summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZang Ruochen <zangrc.fnst@cn.fujitsu.com>2019-10-09 15:25:44 +0800
committerKhem Raj <raj.khem@gmail.com>2019-10-09 00:35:31 -0700
commit10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc (patch)
tree838fcfe8d75688b13f60a86061bc13c8a866ac2f
parenta705a7f19761a2fded62a86f66c4d010abcdcc65 (diff)
downloadmeta-openembedded-10bba9fe7daf36e9d952821a4ad0837ec3a2f5bc.tar.gz
fetchmail: upgrade 6.3.26 -> 6.4.1
-License-Update: Copyright year updated to 2019. -fetchmail/02_remove_SSLv3.patch Removed since this is included in 6.4.1. Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat
-rw-r--r--meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch1576
-rw-r--r--meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb (renamed from meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb)7
2 files changed, 3 insertions, 1580 deletions
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
deleted file mode 100644
index 95cfa2f4a1..0000000000
--- a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch
+++ /dev/null
@@ -1,1576 +0,0 @@
1Description: <short summary of the patch>
2 TODO: Put a short summary on the line above and replace this paragraph
3 with a longer explanation of this change. Complete the meta-information
4 with other relevant fields (see below for details). To make it easier, the
5 information below has been extracted from the changelog. Adjust it or drop
6 it.
7 .
8 fetchmail (6.3.26-2) unstable; urgency=low
9 .
10 * New maintainer (closes: #800750).
11 * Backport upstream fix for SSLv3 removal (closes: #804604) and do not
12 recommend SSLv3 (closes: #801178).
13 * Remove quilt and its usage.
14 * Add dh-python to build depends.
15 * Update upstream URLs.
16 * Update watch file.
17 * Update Standards-Version to 3.9.6 .
18Author: Laszlo Boszormenyi (GCS) <gcs@debian.org>
19Bug-Debian: https://bugs.debian.org/800750
20Bug-Debian: https://bugs.debian.org/801178
21Bug-Debian: https://bugs.debian.org/804604
22
23---
24The information above should follow the Patch Tagging Guidelines, please
25checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
26are templates for supplementary fields that you might want to add:
27
28Origin: <vendor|upstream|other>, <url of original patch>
29Bug: <url in upstream bugtracker>
30Bug-Debian: https://bugs.debian.org/<bugnumber>
31Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
32Forwarded: <no|not-needed|url proving that it has been forwarded>
33Reviewed-By: <name and email of someone who approved the patch>
34Last-Update: <YYYY-MM-DD>
35
36--- fetchmail-6.3.26.orig/Makefile.am
37+++ fetchmail-6.3.26/Makefile.am
38@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8
39 servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
40 smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
41 libesmtp/gethostbyname.h libesmtp/gethostbyname.c \
42- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \
43+ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \
44 xmalloc.h sdump.h sdump.c x509_name_match.c \
45 fm_strl.h md5c.c
46 if NTLM_ENABLE
47--- fetchmail-6.3.26.orig/Makefile.in
48+++ fetchmail-6.3.26/Makefile.in
49@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas
50 rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
51 smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
52 libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
53- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
54+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
55 x509_name_match.c fm_strl.h md5c.c ntlmsubr.c
56 @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT)
57 am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \
58 rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \
59 servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \
60 smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \
61- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \
62+ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \
63 sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \
64 $(am__objects_1)
65 libfm_a_OBJECTS = $(am_libfm_a_OBJECTS)
66@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc
67 servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
68 smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
69 libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
70- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
71+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
72 x509_name_match.c fm_strl.h md5c.c $(am__append_1)
73 libfm_a_LIBADD = $(EXTRAOBJ)
74 libfm_a_DEPENDENCIES = $(EXTRAOBJ)
75--- fetchmail-6.3.26.orig/NEWS
76+++ fetchmail-6.3.26/NEWS
77@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.)
78 * The --bsmtp - mode of operation may be removed in a future release.
79 * Given that OpenSSL is severely underdocumented, and needs license exceptions,
80 fetchmail may switch to a different SSL library.
81-* SSLv2 support will be removed from a future fetchmail release. It has been
82- obsolete for more than a decade.
83
84 --------------------------------------------------------------------------------
85
86--- fetchmail-6.3.26.orig/README.SSL
87+++ fetchmail-6.3.26/README.SSL
88@@ -11,36 +11,45 @@ specific to fetchmail.
89 In case of troubles, mail the README.SSL-SERVER file to your ISP and
90 have them check their server configuration against it.
91
92-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether
93-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is
94-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot
95-be fixed in a bugfix release.
96+Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a
97+service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4)
98+or is totally SSL-wrapped on a separate port. For compatibility
99+reasons, this cannot be fixed in a bugfix or minor release.
100+
101+Also, fetchmail 6.4.0 and newer releases changed some of the semantics
102+as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
103+If your server does not support this, you may have to specify --sslproto
104+ssl3. This is in order to prefer the newer TLS protocols, because SSLv2
105+and v3 are broken.
106
107- -- Matthias Andree, 2009-05-09
108+ -- Matthias Andree, 2015-01-16
109
110
111 Quickstart
112 ----------
113
114+Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get
115+TLSv1.2 support.
116+
117 For use of SSL or TLS with in-band negotiation on the regular service's port,
118 i. e. with STLS or STARTTLS, use these command line options
119
120- --sslproto tls1 --sslcertck
121+ --sslproto auto --sslcertck
122
123 or these options in the rcfile (after the respective "user"... options)
124
125- sslproto tls1 sslcertck
126+ sslproto auto sslcertck
127
128
129 For use of SSL or TLS on a separate port, if the whole TCP connection is
130-SSL-encrypted from the very beginning, use these command line options (in the
131-rcfile, omit all leading "--"):
132+SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
133+command line options (in the rcfile, omit all leading "--"):
134
135- --ssl --sslproto ssl3 --sslcertck
136+ --ssl --sslproto auto --sslcertck
137
138 or these options in the rcfile (after the respective "user"... options)
139
140- ssl sslproto ssl3 sslcertck
141+ ssl sslproto auto sslcertck
142
143
144 Background and use (long version :-))
145--- fetchmail-6.3.26.orig/config.h.in
146+++ fetchmail-6.3.26/config.h.in
147@@ -49,9 +49,9 @@
148 don't. */
149 #undef HAVE_DECL_H_ERRNO
150
151-/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0
152+/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0
153 if you don't. */
154-#undef HAVE_DECL_SSLV2_CLIENT_METHOD
155+#undef HAVE_DECL_SSLV3_CLIENT_METHOD
156
157 /* Define to 1 if you have the declaration of `strerror', and to 0 if you
158 don't. */
159--- fetchmail-6.3.26.orig/configure
160+++ fetchmail-6.3.26/configure
161@@ -1,13 +1,11 @@
162 #! /bin/sh
163 # Guess values for system-dependent variables and create Makefiles.
164-# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26.
165+# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26.
166 #
167 # Report bugs to <fetchmail-users@lists.berlios.de>.
168 #
169 #
170-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
171-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
172-# Foundation, Inc.
173+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
174 #
175 #
176 # This configure script is free software; the Free Software Foundation
177@@ -136,6 +134,31 @@ export LANGUAGE
178 # CDPATH.
179 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
180
181+# Use a proper internal environment variable to ensure we don't fall
182+ # into an infinite loop, continuously re-executing ourselves.
183+ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
184+ _as_can_reexec=no; export _as_can_reexec;
185+ # We cannot yet assume a decent shell, so we have to provide a
186+# neutralization value for shells without unset; and this also
187+# works around shells that cannot unset nonexistent variables.
188+# Preserve -v and -x to the replacement shell.
189+BASH_ENV=/dev/null
190+ENV=/dev/null
191+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
192+case $- in # ((((
193+ *v*x* | *x*v* ) as_opts=-vx ;;
194+ *v* ) as_opts=-v ;;
195+ *x* ) as_opts=-x ;;
196+ * ) as_opts= ;;
197+esac
198+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
199+# Admittedly, this is quite paranoid, since all the known shells bail
200+# out after a failed `exec'.
201+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
202+as_fn_exit 255
203+ fi
204+ # We don't want this to propagate to other subprocesses.
205+ { _as_can_reexec=; unset _as_can_reexec;}
206 if test "x$CONFIG_SHELL" = x; then
207 as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
208 emulate sh
209@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test
210 else
211 exitcode=1; echo positional parameters were not saved.
212 fi
213-test x\$exitcode = x0 || exit 1"
214+test x\$exitcode = x0 || exit 1
215+test -x / || exit 1"
216 as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
217 as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
218 eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
219@@ -214,21 +238,25 @@ IFS=$as_save_IFS
220
221
222 if test "x$CONFIG_SHELL" != x; then :
223- # We cannot yet assume a decent shell, so we have to provide a
224- # neutralization value for shells without unset; and this also
225- # works around shells that cannot unset nonexistent variables.
226- # Preserve -v and -x to the replacement shell.
227- BASH_ENV=/dev/null
228- ENV=/dev/null
229- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
230- export CONFIG_SHELL
231- case $- in # ((((
232- *v*x* | *x*v* ) as_opts=-vx ;;
233- *v* ) as_opts=-v ;;
234- *x* ) as_opts=-x ;;
235- * ) as_opts= ;;
236- esac
237- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
238+ export CONFIG_SHELL
239+ # We cannot yet assume a decent shell, so we have to provide a
240+# neutralization value for shells without unset; and this also
241+# works around shells that cannot unset nonexistent variables.
242+# Preserve -v and -x to the replacement shell.
243+BASH_ENV=/dev/null
244+ENV=/dev/null
245+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
246+case $- in # ((((
247+ *v*x* | *x*v* ) as_opts=-vx ;;
248+ *v* ) as_opts=-v ;;
249+ *x* ) as_opts=-x ;;
250+ * ) as_opts= ;;
251+esac
252+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
253+# Admittedly, this is quite paranoid, since all the known shells bail
254+# out after a failed `exec'.
255+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
256+exit 255
257 fi
258
259 if test x$as_have_required = xno; then :
260@@ -331,6 +359,14 @@ $as_echo X"$as_dir" |
261
262
263 } # as_fn_mkdir_p
264+
265+# as_fn_executable_p FILE
266+# -----------------------
267+# Test if FILE is an executable regular file.
268+as_fn_executable_p ()
269+{
270+ test -f "$1" && test -x "$1"
271+} # as_fn_executable_p
272 # as_fn_append VAR VALUE
273 # ----------------------
274 # Append the text in VALUE to the end of the definition contained in VAR. Take
275@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
276 chmod +x "$as_me.lineno" ||
277 { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
278
279+ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
280+ # already done that, so ensure we don't try to do so again and fall
281+ # in an infinite loop. This has already happened in practice.
282+ _as_can_reexec=no; export _as_can_reexec
283 # Don't try to exec as it changes $[0], causing all sort of problems
284 # (the dirname of $[0] is not the place where we might find the
285 # original and so on. Autoconf is especially sensitive to this).
286@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
287 # ... but there are two gotchas:
288 # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
289 # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
290- # In both cases, we have to default to `cp -p'.
291+ # In both cases, we have to default to `cp -pR'.
292 ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
293- as_ln_s='cp -p'
294+ as_ln_s='cp -pR'
295 elif ln conf$$.file conf$$ 2>/dev/null; then
296 as_ln_s=ln
297 else
298- as_ln_s='cp -p'
299+ as_ln_s='cp -pR'
300 fi
301 else
302- as_ln_s='cp -p'
303+ as_ln_s='cp -pR'
304 fi
305 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
306 rmdir conf$$.dir 2>/dev/null
307@@ -507,28 +547,8 @@ else
308 as_mkdir_p=false
309 fi
310
311-if test -x / >/dev/null 2>&1; then
312- as_test_x='test -x'
313-else
314- if ls -dL / >/dev/null 2>&1; then
315- as_ls_L_option=L
316- else
317- as_ls_L_option=
318- fi
319- as_test_x='
320- eval sh -c '\''
321- if test -d "$1"; then
322- test -d "$1/.";
323- else
324- case $1 in #(
325- -*)set "./$1";;
326- esac;
327- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
328- ???[sx]*):;;*)false;;esac;fi
329- '\'' sh
330- '
331-fi
332-as_executable_p=$as_test_x
333+as_test_x='test -x'
334+as_executable_p=as_fn_executable_p
335
336 # Sed expression to map a string onto a valid CPP name.
337 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
338@@ -742,6 +762,7 @@ infodir
339 docdir
340 oldincludedir
341 includedir
342+runstatedir
343 localstatedir
344 sharedstatedir
345 sysconfdir
346@@ -841,6 +862,7 @@ datadir='${datarootdir}'
347 sysconfdir='${prefix}/etc'
348 sharedstatedir='${prefix}/com'
349 localstatedir='${prefix}/var'
350+runstatedir='${localstatedir}/run'
351 includedir='${prefix}/include'
352 oldincludedir='/usr/include'
353 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
354@@ -1093,6 +1115,15 @@ do
355 | -silent | --silent | --silen | --sile | --sil)
356 silent=yes ;;
357
358+ -runstatedir | --runstatedir | --runstatedi | --runstated \
359+ | --runstate | --runstat | --runsta | --runst | --runs \
360+ | --run | --ru | --r)
361+ ac_prev=runstatedir ;;
362+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
363+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
364+ | --run=* | --ru=* | --r=*)
365+ runstatedir=$ac_optarg ;;
366+
367 -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
368 ac_prev=sbindir ;;
369 -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
370@@ -1230,7 +1261,7 @@ fi
371 for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
372 datadir sysconfdir sharedstatedir localstatedir includedir \
373 oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
374- libdir localedir mandir
375+ libdir localedir mandir runstatedir
376 do
377 eval ac_val=\$$ac_var
378 # Remove trailing slashes.
379@@ -1258,8 +1289,6 @@ target=$target_alias
380 if test "x$host_alias" != x; then
381 if test "x$build_alias" = x; then
382 cross_compiling=maybe
383- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
384- If a cross compiler is detected then cross compile mode will be used" >&2
385 elif test "x$build_alias" != "x$host_alias"; then
386 cross_compiling=yes
387 fi
388@@ -1385,6 +1414,7 @@ Fine tuning of the installation director
389 --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
390 --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
391 --localstatedir=DIR modifiable single-machine data [PREFIX/var]
392+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
393 --libdir=DIR object code libraries [EPREFIX/lib]
394 --includedir=DIR C header files [PREFIX/include]
395 --oldincludedir=DIR C header files for non-gcc [/usr/include]
396@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat
397 if $ac_init_version; then
398 cat <<\_ACEOF
399 fetchmail configure 6.3.26
400-generated by GNU Autoconf 2.68
401+generated by GNU Autoconf 2.69
402
403-Copyright (C) 2010 Free Software Foundation, Inc.
404+Copyright (C) 2012 Free Software Foundation, Inc.
405 This configure script is free software; the Free Software Foundation
406 gives unlimited permission to copy, distribute and modify it.
407 _ACEOF
408@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5
409 test ! -s conftest.err
410 } && test -s conftest$ac_exeext && {
411 test "$cross_compiling" = yes ||
412- $as_test_x conftest$ac_exeext
413+ test -x conftest$ac_exeext
414 }; then :
415 ac_retval=0
416 else
417@@ -2030,7 +2060,8 @@ int
418 main ()
419 {
420 static int test_array [1 - 2 * !(($2) >= 0)];
421-test_array [0] = 0
422+test_array [0] = 0;
423+return test_array [0];
424
425 ;
426 return 0;
427@@ -2046,7 +2077,8 @@ int
428 main ()
429 {
430 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
431-test_array [0] = 0
432+test_array [0] = 0;
433+return test_array [0];
434
435 ;
436 return 0;
437@@ -2072,7 +2104,8 @@ int
438 main ()
439 {
440 static int test_array [1 - 2 * !(($2) < 0)];
441-test_array [0] = 0
442+test_array [0] = 0;
443+return test_array [0];
444
445 ;
446 return 0;
447@@ -2088,7 +2121,8 @@ int
448 main ()
449 {
450 static int test_array [1 - 2 * !(($2) >= $ac_mid)];
451-test_array [0] = 0
452+test_array [0] = 0;
453+return test_array [0];
454
455 ;
456 return 0;
457@@ -2122,7 +2156,8 @@ int
458 main ()
459 {
460 static int test_array [1 - 2 * !(($2) <= $ac_mid)];
461-test_array [0] = 0
462+test_array [0] = 0;
463+return test_array [0];
464
465 ;
466 return 0;
467@@ -2195,7 +2230,7 @@ This file contains any messages produced
468 running configure, to aid debugging if configure makes a mistake.
469
470 It was created by fetchmail $as_me 6.3.26, which was
471-generated by GNU Autoconf 2.68. Invocation command line was
472+generated by GNU Autoconf 2.69. Invocation command line was
473
474 $ $0 $@
475
476@@ -2689,7 +2724,7 @@ case $as_dir/ in #((
477 # by default.
478 for ac_prog in ginstall scoinst install; do
479 for ac_exec_ext in '' $ac_executable_extensions; do
480- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
481+ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
482 if test $ac_prog = install &&
483 grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
484 # AIX install. It has an incompatible calling convention.
485@@ -2858,7 +2893,7 @@ do
486 IFS=$as_save_IFS
487 test -z "$as_dir" && as_dir=.
488 for ac_exec_ext in '' $ac_executable_extensions; do
489- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
490+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
491 ac_cv_prog_STRIP="${ac_tool_prefix}strip"
492 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
493 break 2
494@@ -2898,7 +2933,7 @@ do
495 IFS=$as_save_IFS
496 test -z "$as_dir" && as_dir=.
497 for ac_exec_ext in '' $ac_executable_extensions; do
498- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
499+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
500 ac_cv_prog_ac_ct_STRIP="strip"
501 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
502 break 2
503@@ -2949,7 +2984,7 @@ do
504 test -z "$as_dir" && as_dir=.
505 for ac_prog in mkdir gmkdir; do
506 for ac_exec_ext in '' $ac_executable_extensions; do
507- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
508+ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
509 case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
510 'mkdir (GNU coreutils) '* | \
511 'mkdir (coreutils) '* | \
512@@ -3002,7 +3037,7 @@ do
513 IFS=$as_save_IFS
514 test -z "$as_dir" && as_dir=.
515 for ac_exec_ext in '' $ac_executable_extensions; do
516- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
517+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
518 ac_cv_prog_AWK="$ac_prog"
519 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
520 break 2
521@@ -3295,7 +3330,7 @@ do
522 IFS=$as_save_IFS
523 test -z "$as_dir" && as_dir=.
524 for ac_exec_ext in '' $ac_executable_extensions; do
525- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
526+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
527 ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
528 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
529 break 2
530@@ -3466,7 +3501,7 @@ do
531 IFS=$as_save_IFS
532 test -z "$as_dir" && as_dir=.
533 for ac_exec_ext in '' $ac_executable_extensions; do
534- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
535+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
536 ac_cv_prog_AWK="$ac_prog"
537 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
538 break 2
539@@ -3512,7 +3547,7 @@ do
540 IFS=$as_save_IFS
541 test -z "$as_dir" && as_dir=.
542 for ac_exec_ext in '' $ac_executable_extensions; do
543- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
544+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
545 ac_cv_prog_CC="${ac_tool_prefix}gcc"
546 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
547 break 2
548@@ -3552,7 +3587,7 @@ do
549 IFS=$as_save_IFS
550 test -z "$as_dir" && as_dir=.
551 for ac_exec_ext in '' $ac_executable_extensions; do
552- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
553+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
554 ac_cv_prog_ac_ct_CC="gcc"
555 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
556 break 2
557@@ -3605,7 +3640,7 @@ do
558 IFS=$as_save_IFS
559 test -z "$as_dir" && as_dir=.
560 for ac_exec_ext in '' $ac_executable_extensions; do
561- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
562+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
563 ac_cv_prog_CC="${ac_tool_prefix}cc"
564 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
565 break 2
566@@ -3646,7 +3681,7 @@ do
567 IFS=$as_save_IFS
568 test -z "$as_dir" && as_dir=.
569 for ac_exec_ext in '' $ac_executable_extensions; do
570- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
571+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
572 if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
573 ac_prog_rejected=yes
574 continue
575@@ -3704,7 +3739,7 @@ do
576 IFS=$as_save_IFS
577 test -z "$as_dir" && as_dir=.
578 for ac_exec_ext in '' $ac_executable_extensions; do
579- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
580+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
581 ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
582 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
583 break 2
584@@ -3748,7 +3783,7 @@ do
585 IFS=$as_save_IFS
586 test -z "$as_dir" && as_dir=.
587 for ac_exec_ext in '' $ac_executable_extensions; do
588- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
589+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
590 ac_cv_prog_ac_ct_CC="$ac_prog"
591 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
592 break 2
593@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
594 /* end confdefs.h. */
595 #include <stdarg.h>
596 #include <stdio.h>
597-#include <sys/types.h>
598-#include <sys/stat.h>
599+struct stat;
600 /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
601 struct buf { int x; };
602 FILE * (*rcsopen) (struct buf *, struct stat *, int);
603@@ -4751,7 +4785,7 @@ do
604 IFS=$as_save_IFS
605 test -z "$as_dir" && as_dir=.
606 for ac_exec_ext in '' $ac_executable_extensions; do
607- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
608+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
609 ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
610 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
611 break 2
612@@ -4791,7 +4825,7 @@ do
613 IFS=$as_save_IFS
614 test -z "$as_dir" && as_dir=.
615 for ac_exec_ext in '' $ac_executable_extensions; do
616- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
617+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
618 ac_cv_prog_ac_ct_RANLIB="ranlib"
619 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
620 break 2
621@@ -4859,7 +4893,7 @@ do
622 for ac_prog in grep ggrep; do
623 for ac_exec_ext in '' $ac_executable_extensions; do
624 ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
625- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
626+ as_fn_executable_p "$ac_path_GREP" || continue
627 # Check for GNU ac_path_GREP and select it if it is found.
628 # Check for GNU $ac_path_GREP
629 case `"$ac_path_GREP" --version 2>&1` in
630@@ -4925,7 +4959,7 @@ do
631 for ac_prog in egrep; do
632 for ac_exec_ext in '' $ac_executable_extensions; do
633 ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
634- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
635+ as_fn_executable_p "$ac_path_EGREP" || continue
636 # Check for GNU ac_path_EGREP and select it if it is found.
637 # Check for GNU $ac_path_EGREP
638 case `"$ac_path_EGREP" --version 2>&1` in
639@@ -5132,8 +5166,8 @@ else
640 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
641 /* end confdefs.h. */
642
643-# define __EXTENSIONS__ 1
644- $ac_includes_default
645+# define __EXTENSIONS__ 1
646+ $ac_includes_default
647 int
648 main ()
649 {
650@@ -5513,11 +5547,11 @@ else
651 int
652 main ()
653 {
654-/* FIXME: Include the comments suggested by Paul. */
655+
656 #ifndef __cplusplus
657- /* Ultrix mips cc rejects this. */
658+ /* Ultrix mips cc rejects this sort of thing. */
659 typedef int charset[2];
660- const charset cs;
661+ const charset cs = { 0, 0 };
662 /* SunOS 4.1.1 cc rejects this. */
663 char const *const *pcpcc;
664 char **ppc;
665@@ -5534,8 +5568,9 @@ main ()
666 ++pcpcc;
667 ppc = (char**) pcpcc;
668 pcpcc = (char const *const *) ppc;
669- { /* SCO 3.2v4 cc rejects this. */
670- char *t;
671+ { /* SCO 3.2v4 cc rejects this sort of thing. */
672+ char tx;
673+ char *t = &tx;
674 char const *s = 0 ? (char *) 0 : (char const *) 0;
675
676 *t++ = 0;
677@@ -5551,10 +5586,10 @@ main ()
678 iptr p = 0;
679 ++p;
680 }
681- { /* AIX XL C 1.02.0.0 rejects this saying
682+ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying
683 "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
684- struct s { int j; const int *ap[3]; };
685- struct s *b; b->j = 5;
686+ struct s { int j; const int *ap[3]; } bx;
687+ struct s *b = &bx; b->j = 5;
688 }
689 { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
690 const int foo = 10;
691@@ -5600,7 +5635,7 @@ do
692 IFS=$as_save_IFS
693 test -z "$as_dir" && as_dir=.
694 for ac_exec_ext in '' $ac_executable_extensions; do
695- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
696+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
697 ac_cv_prog_LEX="$ac_prog"
698 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
699 break 2
700@@ -5632,7 +5667,8 @@ a { ECHO; }
701 b { REJECT; }
702 c { yymore (); }
703 d { yyless (1); }
704-e { yyless (input () != 0); }
705+e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */
706+ yyless ((input () != 0)); }
707 f { unput (yytext[0]); }
708 . { BEGIN INITIAL; }
709 %%
710@@ -5792,7 +5828,7 @@ do
711 IFS=$as_save_IFS
712 test -z "$as_dir" && as_dir=.
713 for ac_exec_ext in '' $ac_executable_extensions; do
714- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
715+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
716 ac_cv_prog_YACC="$ac_prog"
717 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
718 break 2
719@@ -6044,7 +6080,7 @@ do
720 IFS=$as_save_IFS
721 test -z "$as_dir" && as_dir=.
722 for ac_exec_ext in '' $ac_executable_extensions; do
723- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
724+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
725 ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext"
726 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
727 break 2
728@@ -8548,7 +8584,7 @@ do
729 IFS=$as_save_IFS
730 test -z "$as_dir" && as_dir=.
731 for ac_exec_ext in '' $ac_executable_extensions; do
732- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
733+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
734 ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext"
735 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
736 break 2
737@@ -8590,7 +8626,7 @@ do
738 IFS=$as_save_IFS
739 test -z "$as_dir" && as_dir=.
740 for ac_exec_ext in '' $ac_executable_extensions; do
741- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
742+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
743 ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext"
744 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
745 break 2
746@@ -8632,7 +8668,7 @@ do
747 IFS=$as_save_IFS
748 test -z "$as_dir" && as_dir=.
749 for ac_exec_ext in '' $ac_executable_extensions; do
750- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
751+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
752 ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext"
753 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
754 break 2
755@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r
756 fi
757
758 case "$LIBS" in *-lssl*)
759- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h>
760+ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h>
761 "
762-if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then :
763+if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then :
764 ac_have_decl=1
765 else
766 ac_have_decl=0
767 fi
768
769 cat >>confdefs.h <<_ACEOF
770-#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl
771+#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl
772 _ACEOF
773
774 ;;
775@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then
776 # ... but there are two gotchas:
777 # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
778 # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
779- # In both cases, we have to default to `cp -p'.
780+ # In both cases, we have to default to `cp -pR'.
781 ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
782- as_ln_s='cp -p'
783+ as_ln_s='cp -pR'
784 elif ln conf$$.file conf$$ 2>/dev/null; then
785 as_ln_s=ln
786 else
787- as_ln_s='cp -p'
788+ as_ln_s='cp -pR'
789 fi
790 else
791- as_ln_s='cp -p'
792+ as_ln_s='cp -pR'
793 fi
794 rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
795 rmdir conf$$.dir 2>/dev/null
796@@ -11403,28 +11439,16 @@ else
797 as_mkdir_p=false
798 fi
799
800-if test -x / >/dev/null 2>&1; then
801- as_test_x='test -x'
802-else
803- if ls -dL / >/dev/null 2>&1; then
804- as_ls_L_option=L
805- else
806- as_ls_L_option=
807- fi
808- as_test_x='
809- eval sh -c '\''
810- if test -d "$1"; then
811- test -d "$1/.";
812- else
813- case $1 in #(
814- -*)set "./$1";;
815- esac;
816- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
817- ???[sx]*):;;*)false;;esac;fi
818- '\'' sh
819- '
820-fi
821-as_executable_p=$as_test_x
822+
823+# as_fn_executable_p FILE
824+# -----------------------
825+# Test if FILE is an executable regular file.
826+as_fn_executable_p ()
827+{
828+ test -f "$1" && test -x "$1"
829+} # as_fn_executable_p
830+as_test_x='test -x'
831+as_executable_p=as_fn_executable_p
832
833 # Sed expression to map a string onto a valid CPP name.
834 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
835@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
836 # values after options handling.
837 ac_log="
838 This file was extended by fetchmail $as_me 6.3.26, which was
839-generated by GNU Autoconf 2.68. Invocation command line was
840+generated by GNU Autoconf 2.69. Invocation command line was
841
842 CONFIG_FILES = $CONFIG_FILES
843 CONFIG_HEADERS = $CONFIG_HEADERS
844@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ
845 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
846 ac_cs_version="\\
847 fetchmail config.status 6.3.26
848-configured by $0, generated by GNU Autoconf 2.68,
849+configured by $0, generated by GNU Autoconf 2.69,
850 with options \\"\$ac_cs_config\\"
851
852-Copyright (C) 2010 Free Software Foundation, Inc.
853+Copyright (C) 2012 Free Software Foundation, Inc.
854 This config.status script is free software; the Free Software Foundation
855 gives unlimited permission to copy, distribute and modify it."
856
857@@ -11606,7 +11630,7 @@ fi
858 _ACEOF
859 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
860 if \$ac_cs_recheck; then
861- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
862+ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
863 shift
864 \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
865 CONFIG_SHELL='$SHELL'
866--- fetchmail-6.3.26.orig/configure.ac
867+++ fetchmail-6.3.26/configure.ac
868@@ -802,7 +802,7 @@ else
869 fi
870
871 case "$LIBS" in *-lssl*)
872- AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
873+ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>])
874 ;;
875 esac
876
877--- fetchmail-6.3.26.orig/fetchmail-FAQ.html
878+++ fetchmail-6.3.26/fetchmail-FAQ.html
879@@ -667,8 +667,8 @@ because there is not currently a standar
880 also uses this method, so the two will interoperate happily. They
881 better, because this is how Craig gets his mail ;-)</p>
882
883-<p>Finally, you can use <a href="#K5">SSL</a> for complete
884-end-to-end encryption if you have an SSL-enabled mailserver.</p>
885+<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete
886+end-to-end encryption if you have a TLS-enabled mailserver.</p>
887
888 <h2><a id="G11" name="G11">G11. Is any special configuration needed
889 to use a dynamic IP address?</a></h2>
890@@ -2120,7 +2120,7 @@ SSL?</a></h2>
891
892 <p>You'll need to have the <a
893 href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they
894-should at least be version 0.9.7.
895+should at least be version 0.9.8, with 1.0.1 preferred.
896 Configure with --with-ssl. If you have the OpenSSL libraries
897 installed in commonly-used default locations, this will
898 suffice. If you have them installed in a non-default location,
899@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p>
900 <p>Fetchmail binaries built this way support <code>ssl</code>,
901 <code>sslkey</code>, and <code>sslcert</code> options that control
902 SSL encryption, and will automatically use <code>tls</code> if the
903-server offers it. You will need to have an SSL-enabled mailserver to
904+server offers it. You will need to have an SSL/TLS-enabled mailserver to
905 use these options. See the manual page for details and some words
906 of care on the limited security provided.</p>
907
908@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s
909 protocol imap username MYUSERNAME password MYPASSWORD
910 </pre>
911
912-<p>You should note that SSL is only secure against a "man-in-the-middle"
913-attack if the client is able to verify that the peer's public key is the
914-correct one, and has not been substituted by an attacker. fetchmail can do
915-this in one of two ways: by verifying the SSL certificate, or by checking
916-the fingerprint of the peer's public key.</p>
917+<p>You should note that SSL or TLS are only secure against a
918+"man-in-the-middle" attack if the client is able to verify that the
919+peer's public key is the correct one, and has not been substituted by an
920+attacker. fetchmail can do this in one of two ways: by verifying the SSL
921+certificate, or by checking the fingerprint of the peer's public
922+key.</p>
923
924-<p>There are three parts to SSL certificate verification: checking that the
925+<p>There are three parts to TLS certificate verification: checking that the
926 domain name in the certificate matches the hostname you asked to connect to;
927 checking that the certificate expiry date has not passed; and checking that
928 the certificate has been signed by a known Certificate Authority (CA). This
929@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati
930 time. This can however cause problems if the upstream didn't configure
931 his certificates properly.</p>
932
933-<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS)
934-negotiation, add this option:</p>
935+<p>In order to prevent fetchmail 6.4.0 and newer versions from trying
936+STLS or STARTTLS negotiation, add this option:</p>
937+<pre>sslproto ''</pre>
938+
939+<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS)
940+negotiation where the above does not work, try this option:</p>
941
942 <pre>sslproto ssl23</pre>
943
944@@ -2876,15 +2881,22 @@ need to say something like '<code>envelo
945
946 <pre>
947 Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
948- by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
949- for &lt;ksturgeon@fbceg.org&gt;; Wed, 9 Sep 1998 17:01:59 -0700
950+ by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
951+ for &lt;ksturgeon@fbceg.example.org&gt;; Wed, 9 Sep 1998 17:01:59 -0700
952 </pre>
953
954-<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your
955-mailserver before accepting 'ksturgeon@fbceg.org' as an envelope
956+<p>it checks to see if 'iserv.example.net' is a DNS alias of your
957+mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope
958 address. This check might fail if your DNS were misconfigured, or
959-if you were using 'no dns' and had failed to declare iserv.ttns.net
960-as an alias of your server.</p>
961+if you were using 'no dns' and had failed to declare iserv.example.net
962+as an alias of your server. The typical hint is logging similar to:
963+<code>line rejected, iserv.example.net is not an alias of the mailserver</code>,
964+if you use fetchmail in verbose mode.</p>
965+
966+<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka
967+ <em>iserv.example.net</em></code> statements in the rcfile. Replace
968+<em>iserv.example.net</em> by the name you find in <strong>your</strong>
969+'by' part of the 'Received:' line.</p>
970
971 <h2><a id="M8" name="M8">M8. Users are getting multiple copies of
972 messages.</a></h2>
973@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p>
974 <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my
975 messages.</a></h2>
976
977+<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p>
978+
979 <p>Due to the problem described in <a href="#S2">S2</a>, the
980 IMAP support in fetchmail cannot follow the IMAP protocol 100&nbsp;%.
981 Most of the time it doesn't matter, but if you combine it with an
982@@ -3279,8 +3293,6 @@ it at the end of the message it forwards
983 on, you'll get a message about actual != expected.</li>
984 </ol>
985
986-<p>There is no fix for this.</p>
987-
988 <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header
989 with Domino IMAP</a></h2>
990
991--- fetchmail-6.3.26.orig/fetchmail.c
992+++ fetchmail-6.3.26/fetchmail.c
993@@ -54,6 +54,10 @@
994 #define ENETUNREACH 128 /* Interactive doesn't know this */
995 #endif /* ENETUNREACH */
996
997+#ifdef SSL_ENABLE
998+#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */
999+#endif
1000+
1001 /* prototypes for internal functions */
1002 static int load_params(int, char **, int);
1003 static void dump_params (struct runctl *runp, struct query *, flag implicit);
1004@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) {
1005 "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n"
1006 " Robert M. Funk, Graham Wilson\n"
1007 "Copyright (C) 2005 - 2012 Sunil Shetye\n"
1008- "Copyright (C) 2005 - 2013 Matthias Andree\n"
1009+ "Copyright (C) 2005 - 2015 Matthias Andree\n"
1010 ));
1011 fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n"
1012 "are welcome to redistribute it under certain conditions. For details,\n"
1013@@ -262,6 +266,9 @@ int main(int argc, char **argv)
1014 #endif /* ODMR_ENABLE */
1015 #ifdef SSL_ENABLE
1016 "+SSL"
1017+#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3)
1018+ "-SSLv3"
1019+#endif
1020 #endif
1021 #ifdef OPIE_ENABLE
1022 "+OPIE"
1023--- fetchmail-6.3.26.orig/fetchmail.h
1024+++ fetchmail-6.3.26/fetchmail.h
1025@@ -771,9 +771,9 @@ int servport(const char *service);
1026 int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res);
1027 void fm_freeaddrinfo(struct addrinfo *ai);
1028
1029-/* prototypes from tls.c */
1030-int maybe_tls(struct query *ctl);
1031-int must_tls(struct query *ctl);
1032+/* prototypes from starttls.c */
1033+int maybe_starttls(struct query *ctl);
1034+int must_starttls(struct query *ctl);
1035
1036 /* prototype from rfc822valid.c */
1037 int rfc822_valid_msgid(const unsigned char *);
1038--- fetchmail-6.3.26.orig/fetchmail.man
1039+++ fetchmail-6.3.26/fetchmail.man
1040@@ -412,23 +412,22 @@ from. The folder information is written
1041 .B \-\-ssl
1042 (Keyword: ssl)
1043 .br
1044-Causes the connection to the mail server to be encrypted
1045-via SSL. Connect to the server using the specified base protocol over a
1046-connection secured by SSL. This option defeats opportunistic starttls
1047-negotiation. It is highly recommended to use \-\-sslproto 'SSL3'
1048-\-\-sslcertck to validate the certificates presented by the server and
1049-defeat the obsolete SSLv2 negotiation. More information is available in
1050-the \fIREADME.SSL\fP file that ships with fetchmail.
1051-.IP
1052-Note that fetchmail may still try to negotiate SSL through starttls even
1053-if this option is omitted. You can use the \-\-sslproto option to defeat
1054-this behavior or tell fetchmail to negotiate a particular SSL protocol.
1055+Causes the connection to the mail server to be encrypted via SSL, by
1056+negotiating SSL directly after connecting (SSL-wrapped mode). It is
1057+highly recommended to use \-\-sslcertck to validate the certificates
1058+presented by the server. Please see the description of \-\-sslproto
1059+below! More information is available in the \fIREADME.SSL\fP file that
1060+ships with fetchmail.
1061+.IP
1062+Note that even if this option is omitted, fetchmail may still negotiate
1063+SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You
1064+can use the \-\-sslproto option to modify that behavior.
1065 .IP
1066 If no port is specified, the connection is attempted to the well known
1067 port of the SSL version of the base protocol. This is generally a
1068 different port than the port used by the base protocol. For IMAP, this
1069 is port 143 for the clear protocol and port 993 for the SSL secured
1070-protocol, for POP3, it is port 110 for the clear text and port 995 for
1071+protocol; for POP3, it is port 110 for the clear text and port 995 for
1072 the encrypted variant.
1073 .IP
1074 If your system lacks the corresponding entries from /etc/services, see
1075@@ -470,39 +469,73 @@ cause some complications in daemon mode.
1076 .IP
1077 Also see \-\-sslcert above.
1078 .TP
1079-.B \-\-sslproto <name>
1080-(Keyword: sslproto)
1081+.B \-\-sslproto <value>
1082+(Keyword: sslproto, NOTE: semantic changes since v6.4.0)
1083 .br
1084-Forces an SSL/TLS protocol. Possible values are \fB''\fP,
1085-\&'\fBSSL2\fP' (not supported on all systems),
1086-\&'\fBSSL23\fP', (use of these two values is discouraged
1087-and should only be used as a last resort) \&'\fBSSL3\fP', and
1088-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
1089-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
1090-opportunistically try STARTTLS negotiation with TLS1. You can configure
1091-this option explicitly if the default handshake (TLS1 if \-\-ssl is not
1092-used) does not work for your server.
1093-.IP
1094-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS
1095-connection. In this mode, it is highly recommended to also use
1096-\-\-sslcertck (see below). Note that this will then cause fetchmail
1097-v6.3.19 to force STARTTLS negotiation even if it is not advertised by
1098-the server.
1099-.IP
1100-To defeat opportunistic TLSv1 negotiation when the server advertises
1101-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This
1102-option, even if the argument is the empty string, will also suppress the
1103-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose
1104-mode. The default is to try appropriate protocols depending on context.
1105+This option has a dual use, out of historic fetchmail behaviour. It
1106+controls both the SSL/TLS protocol version and, if \-\-ssl is not
1107+specified, the STARTTLS behaviour (upgrading the protocol to an SSL or
1108+TLS connection in-band). Some other options may however make TLS
1109+mandatory.
1110+.PP
1111+Only if this option and \-\-ssl are both missing for a poll, there will
1112+be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to
1113+upgrade to TLSv1 or newer.
1114+.PP
1115+Recognized values for \-\-sslproto are given below. You should normally
1116+chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of
1117+the options ending in a plus (\fB+\fP) character. Note that depending
1118+on OpenSSL library version and configuration, some options cause
1119+run-time errors because the requested SSL or TLS versions are not
1120+supported by the particular installed OpenSSL library.
1121+.RS
1122+.IP "\fB''\fP, the empty string"
1123+Disable STARTTLS. If \-\-ssl is given for the same server, log an error
1124+and pretend that '\fBauto\fP' had been used instead.
1125+.IP '\fBauto\fP'
1126+(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade.
1127+(fetchmail 6.3.26 and older have auto-negotiated all protocols that
1128+their OpenSSL library supported, including the broken SSLv3).
1129+.IP "\&'\fBSSL23\fP'
1130+see '\fBauto\fP'.
1131+.IP \&'\fBSSL3\fP'
1132+Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it
1133+if possible. This will make fetchmail negotiate SSLv3 only, and is the
1134+only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
1135+.IP \&'\fBSSL3+\fP'
1136+same as '\fBauto\fP', but permit SSLv3 as well. This is the only way
1137+besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
1138+.IP \&'\fBTLS1\fP'
1139+Require TLSv1. This does not negotiate TLSv1.1 or newer, and is
1140+discouraged. Replace by TLS1+ unless the latter chokes your server.
1141+.IP \&'\fBTLS1+\fP'
1142+Since v6.4.0. See 'fBauto\fP'.
1143+.IP \&'\fBTLS1.1\fP'
1144+Since v6.4.0. Require TLS v1.1 exactly.
1145+.IP \&'\fBTLS1.1+\fP'
1146+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer.
1147+.IP \&'\fBTLS1.2\fP'
1148+Since v6.4.0. Require TLS v1.2 exactly.
1149+.IP '\fBTLS1.2+\fP'
1150+Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer.
1151+.IP "Unrecognized parameters"
1152+are treated the same as '\fBauto\fP'.
1153+.RE
1154+.IP
1155+NOTE: you should hardly ever need to use anything other than '' (to
1156+force an unencrypted connection) or 'auto' (to enforce TLS).
1157 .TP
1158 .B \-\-sslcertck
1159 (Keyword: sslcertck)
1160 .br
1161-Causes fetchmail to strictly check the server certificate against a set of
1162-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
1163-options). If the server certificate cannot be obtained or is not signed by one
1164-of the trusted ones (directly or indirectly), the SSL connection will fail,
1165-regardless of the \fBsslfingerprint\fP option.
1166+Causes fetchmail to require that SSL/TLS be used and disconnect if it
1167+can not successfully negotiate SSL or TLS, or if it cannot successfully
1168+verify and validate the certificate and follow it to a trust anchor (or
1169+trusted root certificate). The trust anchors are given as a set of local
1170+trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
1171+options). If the server certificate cannot be obtained or is not signed
1172+by one of the trusted ones (directly or indirectly), fetchmail will
1173+disconnect, regardless of the \fBsslfingerprint\fP option.
1174 .IP
1175 Note that CRL (certificate revocation lists) are only supported in
1176 OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
1177@@ -1202,31 +1235,33 @@ capability response. Specify a user opti
1178 username and the part to the right as the NTLM domain.
1179
1180 .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS)
1181+.PP All retrieval protocols can use SSL or TLS wrapping for the
1182+transport. Additionally, POP3 and IMAP retrival can also negotiate
1183+SSL/TLS by means of STARTTLS (or STLS).
1184 .PP
1185 Note that fetchmail currently uses the OpenSSL library, which is
1186 severely underdocumented, so failures may occur just because the
1187 programmers are not aware of OpenSSL's requirement of the day.
1188 For instance, since v6.3.16, fetchmail calls
1189 OpenSSL_add_all_algorithms(), which is necessary to support certificates
1190-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
1191-documentation and not at all obvious. Please do not hesitate to report
1192-subtle SSL failures.
1193-.PP
1194-You can access SSL encrypted services by specifying the \-\-ssl option.
1195-You can also do this using the "ssl" user option in the .fetchmailrc
1196-file. With SSL encryption enabled, queries are initiated over a
1197-connection after negotiating an SSL session, and the connection fails if
1198-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
1199+using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in
1200+the documentation and not at all obvious. Please do not hesitate to
1201+report subtle SSL failures.
1202+.PP
1203+You can access SSL encrypted services by specifying the options starting
1204+with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others.
1205+You can also do this using the corresponding user options in the .fetchmailrc
1206+file. Some services, such as POP3 and IMAP, have
1207 different well known ports defined for the SSL encrypted services. The
1208 encrypted ports will be selected automatically when SSL is enabled and
1209-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
1210-used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
1211-the \-\-sslcertck command line or sslcertck run control file option
1212-should be used to force strict certificate checking - see below.
1213+no explicit port is specified. Also, the \-\-sslcertck command line or
1214+sslcertck run control file option should be used to force strict
1215+certificate checking - see below.
1216 .PP
1217 If SSL is not configured, fetchmail will usually opportunistically try to use
1218-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS
1219-connections use the same port as the unencrypted version of the
1220+STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and
1221+defeated by using \-\-sslproto\~''.
1222+TLS connections use the same port as the unencrypted version of the
1223 protocol and negotiate TLS via special command. The \-\-sslcertck
1224 command line or sslcertck run control file option should be used to
1225 force strict certificate checking - see below.
1226--- fetchmail-6.3.26.orig/imap.c
1227+++ fetchmail-6.3.26/imap.c
1228@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct
1229 /* apply for connection authorization */
1230 {
1231 int ok = 0;
1232+ char *commonname;
1233+
1234 (void)greeting;
1235
1236 /*
1237@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct
1238 return(PS_SUCCESS);
1239 }
1240
1241-#ifdef SSL_ENABLE
1242- if (maybe_tls(ctl)) {
1243- char *commonname;
1244-
1245- commonname = ctl->server.pollname;
1246- if (ctl->server.via)
1247- commonname = ctl->server.via;
1248- if (ctl->sslcommonname)
1249- commonname = ctl->sslcommonname;
1250+ commonname = ctl->server.pollname;
1251+ if (ctl->server.via)
1252+ commonname = ctl->server.via;
1253+ if (ctl->sslcommonname)
1254+ commonname = ctl->sslcommonname;
1255
1256- if (strstr(capabilities, "STARTTLS")
1257- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
1258+#ifdef SSL_ENABLE
1259+ if (maybe_starttls(ctl)) {
1260+ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))
1261+ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
1262 {
1263- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
1264- * protocol that will work with STARTTLS. Don't need to worry
1265- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
1266- * (see below). */
1267+ /* Don't need to worry whether TLS is mandatory or
1268+ * opportunistic unless SSLOpen() fails (see below). */
1269 if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
1270- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
1271+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
1272 ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
1273 ctl->server.pollname, &ctl->remotename)) != -1)
1274 {
1275@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct
1276 {
1277 report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
1278 }
1279- } else if (must_tls(ctl)) {
1280+ } else if (must_starttls(ctl)) {
1281 /* Config required TLS but we couldn't guarantee it, so we must
1282 * stop. */
1283 set_timeout(0);
1284@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct
1285 /* Usable. Proceed with authenticating insecurely. */
1286 }
1287 }
1288+ } else {
1289+ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) {
1290+ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname);
1291+ }
1292 }
1293 #endif /* SSL_ENABLE */
1294
1295--- fetchmail-6.3.26.orig/po/Makevars
1296+++ fetchmail-6.3.26/po/Makevars
1297@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis
1298 # This is the list of locale categories, beyond LC_MESSAGES, for which the
1299 # message catalogs shall be used. It is usually empty.
1300 EXTRA_LOCALE_CATEGORIES =
1301+
1302+# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt'
1303+# context. Possible values are "yes" and "no". Set this to yes if the
1304+# package uses functions taking also a message context, like pgettext(), or
1305+# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument.
1306+USE_MSGCTXT = no
1307+
1308+# These options get passed to msgmerge.
1309+# Useful options are in particular:
1310+# --previous to keep previous msgids of translated messages,
1311+# --quiet to reduce the verbosity.
1312+MSGMERGE_OPTIONS =
1313--- fetchmail-6.3.26.orig/pop3.c
1314+++ fetchmail-6.3.26/pop3.c
1315@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct
1316 #endif /* OPIE_ENABLE */
1317 #ifdef SSL_ENABLE
1318 flag connection_may_have_tls_errors = FALSE;
1319+ char *commonname;
1320 #endif /* SSL_ENABLE */
1321
1322 done_capa = FALSE;
1323@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct
1324 (ctl->server.authenticate == A_KERBEROS_V5) ||
1325 (ctl->server.authenticate == A_OTP) ||
1326 (ctl->server.authenticate == A_CRAM_MD5) ||
1327- maybe_tls(ctl))
1328+ maybe_starttls(ctl))
1329 {
1330 if ((ok = capa_probe(sock)) != PS_SUCCESS)
1331 /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
1332@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct
1333 (ok == PS_SOCKET && !ctl->wehaveauthed))
1334 {
1335 #ifdef SSL_ENABLE
1336- if (must_tls(ctl)) {
1337+ if (must_starttls(ctl)) {
1338 /* fail with mandatory STLS without repoll */
1339 report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
1340 report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
1341 return ok;
1342- } else if (maybe_tls(ctl)) {
1343+ } else if (maybe_starttls(ctl)) {
1344 /* defeat opportunistic STLS */
1345 xfree(ctl->sslproto);
1346 ctl->sslproto = xstrdup("");
1347@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct
1348 }
1349
1350 #ifdef SSL_ENABLE
1351- if (maybe_tls(ctl)) {
1352- char *commonname;
1353+ commonname = ctl->server.pollname;
1354+ if (ctl->server.via)
1355+ commonname = ctl->server.via;
1356+ if (ctl->sslcommonname)
1357+ commonname = ctl->sslcommonname;
1358
1359- commonname = ctl->server.pollname;
1360- if (ctl->server.via)
1361- commonname = ctl->server.via;
1362- if (ctl->sslcommonname)
1363- commonname = ctl->sslcommonname;
1364-
1365- if (has_stls
1366- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
1367+ if (maybe_starttls(ctl)) {
1368+ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
1369 {
1370- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
1371- * protocol that will work with STARTTLS. Don't need to worry
1372- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
1373- * (see below). */
1374+ /* Don't need to worry whether TLS is mandatory or
1375+ * opportunistic unless SSLOpen() fails (see below). */
1376 if (gen_transact(sock, "STLS") == PS_SUCCESS
1377- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
1378+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
1379 ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
1380 ctl->server.pollname, &ctl->remotename)) != -1)
1381 {
1382@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct
1383 {
1384 report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
1385 }
1386- } else if (must_tls(ctl)) {
1387+ } else if (must_starttls(ctl)) {
1388 /* Config required TLS but we couldn't guarantee it, so we must
1389 * stop. */
1390 set_timeout(0);
1391@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct
1392 }
1393 }
1394 }
1395- } /* maybe_tls() */
1396+ } else { /* maybe_starttls() */
1397+ if (has_stls && outlevel >= O_VERBOSE) {
1398+ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname);
1399+ }
1400+ } /* maybe_starttls() */
1401 #endif /* SSL_ENABLE */
1402
1403 /*
1404--- fetchmail-6.3.26.orig/socket.c
1405+++ fetchmail-6.3.26/socket.c
1406@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char
1407 {
1408 struct stat randstat;
1409 int i;
1410+ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
1411 long sslopts = SSL_OP_ALL;
1412+ int ssle_connect = 0;
1413
1414 SSL_load_error_strings();
1415 SSL_library_init();
1416@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char
1417 /* Make sure a connection referring to an older context is not left */
1418 _ssl_context[sock] = NULL;
1419 if(myproto) {
1420- if(!strcasecmp("ssl2",myproto)) {
1421-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
1422- _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
1423+ if(!strcasecmp("ssl3",myproto)) {
1424+#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0)
1425+ _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
1426+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
1427 #else
1428- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
1429+ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
1430 return -1;
1431 #endif
1432- } else if(!strcasecmp("ssl3",myproto)) {
1433- _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
1434+ } else if(!strcasecmp("ssl3+",myproto)) {
1435+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
1436+ myproto = NULL;
1437 } else if(!strcasecmp("tls1",myproto)) {
1438 _ctx[sock] = SSL_CTX_new(TLSv1_client_method());
1439- } else if (!strcasecmp("ssl23",myproto)) {
1440+ } else if(!strcasecmp("tls1+",myproto)) {
1441+ myproto = NULL;
1442+#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION
1443+ } else if(!strcasecmp("tls1.1",myproto)) {
1444+ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method());
1445+ } else if(!strcasecmp("tls1.1+",myproto)) {
1446+ myproto = NULL;
1447+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
1448+#else
1449+ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) {
1450+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n"));
1451+ return -1;
1452+#endif
1453+#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION
1454+ } else if(!strcasecmp("tls1.2",myproto)) {
1455+ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method());
1456+ } else if(!strcasecmp("tls1.2+",myproto)) {
1457+ myproto = NULL;
1458+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
1459+ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1;
1460+#else
1461+ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) {
1462+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n"));
1463+ return -1;
1464+#endif
1465+ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) {
1466 myproto = NULL;
1467 } else {
1468- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
1469+ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto);
1470 myproto = NULL;
1471 }
1472 }
1473- if(!myproto) {
1474+ // do not combine into an else { } as myproto may be nulled
1475+ // above!
1476+ if (!myproto) {
1477+ // SSLv23 is a misnomer and will in fact use the best
1478+ // available protocol, subject to SSL_OP_NO*
1479+ // constraints.
1480 _ctx[sock] = SSL_CTX_new(SSLv23_client_method());
1481 }
1482 if(_ctx[sock] == NULL) {
1483@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char
1484 sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1485 }
1486
1487- SSL_CTX_set_options(_ctx[sock], sslopts);
1488+ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions);
1489
1490 if (certck) {
1491 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
1492@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char
1493 }
1494
1495 if (SSL_set_fd(_ssl_context[sock], sock) == 0
1496- || SSL_connect(_ssl_context[sock]) < 1) {
1497+ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) {
1498+ int e = errno;
1499+ unsigned long ssle_err_from_queue = ERR_peek_error();
1500+ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect);
1501 ERR_print_errors_fp(stderr);
1502+ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) {
1503+ if (0 == ssle_connect) {
1504+ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n"));
1505+ } else if (ssle_connect < 0) {
1506+ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e));
1507+ }
1508+ }
1509 SSL_free( _ssl_context[sock] );
1510 _ssl_context[sock] = NULL;
1511 SSL_CTX_free(_ctx[sock]);
1512@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char
1513 return(-1);
1514 }
1515
1516+ if (outlevel >= O_VERBOSE) {
1517+ SSL_CIPHER const *sc;
1518+ int bitsmax, bitsused;
1519+
1520+ const char *ver;
1521+
1522+ ver = SSL_get_version(_ssl_context[sock]);
1523+
1524+ sc = SSL_get_current_cipher(_ssl_context[sock]);
1525+ if (!sc) {
1526+ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n"));
1527+ } else {
1528+ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax);
1529+ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"),
1530+ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax);
1531+ }
1532+ }
1533+
1534 /* Paranoia: was the callback not called as we expected? */
1535 if (!_depth0ck) {
1536 report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n"));
1537--- /dev/null
1538+++ fetchmail-6.3.26/starttls.c
1539@@ -0,0 +1,37 @@
1540+/** \file tls.c - collect common TLS functionality
1541+ * \author Matthias Andree
1542+ * \date 2006
1543+ */
1544+
1545+#include "fetchmail.h"
1546+
1547+#include <string.h>
1548+
1549+#ifdef HAVE_STRINGS_H
1550+#include <strings.h>
1551+#endif
1552+
1553+/** return true if user allowed opportunistic STARTTLS/STLS */
1554+int maybe_starttls(struct query *ctl) {
1555+#ifdef SSL_ENABLE
1556+ /* opportunistic or forced TLS */
1557+ return (!ctl->sslproto || strlen(ctl->sslproto))
1558+ && !ctl->use_ssl;
1559+#else
1560+ (void)ctl;
1561+ return 0;
1562+#endif
1563+}
1564+
1565+/** return true if user requires STARTTLS/STLS, note though that this
1566+ * code must always use a logical AND with maybe_tls(). */
1567+int must_starttls(struct query *ctl) {
1568+#ifdef SSL_ENABLE
1569+ return maybe_starttls(ctl)
1570+ && (ctl->sslfingerprint || ctl->sslcertck
1571+ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
1572+#else
1573+ (void)ctl;
1574+ return 0;
1575+#endif
1576+}
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb
index 5af5d0df62..21caa918a6 100644
--- a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb
+++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.1.bb
@@ -3,15 +3,14 @@ HOMEPAGE = "http://www.fetchmail.info/"
3DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC." 3DESCRIPTION = "Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even support IPv6 and IPSEC."
4SECTION = "mail" 4SECTION = "mail"
5LICENSE = "GPLv2 & MIT" 5LICENSE = "GPLv2 & MIT"
6LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c" 6LIC_FILES_CHKSUM = "file://COPYING;md5=ca53985c1fd053ae0bffffaa89ed49f1"
7 7
8DEPENDS = "openssl" 8DEPENDS = "openssl"
9 9
10SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ 10SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \
11 file://02_remove_SSLv3.patch \
12 " 11 "
13SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3" 12SRC_URI[md5sum] = "c2b836a919cdd4ec53b06b70e0aa3e63"
14SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850" 13SRC_URI[sha256sum] = "3f33f11dd08c3e8cc3e9d18eec686b1626d4818f4d5a72791507bbc4dce6a9a0"
15 14
16inherit autotools gettext python-dir pythonnative 15inherit autotools gettext python-dir pythonnative
17 16
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-25 16:50:37 +0000