { +- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); ++ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); + myproto 
= NULL; + } + } +- if(!myproto) { ++ // do not combine into an else { } as myproto may be nulled ++ // above! ++ if (!myproto) { ++ // SSLv23 is a misnomer and will in fact use the best ++ // available protocol, subject to SSL_OP_NO* ++ // constraints. + _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); + } + if(_ctx[sock] == NULL) { +@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char + sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + +- SSL_CTX_set_options(_ctx[sock], sslopts); ++ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); + + if (certck) { + SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); +@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char + } + + if (SSL_set_fd(_ssl_context[sock], sock) == 0 +- || SSL_connect(_ssl_context[sock]) < 1) { ++ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { ++ int e = errno; ++ unsigned long ssle_err_from_queue = ERR_peek_error(); ++ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); + ERR_print_errors_fp(stderr); ++ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { ++ if (0 == ssle_connect) { ++ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); ++ } else if (ssle_connect < 0) { ++ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); ++ } ++ } + SSL_free( _ssl_context[sock] ); + _ssl_context[sock] = NULL; + SSL_CTX_free(_ctx[sock]); +@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char + return(-1); + } + ++ if (outlevel >= O_VERBOSE) { ++ SSL_CIPHER const *sc; ++ int bitsmax, bitsused; ++ ++ const char *ver; ++ ++ ver = SSL_get_version(_ssl_context[sock]); ++ ++ sc = SSL_get_current_cipher(_ssl_context[sock]); ++ if (!sc) { ++ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); ++ } else { ++ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); ++ report(stdout, GT_("SSL/TLS: 
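Review bot: The guard `#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0)` in the `ssl3` branch does not do what it says: when OPENSSL_NO_SSL3 is defined with no value, as OpenSSL's generated opensslconf.h does, the right-hand test expands to `0 == + 0` and is true, so the branch is kept out of no-ssl3 builds only if HAVE_DECL_SSLV3_CLIENT_METHOD happens to be 0. The `-SSLv3` version-string check in the fetchmail.c hunk uses `defined(OPENSSL_NO_SSL3)`, and the same form belongs here: `#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0) && !defined(OPENSSL_NO_SSL3)`. Separately, `avoid_ssl_versions` is declared `int` but holds SSL_OP_* bits and is OR-ed into the `long sslopts` passed to SSL_CTX_set_options(); `long avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` keeps the option mask width consistent. SSLOpen() begins and ends outside this hunk.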
using protocol %s, cipher %s, %d/%d secret/processed bits\n"), ++ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); ++ } ++ } ++ + /* Paranoia: was the callback not called as we expected? */ + if (!_depth0ck) { + report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); +--- /dev/null ++++ fetchmail-6.3.26/starttls.c +@@ -0,0 +1,37 @@ ++/** \file tls.c - collect common TLS functionality ++ * \author Matthias Andree ++ * \date 2006 ++ */ ++ ++#include "fetchmail.h" ++ ++#include ++ ++#ifdef HAVE_STRINGS_H ++#include ++#endif ++ ++/** return true if user allowed opportunistic STARTTLS/STLS */ ++int maybe_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ /* opportunistic or forced TLS */ ++ return (!ctl->sslproto || strlen(ctl->sslproto)) ++ && !ctl->use_ssl; ++#else ++ (void)ctl; ++ return 0; ++#endif ++} ++ ++/** return true if user requires STARTTLS/STLS, note though that this ++ * code must always use a logical AND with maybe_tls(). */ ++int must_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ return maybe_starttls(ctl) ++ && (ctl->sslfingerprint || ctl->sslcertck ++ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); ++#else ++ (void)ctl; ++ return 0; ++#endif ++} diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb index 1d78288c88..5af5d0df62 100644 --- a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb +++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c" DEPENDS = "openssl" -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz" +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ + file://02_remove_SSLv3.patch \ + " SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3" SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850" -- cgit 1.2.3-korg
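Review bot: `must_starttls()` makes STARTTLS mandatory only when sslproto is exactly "tls1" (or sslcertck/sslfingerprint is set), yet the fetchmail.man hunk in this same patch describes 'auto', 'TLS1+', 'TLS1.1+' and 'TLS1.2+' as "Require TLS"; with, say, `sslproto auto` and no sslcertck, a failed STLS/STARTTLS still reaches the "Proceed with authenticating insecurely" fallback visible in the imap.c hunk. Either the `"tls1"` comparison should be widened to the set of values the man page lists as mandatory, or the man page text should state that on this 6.3.26 backport only sslcertck, sslfingerprint or `sslproto tls1` refuse the plaintext fallback; as it stands a user reading the shipped manual expects a downgrade to be refused when it is not. Also, the header still says `\file tls.c` and the comment on `must_starttls()` refers to `maybe_tls()`; both should follow the rename, `\file starttls.c` and `maybe_starttls()`.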