aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZang Ruochen <zangrc.fnst@cn.fujitsu.com>2019-10-09 15:25:44 +0800
committerKhem Raj <raj.khem@gmail.com>2019-10-09 00:35:31 -0700
commit10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc (patch)
tree838fcfe8d75688b13f60a86061bc13c8a866ac2f
parenta705a7f19761a2fded62a86f66c4d010abcdcc65 (diff)
downloadmeta-openembedded-contrib-10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc.tar.gz
meta-openembedded-contrib-10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc.tar.bz2
meta-openembedded-contrib-10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc.zip
fetchmail: upgrade 6.3.26 -> 6.4.1
-License-Update: Copyright year updated to 2019. -fetchmail/02_remove_SSLv3.patch Removed since this is included in 6.4.1. Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch1576
-rw-r--r--meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb (renamed from meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb)7
2 files changed, 3 insertions, 1580 deletions
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
deleted file mode 100644
index 95cfa2f4a1..0000000000
--- a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
+++ /dev/null
@@ -1,1576 +0,0 @@
-Description: <short summary of the patch>
- TODO: Put a short summary on the line above and replace this paragraph
- with a longer explanation of this change. Complete the meta-information
- with other relevant fields (see below for details). To make it easier, the
- information below has been extracted from the changelog. Adjust it or drop
- it.
- .
- fetchmail (6.3.26-2) unstable; urgency=low
- .
- * New maintainer (closes: #800750).
- * Backport upstream fix for SSLv3 removal (closes: #804604) and do not
- recommend SSLv3 (closes: #801178).
- * Remove quilt and its usage.
- * Add dh-python to build depends.
- * Update upstream URLs.
- * Update watch file.
- * Update Standards-Version to 3.9.6 .
-Author: Laszlo Boszormenyi (GCS) <gcs@debian.org>
-Bug-Debian: https://bugs.debian.org/800750
-Bug-Debian: https://bugs.debian.org/801178
-Bug-Debian: https://bugs.debian.org/804604
-
----
-The information above should follow the Patch Tagging Guidelines, please
-checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
-are templates for supplementary fields that you might want to add:
-
-Origin: <vendor|upstream|other>, <url of original patch>
-Bug: <url in upstream bugtracker>
-Bug-Debian: https://bugs.debian.org/<bugnumber>
-Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
-Forwarded: <no|not-needed|url proving that it has been forwarded>
-Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: <YYYY-MM-DD>
-
---- fetchmail-6.3.26.orig/Makefile.am
-+++ fetchmail-6.3.26/Makefile.am
-@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8
- servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
- smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
- libesmtp/gethostbyname.h libesmtp/gethostbyname.c \
-- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \
-+ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \
- xmalloc.h sdump.h sdump.c x509_name_match.c \
- fm_strl.h md5c.c
- if NTLM_ENABLE
---- fetchmail-6.3.26.orig/Makefile.in
-+++ fetchmail-6.3.26/Makefile.in
-@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas
- rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
- smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
- libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
-- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
-+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
- x509_name_match.c fm_strl.h md5c.c ntlmsubr.c
- @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT)
- am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \
- rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \
- servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \
- smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \
-- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \
-+ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \
- sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \
- $(am__objects_1)
- libfm_a_OBJECTS = $(am_libfm_a_OBJECTS)
-@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc
- servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
- smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
- libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
-- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
-+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
- x509_name_match.c fm_strl.h md5c.c $(am__append_1)
- libfm_a_LIBADD = $(EXTRAOBJ)
- libfm_a_DEPENDENCIES = $(EXTRAOBJ)
---- fetchmail-6.3.26.orig/NEWS
-+++ fetchmail-6.3.26/NEWS
-@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.)
- * The --bsmtp - mode of operation may be removed in a future release.
- * Given that OpenSSL is severely underdocumented, and needs license exceptions,
- fetchmail may switch to a different SSL library.
--* SSLv2 support will be removed from a future fetchmail release. It has been
-- obsolete for more than a decade.
-
- --------------------------------------------------------------------------------
-
---- fetchmail-6.3.26.orig/README.SSL
-+++ fetchmail-6.3.26/README.SSL
-@@ -11,36 +11,45 @@ specific to fetchmail.
- In case of troubles, mail the README.SSL-SERVER file to your ISP and
- have them check their server configuration against it.
-
--Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether
--a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is
--totally SSL-wrapped on a separate port. For compatibility reasons, this cannot
--be fixed in a bugfix release.
-+Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a
-+service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4)
-+or is totally SSL-wrapped on a separate port. For compatibility
-+reasons, this cannot be fixed in a bugfix or minor release.
-+
-+Also, fetchmail 6.4.0 and newer releases changed some of the semantics
-+as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
-+If your server does not support this, you may have to specify --sslproto
-+ssl3. This is in order to prefer the newer TLS protocols, because SSLv2
-+and v3 are broken.
-
-- -- Matthias Andree, 2009-05-09
-+ -- Matthias Andree, 2015-01-16
-
-
- Quickstart
- ----------
-
-+Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get
-+TLSv1.2 support.
-+
- For use of SSL or TLS with in-band negotiation on the regular service's port,
- i. e. with STLS or STARTTLS, use these command line options
-
-- --sslproto tls1 --sslcertck
-+ --sslproto auto --sslcertck
-
- or these options in the rcfile (after the respective "user"... options)
-
-- sslproto tls1 sslcertck
-+ sslproto auto sslcertck
-
-
- For use of SSL or TLS on a separate port, if the whole TCP connection is
--SSL-encrypted from the very beginning, use these command line options (in the
--rcfile, omit all leading "--"):
-+SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
-+command line options (in the rcfile, omit all leading "--"):
-
-- --ssl --sslproto ssl3 --sslcertck
-+ --ssl --sslproto auto --sslcertck
-
- or these options in the rcfile (after the respective "user"... options)
-
-- ssl sslproto ssl3 sslcertck
-+ ssl sslproto auto sslcertck
-
-
- Background and use (long version :-))
---- fetchmail-6.3.26.orig/config.h.in
-+++ fetchmail-6.3.26/config.h.in
-@@ -49,9 +49,9 @@
- don't. */
- #undef HAVE_DECL_H_ERRNO
-
--/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0
-+/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0
- if you don't. */
--#undef HAVE_DECL_SSLV2_CLIENT_METHOD
-+#undef HAVE_DECL_SSLV3_CLIENT_METHOD
-
- /* Define to 1 if you have the declaration of `strerror', and to 0 if you
- don't. */
---- fetchmail-6.3.26.orig/configure
-+++ fetchmail-6.3.26/configure
-@@ -1,13 +1,11 @@
- #! /bin/sh
- # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26.
-+# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26.
- #
- # Report bugs to <fetchmail-users@lists.berlios.de>.
- #
- #
--# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
--# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
--# Foundation, Inc.
-+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
- #
- #
- # This configure script is free software; the Free Software Foundation
-@@ -136,6 +134,31 @@ export LANGUAGE
- # CDPATH.
- (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-+# Use a proper internal environment variable to ensure we don't fall
-+ # into an infinite loop, continuously re-executing ourselves.
-+ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
-+ _as_can_reexec=no; export _as_can_reexec;
-+ # We cannot yet assume a decent shell, so we have to provide a
-+# neutralization value for shells without unset; and this also
-+# works around shells that cannot unset nonexistent variables.
-+# Preserve -v and -x to the replacement shell.
-+BASH_ENV=/dev/null
-+ENV=/dev/null
-+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-+case $- in # ((((
-+ *v*x* | *x*v* ) as_opts=-vx ;;
-+ *v* ) as_opts=-v ;;
-+ *x* ) as_opts=-x ;;
-+ * ) as_opts= ;;
-+esac
-+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
-+# Admittedly, this is quite paranoid, since all the known shells bail
-+# out after a failed `exec'.
-+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
-+as_fn_exit 255
-+ fi
-+ # We don't want this to propagate to other subprocesses.
-+ { _as_can_reexec=; unset _as_can_reexec;}
- if test "x$CONFIG_SHELL" = x; then
- as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
- emulate sh
-@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test
- else
- exitcode=1; echo positional parameters were not saved.
- fi
--test x\$exitcode = x0 || exit 1"
-+test x\$exitcode = x0 || exit 1
-+test -x / || exit 1"
- as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
- as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
- eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
-@@ -214,21 +238,25 @@ IFS=$as_save_IFS
-
-
- if test "x$CONFIG_SHELL" != x; then :
-- # We cannot yet assume a decent shell, so we have to provide a
-- # neutralization value for shells without unset; and this also
-- # works around shells that cannot unset nonexistent variables.
-- # Preserve -v and -x to the replacement shell.
-- BASH_ENV=/dev/null
-- ENV=/dev/null
-- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-- export CONFIG_SHELL
-- case $- in # ((((
-- *v*x* | *x*v* ) as_opts=-vx ;;
-- *v* ) as_opts=-v ;;
-- *x* ) as_opts=-x ;;
-- * ) as_opts= ;;
-- esac
-- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
-+ export CONFIG_SHELL
-+ # We cannot yet assume a decent shell, so we have to provide a
-+# neutralization value for shells without unset; and this also
-+# works around shells that cannot unset nonexistent variables.
-+# Preserve -v and -x to the replacement shell.
-+BASH_ENV=/dev/null
-+ENV=/dev/null
-+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
-+case $- in # ((((
-+ *v*x* | *x*v* ) as_opts=-vx ;;
-+ *v* ) as_opts=-v ;;
-+ *x* ) as_opts=-x ;;
-+ * ) as_opts= ;;
-+esac
-+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
-+# Admittedly, this is quite paranoid, since all the known shells bail
-+# out after a failed `exec'.
-+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
-+exit 255
- fi
-
- if test x$as_have_required = xno; then :
-@@ -331,6 +359,14 @@ $as_echo X"$as_dir" |
-
-
- } # as_fn_mkdir_p
-+
-+# as_fn_executable_p FILE
-+# -----------------------
-+# Test if FILE is an executable regular file.
-+as_fn_executable_p ()
-+{
-+ test -f "$1" && test -x "$1"
-+} # as_fn_executable_p
- # as_fn_append VAR VALUE
- # ----------------------
- # Append the text in VALUE to the end of the definition contained in VAR. Take
-@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
- chmod +x "$as_me.lineno" ||
- { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
-
-+ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
-+ # already done that, so ensure we don't try to do so again and fall
-+ # in an infinite loop. This has already happened in practice.
-+ _as_can_reexec=no; export _as_can_reexec
- # Don't try to exec as it changes $[0], causing all sort of problems
- # (the dirname of $[0] is not the place where we might find the
- # original and so on. Autoconf is especially sensitive to this).
-@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
- # ... but there are two gotchas:
- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-+ # In both cases, we have to default to `cp -pR'.
- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- elif ln conf$$.file conf$$ 2>/dev/null; then
- as_ln_s=ln
- else
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- fi
- else
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- fi
- rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
- rmdir conf$$.dir 2>/dev/null
-@@ -507,28 +547,8 @@ else
- as_mkdir_p=false
- fi
-
--if test -x / >/dev/null 2>&1; then
-- as_test_x='test -x'
--else
-- if ls -dL / >/dev/null 2>&1; then
-- as_ls_L_option=L
-- else
-- as_ls_L_option=
-- fi
-- as_test_x='
-- eval sh -c '\''
-- if test -d "$1"; then
-- test -d "$1/.";
-- else
-- case $1 in #(
-- -*)set "./$1";;
-- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-- ???[sx]*):;;*)false;;esac;fi
-- '\'' sh
-- '
--fi
--as_executable_p=$as_test_x
-+as_test_x='test -x'
-+as_executable_p=as_fn_executable_p
-
- # Sed expression to map a string onto a valid CPP name.
- as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-@@ -742,6 +762,7 @@ infodir
- docdir
- oldincludedir
- includedir
-+runstatedir
- localstatedir
- sharedstatedir
- sysconfdir
-@@ -841,6 +862,7 @@ datadir='${datarootdir}'
- sysconfdir='${prefix}/etc'
- sharedstatedir='${prefix}/com'
- localstatedir='${prefix}/var'
-+runstatedir='${localstatedir}/run'
- includedir='${prefix}/include'
- oldincludedir='/usr/include'
- docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
-@@ -1093,6 +1115,15 @@ do
- | -silent | --silent | --silen | --sile | --sil)
- silent=yes ;;
-
-+ -runstatedir | --runstatedir | --runstatedi | --runstated \
-+ | --runstate | --runstat | --runsta | --runst | --runs \
-+ | --run | --ru | --r)
-+ ac_prev=runstatedir ;;
-+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
-+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
-+ | --run=* | --ru=* | --r=*)
-+ runstatedir=$ac_optarg ;;
-+
- -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
- ac_prev=sbindir ;;
- -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
-@@ -1230,7 +1261,7 @@ fi
- for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
- datadir sysconfdir sharedstatedir localstatedir includedir \
- oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-- libdir localedir mandir
-+ libdir localedir mandir runstatedir
- do
- eval ac_val=\$$ac_var
- # Remove trailing slashes.
-@@ -1258,8 +1289,6 @@ target=$target_alias
- if test "x$host_alias" != x; then
- if test "x$build_alias" = x; then
- cross_compiling=maybe
-- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
-- If a cross compiler is detected then cross compile mode will be used" >&2
- elif test "x$build_alias" != "x$host_alias"; then
- cross_compiling=yes
- fi
-@@ -1385,6 +1414,7 @@ Fine tuning of the installation director
- --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
- --localstatedir=DIR modifiable single-machine data [PREFIX/var]
-+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
- --libdir=DIR object code libraries [EPREFIX/lib]
- --includedir=DIR C header files [PREFIX/include]
- --oldincludedir=DIR C header files for non-gcc [/usr/include]
-@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat
- if $ac_init_version; then
- cat <<\_ACEOF
- fetchmail configure 6.3.26
--generated by GNU Autoconf 2.68
-+generated by GNU Autoconf 2.69
-
--Copyright (C) 2010 Free Software Foundation, Inc.
-+Copyright (C) 2012 Free Software Foundation, Inc.
- This configure script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it.
- _ACEOF
-@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5
- test ! -s conftest.err
- } && test -s conftest$ac_exeext && {
- test "$cross_compiling" = yes ||
-- $as_test_x conftest$ac_exeext
-+ test -x conftest$ac_exeext
- }; then :
- ac_retval=0
- else
-@@ -2030,7 +2060,8 @@ int
- main ()
- {
- static int test_array [1 - 2 * !(($2) >= 0)];
--test_array [0] = 0
-+test_array [0] = 0;
-+return test_array [0];
-
- ;
- return 0;
-@@ -2046,7 +2077,8 @@ int
- main ()
- {
- static int test_array [1 - 2 * !(($2) <= $ac_mid)];
--test_array [0] = 0
-+test_array [0] = 0;
-+return test_array [0];
-
- ;
- return 0;
-@@ -2072,7 +2104,8 @@ int
- main ()
- {
- static int test_array [1 - 2 * !(($2) < 0)];
--test_array [0] = 0
-+test_array [0] = 0;
-+return test_array [0];
-
- ;
- return 0;
-@@ -2088,7 +2121,8 @@ int
- main ()
- {
- static int test_array [1 - 2 * !(($2) >= $ac_mid)];
--test_array [0] = 0
-+test_array [0] = 0;
-+return test_array [0];
-
- ;
- return 0;
-@@ -2122,7 +2156,8 @@ int
- main ()
- {
- static int test_array [1 - 2 * !(($2) <= $ac_mid)];
--test_array [0] = 0
-+test_array [0] = 0;
-+return test_array [0];
-
- ;
- return 0;
-@@ -2195,7 +2230,7 @@ This file contains any messages produced
- running configure, to aid debugging if configure makes a mistake.
-
- It was created by fetchmail $as_me 6.3.26, which was
--generated by GNU Autoconf 2.68. Invocation command line was
-+generated by GNU Autoconf 2.69. Invocation command line was
-
- $ $0 $@
-
-@@ -2689,7 +2724,7 @@ case $as_dir/ in #((
- # by default.
- for ac_prog in ginstall scoinst install; do
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
- if test $ac_prog = install &&
- grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
- # AIX install. It has an incompatible calling convention.
-@@ -2858,7 +2893,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_STRIP="${ac_tool_prefix}strip"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -2898,7 +2933,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_STRIP="strip"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -2949,7 +2984,7 @@ do
- test -z "$as_dir" && as_dir=.
- for ac_prog in mkdir gmkdir; do
- for ac_exec_ext in '' $ac_executable_extensions; do
-- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
-+ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
- case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
- 'mkdir (GNU coreutils) '* | \
- 'mkdir (coreutils) '* | \
-@@ -3002,7 +3037,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_AWK="$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3295,7 +3330,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3466,7 +3501,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_AWK="$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3512,7 +3547,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}gcc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3552,7 +3587,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="gcc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3605,7 +3640,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}cc"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3646,7 +3681,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
-@@ -3704,7 +3739,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -3748,7 +3783,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
- /* end confdefs.h. */
- #include <stdarg.h>
- #include <stdio.h>
--#include <sys/types.h>
--#include <sys/stat.h>
-+struct stat;
- /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
- struct buf { int x; };
- FILE * (*rcsopen) (struct buf *, struct stat *, int);
-@@ -4751,7 +4785,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -4791,7 +4825,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_RANLIB="ranlib"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -4859,7 +4893,7 @@ do
- for ac_prog in grep ggrep; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-+ as_fn_executable_p "$ac_path_GREP" || continue
- # Check for GNU ac_path_GREP and select it if it is found.
- # Check for GNU $ac_path_GREP
- case `"$ac_path_GREP" --version 2>&1` in
-@@ -4925,7 +4959,7 @@ do
- for ac_prog in egrep; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-+ as_fn_executable_p "$ac_path_EGREP" || continue
- # Check for GNU ac_path_EGREP and select it if it is found.
- # Check for GNU $ac_path_EGREP
- case `"$ac_path_EGREP" --version 2>&1` in
-@@ -5132,8 +5166,8 @@ else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
--# define __EXTENSIONS__ 1
-- $ac_includes_default
-+# define __EXTENSIONS__ 1
-+ $ac_includes_default
- int
- main ()
- {
-@@ -5513,11 +5547,11 @@ else
- int
- main ()
- {
--/* FIXME: Include the comments suggested by Paul. */
-+
- #ifndef __cplusplus
-- /* Ultrix mips cc rejects this. */
-+ /* Ultrix mips cc rejects this sort of thing. */
- typedef int charset[2];
-- const charset cs;
-+ const charset cs = { 0, 0 };
- /* SunOS 4.1.1 cc rejects this. */
- char const *const *pcpcc;
- char **ppc;
-@@ -5534,8 +5568,9 @@ main ()
- ++pcpcc;
- ppc = (char**) pcpcc;
- pcpcc = (char const *const *) ppc;
-- { /* SCO 3.2v4 cc rejects this. */
-- char *t;
-+ { /* SCO 3.2v4 cc rejects this sort of thing. */
-+ char tx;
-+ char *t = &tx;
- char const *s = 0 ? (char *) 0 : (char const *) 0;
-
- *t++ = 0;
-@@ -5551,10 +5586,10 @@ main ()
- iptr p = 0;
- ++p;
- }
-- { /* AIX XL C 1.02.0.0 rejects this saying
-+ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying
- "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
-- struct s { int j; const int *ap[3]; };
-- struct s *b; b->j = 5;
-+ struct s { int j; const int *ap[3]; } bx;
-+ struct s *b = &bx; b->j = 5;
- }
- { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
- const int foo = 10;
-@@ -5600,7 +5635,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_LEX="$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -5632,7 +5667,8 @@ a { ECHO; }
- b { REJECT; }
- c { yymore (); }
- d { yyless (1); }
--e { yyless (input () != 0); }
-+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */
-+ yyless ((input () != 0)); }
- f { unput (yytext[0]); }
- . { BEGIN INITIAL; }
- %%
-@@ -5792,7 +5828,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_YACC="$ac_prog"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -6044,7 +6080,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -8548,7 +8584,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -8590,7 +8626,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -8632,7 +8668,7 @@ do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
-- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
-@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r
- fi
-
- case "$LIBS" in *-lssl*)
-- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h>
-+ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h>
- "
--if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then :
-+if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then :
- ac_have_decl=1
- else
- ac_have_decl=0
- fi
-
- cat >>confdefs.h <<_ACEOF
--#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl
-+#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl
- _ACEOF
-
- ;;
-@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then
- # ... but there are two gotchas:
- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-- # In both cases, we have to default to `cp -p'.
-+ # In both cases, we have to default to `cp -pR'.
- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- elif ln conf$$.file conf$$ 2>/dev/null; then
- as_ln_s=ln
- else
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- fi
- else
-- as_ln_s='cp -p'
-+ as_ln_s='cp -pR'
- fi
- rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
- rmdir conf$$.dir 2>/dev/null
-@@ -11403,28 +11439,16 @@ else
- as_mkdir_p=false
- fi
-
--if test -x / >/dev/null 2>&1; then
-- as_test_x='test -x'
--else
-- if ls -dL / >/dev/null 2>&1; then
-- as_ls_L_option=L
-- else
-- as_ls_L_option=
-- fi
-- as_test_x='
-- eval sh -c '\''
-- if test -d "$1"; then
-- test -d "$1/.";
-- else
-- case $1 in #(
-- -*)set "./$1";;
-- esac;
-- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
-- ???[sx]*):;;*)false;;esac;fi
-- '\'' sh
-- '
--fi
--as_executable_p=$as_test_x
-+
-+# as_fn_executable_p FILE
-+# -----------------------
-+# Test if FILE is an executable regular file.
-+as_fn_executable_p ()
-+{
-+ test -f "$1" && test -x "$1"
-+} # as_fn_executable_p
-+as_test_x='test -x'
-+as_executable_p=as_fn_executable_p
-
- # Sed expression to map a string onto a valid CPP name.
- as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
- # values after options handling.
- ac_log="
- This file was extended by fetchmail $as_me 6.3.26, which was
--generated by GNU Autoconf 2.68. Invocation command line was
-+generated by GNU Autoconf 2.69. Invocation command line was
-
- CONFIG_FILES = $CONFIG_FILES
- CONFIG_HEADERS = $CONFIG_HEADERS
-@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ
- ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
- ac_cs_version="\\
- fetchmail config.status 6.3.26
--configured by $0, generated by GNU Autoconf 2.68,
-+configured by $0, generated by GNU Autoconf 2.69,
- with options \\"\$ac_cs_config\\"
-
--Copyright (C) 2010 Free Software Foundation, Inc.
-+Copyright (C) 2012 Free Software Foundation, Inc.
- This config.status script is free software; the Free Software Foundation
- gives unlimited permission to copy, distribute and modify it."
-
-@@ -11606,7 +11630,7 @@ fi
- _ACEOF
- cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
- if \$ac_cs_recheck; then
-- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-+ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
- shift
- \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
- CONFIG_SHELL='$SHELL'
---- fetchmail-6.3.26.orig/configure.ac
-+++ fetchmail-6.3.26/configure.ac
-@@ -802,7 +802,7 @@ else
- fi
-
- case "$LIBS" in *-lssl*)
-- AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
-+ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>])
- ;;
- esac
-
---- fetchmail-6.3.26.orig/fetchmail-FAQ.html
-+++ fetchmail-6.3.26/fetchmail-FAQ.html
-@@ -667,8 +667,8 @@ because there is not currently a standar
- also uses this method, so the two will interoperate happily. They
- better, because this is how Craig gets his mail ;-)</p>
-
--<p>Finally, you can use <a href="#K5">SSL</a> for complete
--end-to-end encryption if you have an SSL-enabled mailserver.</p>
-+<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete
-+end-to-end encryption if you have a TLS-enabled mailserver.</p>
-
- <h2><a id="G11" name="G11">G11. Is any special configuration needed
- to use a dynamic IP address?</a></h2>
-@@ -2120,7 +2120,7 @@ SSL?</a></h2>
-
- <p>You'll need to have the <a
- href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they
--should at least be version 0.9.7.
-+should at least be version 0.9.8, with 1.0.1 preferred.
- Configure with --with-ssl. If you have the OpenSSL libraries
- installed in commonly-used default locations, this will
- suffice. If you have them installed in a non-default location,
-@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p>
- <p>Fetchmail binaries built this way support <code>ssl</code>,
- <code>sslkey</code>, and <code>sslcert</code> options that control
- SSL encryption, and will automatically use <code>tls</code> if the
--server offers it. You will need to have an SSL-enabled mailserver to
-+server offers it. You will need to have an SSL/TLS-enabled mailserver to
- use these options. See the manual page for details and some words
- of care on the limited security provided.</p>
-
-@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s
- protocol imap username MYUSERNAME password MYPASSWORD
- </pre>
-
--<p>You should note that SSL is only secure against a "man-in-the-middle"
--attack if the client is able to verify that the peer's public key is the
--correct one, and has not been substituted by an attacker. fetchmail can do
--this in one of two ways: by verifying the SSL certificate, or by checking
--the fingerprint of the peer's public key.</p>
-+<p>You should note that SSL or TLS are only secure against a
-+"man-in-the-middle" attack if the client is able to verify that the
-+peer's public key is the correct one, and has not been substituted by an
-+attacker. fetchmail can do this in one of two ways: by verifying the SSL
-+certificate, or by checking the fingerprint of the peer's public
-+key.</p>
-
--<p>There are three parts to SSL certificate verification: checking that the
-+<p>There are three parts to TLS certificate verification: checking that the
- domain name in the certificate matches the hostname you asked to connect to;
- checking that the certificate expiry date has not passed; and checking that
- the certificate has been signed by a known Certificate Authority (CA). This
-@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati
- time. This can however cause problems if the upstream didn't configure
- his certificates properly.</p>
-
--<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS)
--negotiation, add this option:</p>
-+<p>In order to prevent fetchmail 6.4.0 and newer versions from trying
-+STLS or STARTTLS negotiation, add this option:</p>
-+<pre>sslproto ''</pre>
-+
-+<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS)
-+negotiation where the above does not work, try this option:</p>
-
- <pre>sslproto ssl23</pre>
-
-@@ -2876,15 +2881,22 @@ need to say something like '<code>envelo
-
- <pre>
- Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
-- by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
-- for &lt;ksturgeon@fbceg.org&gt;; Wed, 9 Sep 1998 17:01:59 -0700
-+ by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
-+ for &lt;ksturgeon@fbceg.example.org&gt;; Wed, 9 Sep 1998 17:01:59 -0700
- </pre>
-
--<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your
--mailserver before accepting 'ksturgeon@fbceg.org' as an envelope
-+<p>it checks to see if 'iserv.example.net' is a DNS alias of your
-+mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope
- address. This check might fail if your DNS were misconfigured, or
--if you were using 'no dns' and had failed to declare iserv.ttns.net
--as an alias of your server.</p>
-+if you were using 'no dns' and had failed to declare iserv.example.net
-+as an alias of your server. The typical hint is logging similar to:
-+<code>line rejected, iserv.example.net is not an alias of the mailserver</code>,
-+if you use fetchmail in verbose mode.</p>
-+
-+<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka
-+ <em>iserv.example.net</em></code> statements in the rcfile. Replace
-+<em>iserv.example.net</em> by the name you find in <strong>your</strong>
-+'by' part of the 'Received:' line.</p>
-
- <h2><a id="M8" name="M8">M8. Users are getting multiple copies of
- messages.</a></h2>
-@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p>
- <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my
- messages.</a></h2>
-
-+<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p>
-+
- <p>Due to the problem described in <a href="#S2">S2</a>, the
- IMAP support in fetchmail cannot follow the IMAP protocol 100&nbsp;%.
- Most of the time it doesn't matter, but if you combine it with an
-@@ -3279,8 +3293,6 @@ it at the end of the message it forwards
- on, you'll get a message about actual != expected.</li>
- </ol>
-
--<p>There is no fix for this.</p>
--
- <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header
- with Domino IMAP</a></h2>
-
---- fetchmail-6.3.26.orig/fetchmail.c
-+++ fetchmail-6.3.26/fetchmail.c
-@@ -54,6 +54,10 @@
- #define ENETUNREACH 128 /* Interactive doesn't know this */
- #endif /* ENETUNREACH */
-
-+#ifdef SSL_ENABLE
-+#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */
-+#endif
-+
- /* prototypes for internal functions */
- static int load_params(int, char **, int);
- static void dump_params (struct runctl *runp, struct query *, flag implicit);
-@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) {
- "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n"
- " Robert M. Funk, Graham Wilson\n"
- "Copyright (C) 2005 - 2012 Sunil Shetye\n"
-- "Copyright (C) 2005 - 2013 Matthias Andree\n"
-+ "Copyright (C) 2005 - 2015 Matthias Andree\n"
- ));
- fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n"
- "are welcome to redistribute it under certain conditions. For details,\n"
-@@ -262,6 +266,9 @@ int main(int argc, char **argv)
- #endif /* ODMR_ENABLE */
- #ifdef SSL_ENABLE
- "+SSL"
-+#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3)
-+ "-SSLv3"
-+#endif
- #endif
- #ifdef OPIE_ENABLE
- "+OPIE"
---- fetchmail-6.3.26.orig/fetchmail.h
-+++ fetchmail-6.3.26/fetchmail.h
-@@ -771,9 +771,9 @@ int servport(const char *service);
- int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res);
- void fm_freeaddrinfo(struct addrinfo *ai);
-
--/* prototypes from tls.c */
--int maybe_tls(struct query *ctl);
--int must_tls(struct query *ctl);
-+/* prototypes from starttls.c */
-+int maybe_starttls(struct query *ctl);
-+int must_starttls(struct query *ctl);
-
- /* prototype from rfc822valid.c */
- int rfc822_valid_msgid(const unsigned char *);
---- fetchmail-6.3.26.orig/fetchmail.man
-+++ fetchmail-6.3.26/fetchmail.man
-@@ -412,23 +412,22 @@ from. The folder information is written
- .B \-\-ssl
- (Keyword: ssl)
- .br
--Causes the connection to the mail server to be encrypted
--via SSL. Connect to the server using the specified base protocol over a
--connection secured by SSL. This option defeats opportunistic starttls
--negotiation. It is highly recommended to use \-\-sslproto 'SSL3'
--\-\-sslcertck to validate the certificates presented by the server and
--defeat the obsolete SSLv2 negotiation. More information is available in
--the \fIREADME.SSL\fP file that ships with fetchmail.
--.IP
--Note that fetchmail may still try to negotiate SSL through starttls even
--if this option is omitted. You can use the \-\-sslproto option to defeat
--this behavior or tell fetchmail to negotiate a particular SSL protocol.
-+Causes the connection to the mail server to be encrypted via SSL, by
-+negotiating SSL directly after connecting (SSL-wrapped mode). It is
-+highly recommended to use \-\-sslcertck to validate the certificates
-+presented by the server. Please see the description of \-\-sslproto
-+below! More information is available in the \fIREADME.SSL\fP file that
-+ships with fetchmail.
-+.IP
-+Note that even if this option is omitted, fetchmail may still negotiate
-+SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You
-+can use the \-\-sslproto option to modify that behavior.
- .IP
- If no port is specified, the connection is attempted to the well known
- port of the SSL version of the base protocol. This is generally a
- different port than the port used by the base protocol. For IMAP, this
- is port 143 for the clear protocol and port 993 for the SSL secured
--protocol, for POP3, it is port 110 for the clear text and port 995 for
-+protocol; for POP3, it is port 110 for the clear text and port 995 for
- the encrypted variant.
- .IP
- If your system lacks the corresponding entries from /etc/services, see
-@@ -470,39 +469,73 @@ cause some complications in daemon mode.
- .IP
- Also see \-\-sslcert above.
- .TP
--.B \-\-sslproto <name>
--(Keyword: sslproto)
-+.B \-\-sslproto <value>
-+(Keyword: sslproto, NOTE: semantic changes since v6.4.0)
- .br
--Forces an SSL/TLS protocol. Possible values are \fB''\fP,
--\&'\fBSSL2\fP' (not supported on all systems),
--\&'\fBSSL23\fP', (use of these two values is discouraged
--and should only be used as a last resort) \&'\fBSSL3\fP', and
--\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
--connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
--opportunistically try STARTTLS negotiation with TLS1. You can configure
--this option explicitly if the default handshake (TLS1 if \-\-ssl is not
--used) does not work for your server.
--.IP
--Use this option with '\fBTLS1\fP' value to enforce a STARTTLS
--connection. In this mode, it is highly recommended to also use
--\-\-sslcertck (see below). Note that this will then cause fetchmail
--v6.3.19 to force STARTTLS negotiation even if it is not advertised by
--the server.
--.IP
--To defeat opportunistic TLSv1 negotiation when the server advertises
--STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This
--option, even if the argument is the empty string, will also suppress the
--diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose
--mode. The default is to try appropriate protocols depending on context.
-+This option has a dual use, out of historic fetchmail behaviour. It
-+controls both the SSL/TLS protocol version and, if \-\-ssl is not
-+specified, the STARTTLS behaviour (upgrading the protocol to an SSL or
-+TLS connection in-band). Some other options may however make TLS
-+mandatory.
-+.PP
-+Only if this option and \-\-ssl are both missing for a poll, there will
-+be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to
-+upgrade to TLSv1 or newer.
-+.PP
-+Recognized values for \-\-sslproto are given below. You should normally
-+chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of
-+the options ending in a plus (\fB+\fP) character. Note that depending
-+on OpenSSL library version and configuration, some options cause
-+run-time errors because the requested SSL or TLS versions are not
-+supported by the particular installed OpenSSL library.
-+.RS
-+.IP "\fB''\fP, the empty string"
-+Disable STARTTLS. If \-\-ssl is given for the same server, log an error
-+and pretend that '\fBauto\fP' had been used instead.
-+.IP '\fBauto\fP'
-+(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade.
-+(fetchmail 6.3.26 and older have auto-negotiated all protocols that
-+their OpenSSL library supported, including the broken SSLv3).
-+.IP "\&'\fBSSL23\fP'
-+see '\fBauto\fP'.
-+.IP \&'\fBSSL3\fP'
-+Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it
-+if possible. This will make fetchmail negotiate SSLv3 only, and is the
-+only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
-+.IP \&'\fBSSL3+\fP'
-+same as '\fBauto\fP', but permit SSLv3 as well. This is the only way
-+besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
-+.IP \&'\fBTLS1\fP'
-+Require TLSv1. This does not negotiate TLSv1.1 or newer, and is
-+discouraged. Replace by TLS1+ unless the latter chokes your server.
-+.IP \&'\fBTLS1+\fP'
-+Since v6.4.0. See 'fBauto\fP'.
-+.IP \&'\fBTLS1.1\fP'
-+Since v6.4.0. Require TLS v1.1 exactly.
-+.IP \&'\fBTLS1.1+\fP'
-+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer.
-+.IP \&'\fBTLS1.2\fP'
-+Since v6.4.0. Require TLS v1.2 exactly.
-+.IP '\fBTLS1.2+\fP'
-+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer.
-+.IP "Unrecognized parameters"
-+are treated the same as '\fBauto\fP'.
-+.RE
-+.IP
-+NOTE: you should hardly ever need to use anything other than '' (to
-+force an unencrypted connection) or 'auto' (to enforce TLS).
- .TP
- .B \-\-sslcertck
- (Keyword: sslcertck)
- .br
--Causes fetchmail to strictly check the server certificate against a set of
--local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
--options). If the server certificate cannot be obtained or is not signed by one
--of the trusted ones (directly or indirectly), the SSL connection will fail,
--regardless of the \fBsslfingerprint\fP option.
-+Causes fetchmail to require that SSL/TLS be used and disconnect if it
-+can not successfully negotiate SSL or TLS, or if it cannot successfully
-+verify and validate the certificate and follow it to a trust anchor (or
-+trusted root certificate). The trust anchors are given as a set of local
-+trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
-+options). If the server certificate cannot be obtained or is not signed
-+by one of the trusted ones (directly or indirectly), fetchmail will
-+disconnect, regardless of the \fBsslfingerprint\fP option.
- .IP
- Note that CRL (certificate revocation lists) are only supported in
- OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
-@@ -1202,31 +1235,33 @@ capability response. Specify a user opti
- username and the part to the right as the NTLM domain.
-
- .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS)
-+.PP All retrieval protocols can use SSL or TLS wrapping for the
-+transport. Additionally, POP3 and IMAP retrival can also negotiate
-+SSL/TLS by means of STARTTLS (or STLS).
- .PP
- Note that fetchmail currently uses the OpenSSL library, which is
- severely underdocumented, so failures may occur just because the
- programmers are not aware of OpenSSL's requirement of the day.
- For instance, since v6.3.16, fetchmail calls
- OpenSSL_add_all_algorithms(), which is necessary to support certificates
--using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
--documentation and not at all obvious. Please do not hesitate to report
--subtle SSL failures.
--.PP
--You can access SSL encrypted services by specifying the \-\-ssl option.
--You can also do this using the "ssl" user option in the .fetchmailrc
--file. With SSL encryption enabled, queries are initiated over a
--connection after negotiating an SSL session, and the connection fails if
--SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
-+using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in
-+the documentation and not at all obvious. Please do not hesitate to
-+report subtle SSL failures.
-+.PP
-+You can access SSL encrypted services by specifying the options starting
-+with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others.
-+You can also do this using the corresponding user options in the .fetchmailrc
-+file. Some services, such as POP3 and IMAP, have
- different well known ports defined for the SSL encrypted services. The
- encrypted ports will be selected automatically when SSL is enabled and
--no explicit port is specified. The \-\-sslproto 'SSL3' option should be
--used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
--the \-\-sslcertck command line or sslcertck run control file option
--should be used to force strict certificate checking - see below.
-+no explicit port is specified. Also, the \-\-sslcertck command line or
-+sslcertck run control file option should be used to force strict
-+certificate checking - see below.
- .PP
- If SSL is not configured, fetchmail will usually opportunistically try to use
--STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS
--connections use the same port as the unencrypted version of the
-+STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and
-+defeated by using \-\-sslproto\~''.
-+TLS connections use the same port as the unencrypted version of the
- protocol and negotiate TLS via special command. The \-\-sslcertck
- command line or sslcertck run control file option should be used to
- force strict certificate checking - see below.
---- fetchmail-6.3.26.orig/imap.c
-+++ fetchmail-6.3.26/imap.c
-@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct
- /* apply for connection authorization */
- {
- int ok = 0;
-+ char *commonname;
-+
- (void)greeting;
-
- /*
-@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct
- return(PS_SUCCESS);
- }
-
--#ifdef SSL_ENABLE
-- if (maybe_tls(ctl)) {
-- char *commonname;
--
-- commonname = ctl->server.pollname;
-- if (ctl->server.via)
-- commonname = ctl->server.via;
-- if (ctl->sslcommonname)
-- commonname = ctl->sslcommonname;
-+ commonname = ctl->server.pollname;
-+ if (ctl->server.via)
-+ commonname = ctl->server.via;
-+ if (ctl->sslcommonname)
-+ commonname = ctl->sslcommonname;
-
-- if (strstr(capabilities, "STARTTLS")
-- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
-+#ifdef SSL_ENABLE
-+ if (maybe_starttls(ctl)) {
-+ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))
-+ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
- {
-- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
-- * protocol that will work with STARTTLS. Don't need to worry
-- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
-- * (see below). */
-+ /* Don't need to worry whether TLS is mandatory or
-+ * opportunistic unless SSLOpen() fails (see below). */
- if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
-- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
-+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
- ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
- ctl->server.pollname, &ctl->remotename)) != -1)
- {
-@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct
- {
- report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
- }
-- } else if (must_tls(ctl)) {
-+ } else if (must_starttls(ctl)) {
- /* Config required TLS but we couldn't guarantee it, so we must
- * stop. */
- set_timeout(0);
-@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct
- /* Usable. Proceed with authenticating insecurely. */
- }
- }
-+ } else {
-+ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) {
-+ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname);
-+ }
- }
- #endif /* SSL_ENABLE */
-
---- fetchmail-6.3.26.orig/po/Makevars
-+++ fetchmail-6.3.26/po/Makevars
-@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis
- # This is the list of locale categories, beyond LC_MESSAGES, for which the
- # message catalogs shall be used. It is usually empty.
- EXTRA_LOCALE_CATEGORIES =
-+
-+# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt'
-+# context. Possible values are "yes" and "no". Set this to yes if the
-+# package uses functions taking also a message context, like pgettext(), or
-+# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument.
-+USE_MSGCTXT = no
-+
-+# These options get passed to msgmerge.
-+# Useful options are in particular:
-+# --previous to keep previous msgids of translated messages,
-+# --quiet to reduce the verbosity.
-+MSGMERGE_OPTIONS =
---- fetchmail-6.3.26.orig/pop3.c
-+++ fetchmail-6.3.26/pop3.c
-@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct
- #endif /* OPIE_ENABLE */
- #ifdef SSL_ENABLE
- flag connection_may_have_tls_errors = FALSE;
-+ char *commonname;
- #endif /* SSL_ENABLE */
-
- done_capa = FALSE;
-@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct
- (ctl->server.authenticate == A_KERBEROS_V5) ||
- (ctl->server.authenticate == A_OTP) ||
- (ctl->server.authenticate == A_CRAM_MD5) ||
-- maybe_tls(ctl))
-+ maybe_starttls(ctl))
- {
- if ((ok = capa_probe(sock)) != PS_SUCCESS)
- /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
-@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct
- (ok == PS_SOCKET && !ctl->wehaveauthed))
- {
- #ifdef SSL_ENABLE
-- if (must_tls(ctl)) {
-+ if (must_starttls(ctl)) {
- /* fail with mandatory STLS without repoll */
- report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
- report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
- return ok;
-- } else if (maybe_tls(ctl)) {
-+ } else if (maybe_starttls(ctl)) {
- /* defeat opportunistic STLS */
- xfree(ctl->sslproto);
- ctl->sslproto = xstrdup("");
-@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct
- }
-
- #ifdef SSL_ENABLE
-- if (maybe_tls(ctl)) {
-- char *commonname;
-+ commonname = ctl->server.pollname;
-+ if (ctl->server.via)
-+ commonname = ctl->server.via;
-+ if (ctl->sslcommonname)
-+ commonname = ctl->sslcommonname;
-
-- commonname = ctl->server.pollname;
-- if (ctl->server.via)
-- commonname = ctl->server.via;
-- if (ctl->sslcommonname)
-- commonname = ctl->sslcommonname;
--
-- if (has_stls
-- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
-+ if (maybe_starttls(ctl)) {
-+ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
- {
-- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
-- * protocol that will work with STARTTLS. Don't need to worry
-- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
-- * (see below). */
-+ /* Don't need to worry whether TLS is mandatory or
-+ * opportunistic unless SSLOpen() fails (see below). */
- if (gen_transact(sock, "STLS") == PS_SUCCESS
-- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
-+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
- ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
- ctl->server.pollname, &ctl->remotename)) != -1)
- {
-@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct
- {
- report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
- }
-- } else if (must_tls(ctl)) {
-+ } else if (must_starttls(ctl)) {
- /* Config required TLS but we couldn't guarantee it, so we must
- * stop. */
- set_timeout(0);
-@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct
- }
- }
- }
-- } /* maybe_tls() */
-+ } else { /* maybe_starttls() */
-+ if (has_stls && outlevel >= O_VERBOSE) {
-+ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname);
-+ }
-+ } /* maybe_starttls() */
- #endif /* SSL_ENABLE */
-
- /*
---- fetchmail-6.3.26.orig/socket.c
-+++ fetchmail-6.3.26/socket.c
-@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char
- {
- struct stat randstat;
- int i;
-+ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- long sslopts = SSL_OP_ALL;
-+ int ssle_connect = 0;
-
- SSL_load_error_strings();
- SSL_library_init();
-@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char
- /* Make sure a connection referring to an older context is not left */
- _ssl_context[sock] = NULL;
- if(myproto) {
-- if(!strcasecmp("ssl2",myproto)) {
--#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
-- _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
-+ if(!strcasecmp("ssl3",myproto)) {
-+#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0)
-+ _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
-+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
- #else
-- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
-+ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
- return -1;
- #endif
-- } else if(!strcasecmp("ssl3",myproto)) {
-- _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
-+ } else if(!strcasecmp("ssl3+",myproto)) {
-+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
-+ myproto = NULL;
- } else if(!strcasecmp("tls1",myproto)) {
- _ctx[sock] = SSL_CTX_new(TLSv1_client_method());
-- } else if (!strcasecmp("ssl23",myproto)) {
-+ } else if(!strcasecmp("tls1+",myproto)) {
-+ myproto = NULL;
-+#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION
-+ } else if(!strcasecmp("tls1.1",myproto)) {
-+ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method());
-+ } else if(!strcasecmp("tls1.1+",myproto)) {
-+ myproto = NULL;
-+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
-+#else
-+ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) {
-+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n"));
-+ return -1;
-+#endif
-+#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION
-+ } else if(!strcasecmp("tls1.2",myproto)) {
-+ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method());
-+ } else if(!strcasecmp("tls1.2+",myproto)) {
-+ myproto = NULL;
-+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
-+ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1;
-+#else
-+ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) {
-+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n"));
-+ return -1;
-+#endif
-+ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) {
- myproto = NULL;
- } else {
-- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
-+ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto);
- myproto = NULL;
- }
- }
-- if(!myproto) {
-+ // do not combine into an else { } as myproto may be nulled
-+ // above!
-+ if (!myproto) {
-+ // SSLv23 is a misnomer and will in fact use the best
-+ // available protocol, subject to SSL_OP_NO*
-+ // constraints.
- _ctx[sock] = SSL_CTX_new(SSLv23_client_method());
- }
- if(_ctx[sock] == NULL) {
-@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char
- sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
- }
-
-- SSL_CTX_set_options(_ctx[sock], sslopts);
-+ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions);
-
- if (certck) {
- SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
-@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char
- }
-
- if (SSL_set_fd(_ssl_context[sock], sock) == 0
-- || SSL_connect(_ssl_context[sock]) < 1) {
-+ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) {
-+ int e = errno;
-+ unsigned long ssle_err_from_queue = ERR_peek_error();
-+ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect);
- ERR_print_errors_fp(stderr);
-+ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) {
-+ if (0 == ssle_connect) {
-+ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n"));
-+ } else if (ssle_connect < 0) {
-+ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e));
-+ }
-+ }
- SSL_free( _ssl_context[sock] );
- _ssl_context[sock] = NULL;
- SSL_CTX_free(_ctx[sock]);
-@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char
- return(-1);
- }
-
-+ if (outlevel >= O_VERBOSE) {
-+ SSL_CIPHER const *sc;
-+ int bitsmax, bitsused;
-+
-+ const char *ver;
-+
-+ ver = SSL_get_version(_ssl_context[sock]);
-+
-+ sc = SSL_get_current_cipher(_ssl_context[sock]);
-+ if (!sc) {
-+ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n"));
-+ } else {
-+ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax);
-+ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"),
-+ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax);
-+ }
-+ }
-+
- /* Paranoia: was the callback not called as we expected? */
- if (!_depth0ck) {
- report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n"));
---- /dev/null
-+++ fetchmail-6.3.26/starttls.c
-@@ -0,0 +1,37 @@
-+/** \file tls.c - collect common TLS functionality
-+ * \author Matthias Andree
-+ * \date 2006
-+ */
-+
-+#include "fetchmail.h"
-+
-+#include <string.h>
-+
-+#ifdef HAVE_STRINGS_H
-+#include <strings.h>
-+#endif
-+
-+/** return true if user allowed opportunistic STARTTLS/STLS */
-+int maybe_starttls(struct query *ctl) {
-+#ifdef SSL_ENABLE
-+ /* opportunistic or forced TLS */
-+ return (!ctl->sslproto || strlen(ctl->sslproto))
-+ && !ctl->use_ssl;
-+#else
-+ (void)ctl;
-+ return 0;
-+#endif
-+}
-+
-+/** return true if user requires STARTTLS/STLS, note though that this
-+ * code must always use a logical AND with maybe_tls(). */
-+int must_starttls(struct query *ctl) {
-+#ifdef SSL_ENABLE
-+ return maybe_starttls(ctl)
-+ && (ctl->sslfingerprint || ctl->sslcertck
-+ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
-+#else
-+ (void)ctl;
-+ return 0;
-+#endif
-+}
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb
index 5af5d0df62..21caa918a6 100644
--- a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb
+++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb
@@ -3,15 +3,14 @@ HOMEPAGE = "http://www.fetchmail.info/"
DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC."
SECTION = "mail"
LICENSE = "GPLv2 & MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ca53985c1fd053ae0bffffaa89ed49f1"
DEPENDS = "openssl"
SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \
- file://02_remove_SSLv3.patch \
"
-SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3"
-SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850"
+SRC_URI[md5sum] = "c2b836a919cdd4ec53b06b70e0aa3e63"
+SRC_URI[sha256sum] = "3f33f11dd08c3e8cc3e9d18eec686b1626d4818f4d5a72791507bbc4dce6a9a0"
inherit autotools gettext python-dir pythonnative