Your message dated Sat, 23 Jun 2018 21:34:23 +0000
with message-id <e1fwqap-0003z3...@fasolo.debian.org>
and subject line Bug#768843: fixed in fetchmail 6.4.0~beta4-1
has caused the Debian Bug report #768843,
regarding fetchmail: Improved TLS support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
768843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fetchmail
Tags: patch

Hi,

The attached patch improves fetchmail SSL/TLS support.  It seems
to have some misunderstandings of openssl / SSL / TLS.

First, STARTTLS should work with both SSL and TLS, not just from
TLS 1.0.  The TLS in STARTTLS does not mean it's TLS only, TLS is
just a different name for SSL.

It also still seems to think only TLS 1.0 is supported while there
are more recent versions, and it encourages SSL3 because SSL2 is
broken.

I've also changed the way in which opportunistic TLS works a
little.  It seems to have only done this with TLS1 for the above
stated reasons which were wrong.

This patch results in the following changes with a server supporting
STARTTLS:
        | --ssl         | no option     | sslproto ssl23| sslproto tls1
Old:    | TLS 1.2       | TLS1.0        | not working   | TLS1.0
New:    | TLS 1.2       | TLS1.2        | TLS1.2        | TLS1.0

The "sslproto ssl23" case just sends logout, I assume because
maybe_tls returns false.

This started by making the call to SSLv3_client_method() optional
in case openssl doesn't support it.


Kurt

Index: fetchmail-6.3.26/configure.ac
===================================================================
--- fetchmail-6.3.26.orig/configure.ac
+++ fetchmail-6.3.26/configure.ac
@@ -801,11 +801,6 @@ else
   AC_MSG_WARN(Consider re-running configure --with-ssl.)
 fi
 
-case "$LIBS" in *-lssl*)
-	AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
-	;;
-esac
-
 ###	use option --with-socks=DIR to point at SOCKS library
 AC_ARG_WITH(socks,
 	[  --with-socks[=DIR]      add built-in SOCKS firewall access],
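Review bot: dropping the AC_CHECK_DECLS for SSLv2_client_method means config.h no longer defines HAVE_DECL_SSLV2_CLIENT_METHOD, so this is only safe because socket.c is switched to OPENSSL_NO_SSL2 in the same patch; please grep for any other user of the old macro before merging, and add a NEWS/ChangeLog line saying that SSLv2/SSLv3 availability is now taken from OpenSSL's own OPENSSL_NO_SSL2/OPENSSL_NO_SSL3 definitions instead of a configure probe.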
Index: fetchmail-6.3.26/fetchmail-FAQ.html
===================================================================
--- fetchmail-6.3.26.orig/fetchmail-FAQ.html
+++ fetchmail-6.3.26/fetchmail-FAQ.html
@@ -2232,8 +2232,8 @@ negotiation, add this option:</p>
 
 <pre>sslproto ssl23</pre>
 
-<p>This restricts fetchmail's SSL/TLS protocol choice from the default
-"SSLv2, SSLv3, TLSv1" to the two SSL variants, disabling TLSv1. Note
+<p>This selects fetchmail's default SSL/TLS protocol choice that
+supports all SSL/TLS versions supported by the openssl library. Note
 however that this causes the connection to be unencrypted unless an
 encrypting &quot;plugin&quot; is used or SSL is requested explicitly.</p>
 
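Review bot: the unchanged closing sentence ("this causes the connection to be unencrypted unless an encrypting plugin is used or SSL is requested explicitly") now contradicts the new semantics, under which any non-empty sslproto value makes encryption mandatory; with "sslproto ssl23" there is no cleartext fallback any more, so either drop the sentence or reword it to say that only the empty value '' disables encryption. The phrase "all SSL/TLS versions supported by the openssl library" also silently includes SSLv2 and SSLv3 on libraries that still ship them, which the man page in this same patch labels insecure; state that explicitly so the FAQ does not read as an unqualified recommendation.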
Index: fetchmail-6.3.26/fetchmail.man
===================================================================
--- fetchmail-6.3.26.orig/fetchmail.man
+++ fetchmail-6.3.26/fetchmail.man
@@ -413,16 +413,16 @@ from. The folder information is written
 (Keyword: ssl)
 .br
 Causes the connection to the mail server to be encrypted
-via SSL.  Connect to the server using the specified base protocol over a
-connection secured by SSL. This option defeats opportunistic starttls
-negotiation. It is highly recommended to use \-\-sslproto 'SSL3'
-\-\-sslcertck to validate the certificates presented by the server and
-defeat the obsolete SSLv2 negotiation. More information is available in
-the \fIREADME.SSL\fP file that ships with fetchmail.
-.IP
-Note that fetchmail may still try to negotiate SSL through starttls even
-if this option is omitted. You can use the \-\-sslproto option to defeat
-this behavior or tell fetchmail to negotiate a particular SSL protocol.
+via SSL / TLS.  This option makes encryption mandatory and uses a dedicated
+port for SSL / TLS.
+It is highly recommended to use \-\-sslcertck to validate
+the certificates presented by the server. More information is available
+in the \fIREADME.SSL\fP file that ships with fetchmail.
+.IP
+Note that fetchmail may still try to opportunisticly negotiate SSL through
+starttls even if this option is omitted.
+You can use the \-\-sslproto option to defeat this behavior or tell fetchmail to
+negotiate a particular SSL protocol.
 .IP
 If no port is specified, the connection is attempted to the well known
 port of the SSL version of the base protocol.  This is generally a
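Review bot: spelling in the added text, "opportunisticly" should be "opportunistically" (line "Note that fetchmail may still try to opportunisticly negotiate SSL through"). The sentence "You can use the \-\-sslproto option to defeat this behavior" is now ambiguous because every value except '' forces encryption rather than defeating it; say "\-\-sslproto with the empty value \fB''\fP" here.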
@@ -473,27 +473,33 @@ Also see \-\-sslcert above.
 .B \-\-sslproto <name>
 (Keyword: sslproto)
 .br
-Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP' (not supported on all systems),
-\&'\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
-\&'\fBTLS1\fP'.  The default behaviour if this option is unset is: for
-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
-opportunistically try STARTTLS negotiation with TLS1. You can configure
-this option explicitly if the default handshake (TLS1 if \-\-ssl is not
-used) does not work for your server.
-.IP
-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS
-connection. In this mode, it is highly recommended to also use
-\-\-sslcertck (see below).  Note that this will then cause fetchmail
-v6.3.19 to force STARTTLS negotiation even if it is not advertised by
-the server.
-.IP
-To defeat opportunistic TLSv1 negotiation when the server advertises
-STARTTLS or STLS, and use a cleartext connection use \fB''\fP.  This
-option, even if the argument is the empty string, will also suppress the
-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose
-mode. The default is to try appropriate protocols depending on context.
+Forces an SSL/TLS protocol. Possible values are:
+.RS
+.IP \fB''\fP
+Disables to use of SSL / TLS and send things in clear text.  If \-\-ssl is also
+used it will use the default.
+.IP \&'\fBSSL2\fP'
+Uses SSL 2.  This is an insecure protocol.  It's not supported on all systems.
+.IP \&'\fBSSL23\fP'
+This will use the highest version suppored by both client and server and may
+include SSL 2, SSL 3, TLS 1.0, TLS 1.1 and TLS 1.2 if supported.  This is the
+recommended value.
+.IP \&'\fBSSL3\fP'
+Uses SSL 3.  This is an insecure protocol.  It's not supported on all systems.
+.IP \&'\fBTLS1\fP'
+Uses TLS 1.0.
+.RE
+.IP
+When this option is not set and the server indicates supports for STARTTLS
+or STLS fetchmail will opportunistically try to negotiation SSL / TLS with
+the \fBSSL23\fP value.  This can be disabled by using the \fB''\fP value.
+.IP
+When this option is set to something other than \fB''\fP it will make encryption
+mandatory using the selected protocol.  It's recommended to use the \fBSSL23\fP
+value.
+In this mode, it is highly recommended to also use \-\-sslcertck (see below).
+If \-\-ssl isn't used it will try to use STARTTLS / STLS even if the server doesn't
+indicate support for it.
 .TP
 .B \-\-sslcertck
 (Keyword: sslcertck)
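Review bot: the new option list contradicts itself: the SSL23 entry says negotiation "may include SSL 2, SSL 3 ..." and calls SSL23 "the recommended value", while the SSL2 and SSL3 entries two lines away call those protocols insecure. Either the ssl23 code path disables SSLv2/SSLv3 (then say so in this entry) or the recommendation needs a caveat. Spelling and grammar slips to fix in the same hunk: "Disables to use of SSL / TLS and send things" should read "Disables the use of SSL / TLS and sends things"; "suppored" should be "supported"; "indicates supports for" should be "indicates support for"; "try to negotiation SSL / TLS" should be "try to negotiate SSL / TLS". The '' entry should also keep the old text's explicit statement that it suppresses opportunistic STARTTLS, which the new wording only implies.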
@@ -1219,15 +1225,14 @@ connection after negotiating an SSL sess
 SSL cannot be negotiated.  Some services, such as POP3 and IMAP, have
 different well known ports defined for the SSL encrypted services.  The
 encrypted ports will be selected automatically when SSL is enabled and
-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
-used to select the SSLv3 protocol (default if unset: v2 or v3).  Also,
-the \-\-sslcertck command line or sslcertck run control file option
-should be used to force strict certificate checking - see below.
+no explicit port is specified. Also, the \-\-sslcertck command line or
+sslcertck run control file option should be used to force strict certificate
+checking - see below.
 .PP
 If SSL is not configured, fetchmail will usually opportunistically try to use
-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS
-connections use the same port as the unencrypted version of the
-protocol and negotiate TLS via special command. The \-\-sslcertck
+STARTTLS. STARTTLS can be enforced by using \-\-sslproto. When using STARTTLS
+it uses the same port as the unencrypted version of the
+protocol and negotiate TLS via a special command. The \-\-sslcertck
 command line or sslcertck run control file option should be used to
 force strict certificate checking - see below.
 .PP
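Review bot: "STARTTLS can be enforced by using \-\-sslproto" is incomplete now that '' is an accepted value that disables encryption altogether; write "by using \-\-sslproto with any value other than the empty string". Subject-verb agreement in the following sentence: "it uses the same port ... and negotiate TLS via a special command" should be "negotiates".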
Index: fetchmail-6.3.26/imap.c
===================================================================
--- fetchmail-6.3.26.orig/imap.c
+++ fetchmail-6.3.26/imap.c
@@ -442,12 +442,10 @@ static int imap_getauth(int sock, struct
 	if (strstr(capabilities, "STARTTLS")
 		|| must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
 	{
-	    /* Use "tls1" rather than ctl->sslproto because tls1 is the only
-	     * protocol that will work with STARTTLS.  Don't need to worry
-	     * whether TLS is mandatory or opportunistic unless SSLOpen() fails
-	     * (see below). */
+	    /* Don't need to worry whether TLS is mandatory or opportunistic
+ 	     * unless SSLOpen() fails (see below). */
 	    if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
-		    && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+		    && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
 			ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
 			ctl->server.pollname, &ctl->remotename)) != -1)
 	    {
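Review bot: the second line of the replacement comment is indented with a space followed by a tab ("+ \t     * unless SSLOpen() fails (see below). */"), which misaligns the comment star in the file; use the same leading tab as the line above. Since the call now passes ctl->sslproto, which may be NULL, a short comment that SSLOpen() then selects its default method (SSL23 per the new man page text) would replace the explanation that was removed and tell the next reader why a NULL is fine here.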
Index: fetchmail-6.3.26/pop3.c
===================================================================
--- fetchmail-6.3.26.orig/pop3.c
+++ fetchmail-6.3.26/pop3.c
@@ -443,12 +443,11 @@ static int pop3_getauth(int sock, struct
 	   if (has_stls
 		   || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
 	   {
-	       /* Use "tls1" rather than ctl->sslproto because tls1 is the only
-		* protocol that will work with STARTTLS.  Don't need to worry
-		* whether TLS is mandatory or opportunistic unless SSLOpen() fails
-		* (see below). */
+	       /* 
+		* Don't need to worry whether TLS is mandatory or opportunistic unless
+		* SSLOpen() fails (see below). */
 	       if (gen_transact(sock, "STLS") == PS_SUCCESS
-		       && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+		       && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
 			   ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
 			   ctl->server.pollname, &ctl->remotename)) != -1)
 	       {
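Review bot: the replacement comment opens with "/* " plus trailing whitespace and an otherwise empty line; match the imap.c version of this same change ("/* Don't need to worry whether TLS is mandatory or opportunistic") so the two call sites stay textually identical and easier to diff against each other. Same remark as for imap.c: document that a NULL ctl->sslproto falls through to SSLOpen()'s default method.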
Index: fetchmail-6.3.26/README.SSL
===================================================================
--- fetchmail-6.3.26.orig/README.SSL
+++ fetchmail-6.3.26/README.SSL
@@ -25,22 +25,26 @@ Quickstart
 For use of SSL or TLS with in-band negotiation on the regular service's port, 
 i. e. with STLS or STARTTLS, use these command line options
 
-    --sslproto tls1 --sslcertck
+    --sslproto ssl23 --sslcertck
 
 or these options in the rcfile (after the respective "user"... options)
 
-      sslproto tls1   sslcertck
+      sslproto ssl23   sslcertck
 
 
 For use of SSL or TLS on a separate port, if the whole TCP connection is 
 SSL-encrypted from the very beginning, use these command line options (in the 
 rcfile, omit all leading "--"):
 
-    --ssl --sslproto ssl3 --sslcertck
+    --ssl --sslcertck
 
 or these options in the rcfile (after the respective "user"... options)
 
-      ssl   sslproto ssl3   sslcertck
+      ssl   sslcertck
+
+By default it will do opportunistic encryption if the server announces it with
+STLS or STARTTLS but will not verify the certificate.  Using either --sslproto
+or --ssl will make the use of encryption mandatory.
 
 
 Background and use (long version :-))
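Review bot: "Using either --sslproto or --ssl will make the use of encryption mandatory" is wrong for --sslproto '' which, per the man page hunks in this same patch, disables encryption; write "--sslproto with a non-empty value". The clause "but will not verify the certificate" is the security-relevant point of the quickstart and deserves its own sentence saying that the opportunistic default accepts any certificate and that --sslcertck is required to reject a forged one, otherwise a reader skimming for the defaults misses it.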
Index: fetchmail-6.3.26/socket.c
===================================================================
--- fetchmail-6.3.26.orig/socket.c
+++ fetchmail-6.3.26/socket.c
@@ -907,14 +907,19 @@ int SSLOpen(int sock, char *mycert, char
 	_ssl_context[sock] = NULL;
 	if(myproto) {
 		if(!strcasecmp("ssl2",myproto)) {
-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+#ifndef OPENSSL_NO_SSL2
 			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
 #else
 			report(stderr, GT_("Your operating system does not support SSLv2.\n"));
 			return -1;
 #endif
+#ifndef OPENSSL_NO_SSL3
 		} else if(!strcasecmp("ssl3",myproto)) {
 			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
+#else
+			report(stderr, GT_("Your operating system does not support SSLv3.\n"));
+			return -1;
+#endif
 		} else if(!strcasecmp("tls1",myproto)) {
 			_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
 		} else if (!strcasecmp("ssl23",myproto)) {
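Review bot: the #ifndef OPENSSL_NO_SSL3 guard is placed before the "} else if(!strcasecmp("ssl3",myproto)) {" line, so when OPENSSL_NO_SSL3 is defined the entire "else if" vanishes and the SSLv3 report/return -1 lands at the end of the ssl2 branch: a user asking for ssl3 then silently falls through to the later ssl23/default handling, and a user asking for ssl2 on a build with SSLv2 gets the SSLv3 error after the context was already created. Mirror the ssl2 branch by keeping the "else if" unconditional and guarding only its body:
} else if(!strcasecmp("ssl3",myproto)) {
#ifndef OPENSSL_NO_SSL3
	_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
followed by the #else/report/return -1/#endif as in the ssl2 case.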
Index: fetchmail-6.3.26/tls.c
===================================================================
--- fetchmail-6.3.26.orig/tls.c
+++ fetchmail-6.3.26/tls.c
@@ -9,12 +9,11 @@
 #include <strings.h>
 #endif
 
-/** return true if user allowed TLS */
+/** return true if user allows opportunistic TLS */
 int maybe_tls(struct query *ctl) {
 #ifdef SSL_ENABLE
-         /* opportunistic  or forced TLS */
-    return (!ctl->sslproto || !strcasecmp(ctl->sslproto,"tls1"))
-	&& !ctl->use_ssl;
+    /* opportunistic encryption is disabled with sslproto == "" */
+    return (!ctl->sslproto || strcmp(ctl->sslproto,"")) && !ctl->use_ssl;
 #else
     (void)ctl;
     return 0;
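Review bot: strcmp(ctl->sslproto,"") reads as a string comparison where a single-character test is meant; ctl->sslproto[0] != '\0' (or *ctl->sslproto) says the same thing more directly and avoids a second look for readers who expect a non-zero strcmp to be an error. The behaviour change is also wider than the new comment states: with "ssl2" or "ssl3" and no --ssl, maybe_tls() is now true, so STARTTLS will be negotiated with a protocol the man page marks insecure; worth one line in the comment and in the man page.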
@@ -26,8 +25,7 @@ int maybe_tls(struct query *ctl) {
 int must_tls(struct query *ctl) {
 #ifdef SSL_ENABLE
     return maybe_tls(ctl)
-	&& (ctl->sslfingerprint || ctl->sslcertck
-		|| (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
+	&& (ctl->sslfingerprint || ctl->sslcertck || ctl->sslproto);
 #else
     (void)ctl;
     return 0;
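Review bot: a non-NULL ctl->sslproto only counts as "mandatory" here because maybe_tls() has already rejected the empty string on the left of the &&; that ordering dependency is easy to break in a later edit, so either test ctl->sslproto[0] here as well or add a comment saying that '' is excluded by maybe_tls(). This also makes "ssl2"/"ssl3" force TLS rather than merely allow it, which matches the new man page text but should be stated.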

--- End Message ---
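The old/new table in the bug report is a direct consequence of the maybe_tls()/must_tls() change in the tls.c hunks. The following C program is an added example, not part of the bug report and not fetchmail code: it reimplements both versions of the two tls.c functions from the '-' and '+' lines, models the STARTTLS dispatch they gate, and derives every cell of the table. It assumes three things that the hunks do not show: that the STARTTLS block in imap.c/pop3.c is only reached when maybe_tls() is true (what the remark about "sslproto ssl23" sending LOGOUT implies), that SSLOpen() uses the SSL23 method when handed a NULL protocol (as the patched man page says), and that the server advertises STARTTLS and speaks up to TLS 1.2. The struct query is a cut-down stand-in and negotiated() is a constructed mapping for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Cut-down stand-in for the fields of fetchmail's struct query that the TLS
 * decision reads (constructed for this example). */
struct query {
    const char *sslproto;       /* NULL: --sslproto not given; "": given as '' */
    int use_ssl;                /* --ssl: wrapped SSL on the dedicated port */
    int sslcertck;
    const char *sslfingerprint;
};

/* tls.c before the patch: the '-' lines of the two tls.c hunks. */
static int maybe_tls_old(const struct query *ctl)
{
    return (!ctl->sslproto || !strcasecmp(ctl->sslproto, "tls1")) && !ctl->use_ssl;
}
static int must_tls_old(const struct query *ctl)
{
    return maybe_tls_old(ctl)
        && (ctl->sslfingerprint || ctl->sslcertck
            || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
}

/* tls.c after the patch: the '+' lines of the two tls.c hunks. */
static int maybe_tls_new(const struct query *ctl)
{
    return (!ctl->sslproto || strcmp(ctl->sslproto, "")) && !ctl->use_ssl;
}
static int must_tls_new(const struct query *ctl)
{
    return maybe_tls_new(ctl)
        && (ctl->sslfingerprint || ctl->sslcertck || ctl->sslproto);
}

/* Protocol name the STARTTLS path hands to SSLOpen(), or NULL when STARTTLS is
 * not attempted.  Assumption: the imap.c/pop3.c STARTTLS block is only reached
 * when maybe_tls() is true (that check is outside the hunks). */
const char *starttls_proto(const struct query *ctl, int server_advertises, int patched)
{
    int maybe = patched ? maybe_tls_new(ctl) : maybe_tls_old(ctl);
    int must  = patched ? must_tls_new(ctl)  : must_tls_old(ctl);

    if (!maybe)
        return NULL;
    if (!server_advertises && !must)   /* opportunistic, and nothing offered */
        return NULL;
    if (!patched)
        return "tls1";                 /* hard-wired in the old imap.c/pop3.c */
    /* Patched code passes ctl->sslproto through; NULL means SSLOpen()'s
     * default, which the patched man page describes as SSL23 (assumption). */
    return ctl->sslproto ? ctl->sslproto : "ssl23";
}

/* Wrapper so callers need not build the struct by hand. */
const char *starttls_proto_for(const char *sslproto, int use_ssl,
                               int server_advertises, int patched)
{
    struct query q = { sslproto, use_ssl, 0, NULL };
    return starttls_proto(&q, server_advertises, patched);
}

/* Version a client method ends up with against a server whose newest version
 * is server_max (e.g. "TLS1.2") and which also accepts older ones.  Constructed
 * mapping: the SSL23 method takes the highest shared version, the others pin. */
const char *negotiated(const char *proto, const char *server_max)
{
    if (!proto)                      return NULL;
    if (!strcasecmp(proto, "ssl23")) return server_max;
    if (!strcasecmp(proto, "tls1"))  return "TLS1.0";
    if (!strcasecmp(proto, "ssl3"))  return "SSL3";
    if (!strcasecmp(proto, "ssl2"))  return "SSL2";
    return NULL;
}

/* One cell of the report's table: column is "--ssl", "no option",
 * "sslproto ssl23" or "sslproto tls1"; patched selects old (0) or new (1)
 * logic.  Server assumed to advertise STARTTLS and speak up to TLS 1.2. */
const char *table_cell(const char *column, int patched)
{
    const char *sslproto = NULL;
    const char *proto;

    if (!strcmp(column, "--ssl")) {
        /* maybe_tls() is false with --ssl, so no STARTTLS; the dedicated-port
         * path calls SSLOpen() with the default method in both versions. */
        proto = starttls_proto_for(NULL, 1, 1, patched);
        return negotiated(proto ? proto : "ssl23", "TLS1.2");
    }
    if (!strncmp(column, "sslproto ", 9))
        sslproto = column + 9;

    proto = starttls_proto_for(sslproto, 0, 1, patched);
    return proto ? negotiated(proto, "TLS1.2") : "not working";
}

int main(void)
{
    const char *cols[] = { "--ssl", "no option", "sslproto ssl23", "sslproto tls1" };
    int patched, i;

    printf("%-5s", "");
    for (i = 0; i < 4; i++) printf("| %-15s", cols[i]);
    printf("\n");
    for (patched = 0; patched < 2; patched++) {
        printf("%-5s", patched ? "New:" : "Old:");
        for (i = 0; i < 4; i++) printf("| %-15s", table_cell(cols[i], patched));
        printf("\n");
    }
    return 0;
}
```

Running it prints the same two rows as the report. The "not working" cell falls out of maybe_tls_old() rejecting every sslproto value other than "tls1", so the old code never even sent STARTTLS for "ssl23"; the patched must_tls_new() also shows the other side of the change, where any non-empty sslproto makes STARTTLS mandatory even when the server does not advertise it.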
--- Begin Message ---
Source: fetchmail
Source-Version: 6.4.0~beta4-1

We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Jun 2018 15:52:22 +0000
Source: fetchmail
Binary: fetchmail fetchmailconf
Architecture: source amd64 all
Version: 6.4.0~beta4-1
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmailconf - fetchmail configurator
Closes: 710319 752598 768843 895366
Changes:
 fetchmail (6.4.0~beta4-1) experimental; urgency=medium
 .
   * New major upstream beta release:
     - improved TLS support (closes: #768843).
   * Update watch file.
   * Disable Vcs-* fields for now.
   * Update debhelper level to 11:
     - remove dh-autoreconf build dependency,
     - remove autotools-dev build dependency,
     - don't specify parallel to debhelper,
     - specify restart-after-upgrade to dh_installinit .
   * Update Standards-Version to 4.1.4 .
 .
   [ Russell Coker <russ...@coker.com.au> ]
   * Run restorecon after creating directory from init script (closes: #752598).
 .
   [ Nicolas Boulenguez <nico...@debian.org> ]
   * Packaging updates (closes: #895366):
     - rename d/init to d/fetchmail.init, as recommended by policy,
     - give standard formatting to header of 01_fetchmailconf.patch ,
     - remove obsolete debian/pycompat ,
     - fix typo in manpage,
     - delegate installation of ppp and logcheck scripts to debhelper,
     - delegate manpages from dh_install to more specialized
       dh_installmanpages ,
     - install contrib files and resolvconf directly without intermediate copy
       in debian/tmp ,
     - switch copyright to format 1.0 and add some missing licenses.
     - delegate buggy installation of README.contrib to debhelper,
     - per policy 4.0.0, use invoke-rc.d instead of calling /etc/init.d/*
       directly,
     - rules: drop paragraph preparing unused variable CONFFLAGS ,
     - rules: simplify some variable affectations,
     - delegate build flags stuff to dpkg-buildflags .
 .
   [ Kevin Ryde <user42_ke...@yahoo.com.au> ]
   * Let fetchmail-mode run hook after other settings (closes: #710319).
Checksums-Sha1:
 b89bcf11edbd584527322a7d9244403312ed207c 1956 fetchmail_6.4.0~beta4-1.dsc
 e14f67580aa3008ddd3caa12fd762721c609e030 1301620 fetchmail_6.4.0~beta4.orig.tar.xz
 ee35b51f9ae59ff5c2abb843c5978c33006658d3 47308 fetchmail_6.4.0~beta4-1.debian.tar.xz
 bab8c58a407d0e2c77bb4d8ba7285c39cb9a4fc6 319456 fetchmail-dbgsym_6.4.0~beta4-1_amd64.deb
 2d53ff1c4b86734eaa568927d657de754c6dce1e 8294 fetchmail_6.4.0~beta4-1_amd64.buildinfo
 d586649cca662539ae310948d663d60679165b15 636048 fetchmail_6.4.0~beta4-1_amd64.deb
 e3a978e6f249a19d783b5189fffc96b2f75432b3 66792 fetchmailconf_6.4.0~beta4-1_all.deb
Checksums-Sha256:
 ac7dc012583f7b1b1cb9431917f07cdf0f3c665d9ce3f096cc798eb76340cbeb 1956 fetchmail_6.4.0~beta4-1.dsc
 c7500bed3b0bb85722f7cf2d980e74a879ac57b13cfd225d278179d671c0f5e8 1301620 fetchmail_6.4.0~beta4.orig.tar.xz
 f53282e6937d6d558fd87421ba98b50b3b990d026cf41f6e9958c9ea3d62ef06 47308 fetchmail_6.4.0~beta4-1.debian.tar.xz
 906d86c5e437ca6c640202c6d5c74c9d2f181179e8fee27a83b461b735b052ea 319456 fetchmail-dbgsym_6.4.0~beta4-1_amd64.deb
 800af863886561ffdaec8ab6b5fac0831f8b159f8b6974c0122293439f095d32 8294 fetchmail_6.4.0~beta4-1_amd64.buildinfo
 3eee1bef75436bb2685fe13a4cd3ca5ec8953f7044d81b73253e9c880f491127 636048 fetchmail_6.4.0~beta4-1_amd64.deb
 5261f3e66000d5253b60015ead686816b8c59d4692deee770db8b81d57acfa73 66792 fetchmailconf_6.4.0~beta4-1_all.deb
Files:
 3166d7ad4f842ba1b849463163728308 1956 mail optional fetchmail_6.4.0~beta4-1.dsc
 ef3b8603f7b8c5a5cebb7486bb3ef39a 1301620 mail optional fetchmail_6.4.0~beta4.orig.tar.xz
 5e3b2cb655316e9a07b1d6a365ee49d1 47308 mail optional fetchmail_6.4.0~beta4-1.debian.tar.xz
 78e5f43792f1fbaffa5df1d07b7220d2 319456 debug optional fetchmail-dbgsym_6.4.0~beta4-1_amd64.deb
 5f5554d37b57b49576aede7af55b6b98 8294 mail optional fetchmail_6.4.0~beta4-1_amd64.buildinfo
 6901e2f2ef65d1b8d070f7227b6ba7d0 636048 mail optional fetchmail_6.4.0~beta4-1_amd64.deb
 ebc4e0318346450fdc65c62689190006 66792 mail optional fetchmailconf_6.4.0~beta4-1_all.deb


--- End Message ---
