From patchwork Wed Sep 5 21:02:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Khem Raj X-Patchwork-Id: 146045 Delivered-To: patch@linaro.org Received: by 2002:a2e:1648:0:0:0:0:0 with SMTP id 8-v6csp30018ljw; Wed, 5 Sep 2018 14:03:25 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbM9jr5s0XA6gW7gl66NIcGGHwdDfunJ2STravWBhV/apK1l6yCW+YonvE2biF7qQvMjpSJ X-Received: by 2002:a17:902:ba86:: with SMTP id k6-v6mr40883264pls.84.1536181405146; Wed, 05 Sep 2018 14:03:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536181405; cv=none; d=google.com; s=arc-20160816; b=JVyo6kh6Nn51FVP8NcGEiJwLUK5+p4u+cBBMsETr/cj/6U2oRVjp/pX1CKA+2ze9BE C0yCYmS2+0gte4qbLd8zLCd8r6XELoSOx5mO+ARI7ajb5NTG7mhYO+ztRpdhfxoz9lp0 bJ+iNYRzCHRkD0XIFKB7wRF+65+VJpaciQ+4yrC5AiSKUrBIM3bPkuz1bNow+DjAV0Zm wm/Ndh0r9Gj2hNC5N+64/dyBTbUeo2xP+6ZGjAaYJ8g09ZIkVznGGPe13m+8ucQhE2+j pkLH9B0JuIkaKq50q3sFc4P+da2WCklboFe+4PLcut4sV1NUzobt+tHhf6gSE5XqaUiX /bnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=sLtdGoiEtDNG+VEo1uxvItZpAL3FKrGeGzIqp8E0l9M=; b=rfp+V6juPB55R1pVdRNtMX7wiJtbqvb39l48dFW2yS2LBroVFyqvkCDu2aKbj4hr+B akI+NNmtqSMufmvXttspPdQfaRTgaKZI3a9nFyZhkAgyI15qHcwSRBTqyMgHA++taCdg hOd+OlMNprKEZuoO1mOUBTK5S5MN3VqDBSFlNnCRvlJbGEBGQWIQdMlKSFjLxHqNNpan Q6Ab6pzSt/Y9YACEstq3iTq9GSJiqKfy6X7G+C9rc6cvrW7Oxc6a7UdaUAe1k3b0oA8Q 3yUI2OHblFPax5yTUVEFbGBPKPGvDfsVWn/dQAtd2XcgF7yuCFZ4o3rdPP9oit1h30Ms 0iYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=eZV9KQq9; spf=pass (google.com: best guess record for domain of openembedded-devel-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-devel-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id w126-v6si3021074pfb.232.2018.09.05.14.03.24; Wed, 05 Sep 2018 14:03:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-devel-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=eZV9KQq9; spf=pass (google.com: best guess record for domain of openembedded-devel-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-devel-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from layers.openembedded.org (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id C099F794C8; Wed, 5 Sep 2018 21:02:58 +0000 (UTC) X-Original-To: openembedded-devel@lists.openembedded.org Delivered-To: openembedded-devel@lists.openembedded.org Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mail.openembedded.org (Postfix) with ESMTP id 0AD0B793FC for ; Wed, 5 Sep 2018 21:02:36 +0000 (UTC) Received: by mail-pf1-f171.google.com with SMTP id i26-v6so4077644pfo.12 for ; Wed, 05 Sep 2018 14:02:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=xXRx8fyqX6R1wmJxqNEYGOkZ40a1OQFlk/c1c2P5+uk=; b=eZV9KQq9PHlN2RDjNHLWZmVryAt8cxg3DD+q/2u8ojuhmRfVHCYu3Jeu9p6RNkXpdb hhdkZE7n0XvFE+NYrTdY02iGYcDc8VzRz54J0KK1SLAffFIawlqyDaQSpE1kg6jLwWo6 PKBth3pFTWESvFlCkeFdCkds63uvRlx5YgxGJxgLq8UaHUC8dHTWcRzhxKAIxx9wmVYQ hD0dXMHkVrSPpar+7qiqQ6nVhQersNiR5tC9JCBNss6Tc2nucyRbg0H+n6WLcwuugmvd /YAczJ3fArfbCZoLrycKho5Nyu6ROhYIKqYD8spjFcpAQmLeEvQdfk1WkpR1HM/g94KX cWrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=xXRx8fyqX6R1wmJxqNEYGOkZ40a1OQFlk/c1c2P5+uk=; b=iXjOgKs2MhboUG+rtrFcIhTAoQS++vaLEU8GIbE3xv9AJ7EqXOQTPKneVwUeNKSIw5 AMUEFTjmT+6gea8A04ioMe/mMn3Jm5e41MMaNTB66WVYw4C4C/DdYekRC5UQTqVlbPb3 Ow1vvgiJI9499MFKe5D7cNaZaRfO1J6R3KjjaqVoazxKzPvNLhZ/9e5FX5cAXUhO5Kht xOE0wioao0wG7Jax2fL3tqpp5/IyFX/sralBb0mcYuFa2XTPRG3ALsWZASb+GY6EwRFJ 9ItOhWO/PSCrtZFDXbrl5TOnwpxu5ymQ3GJsvoJlzdKp5yCCtfaOt33zEs6lbQSCak0c uk4w== X-Gm-Message-State: APzg51Du56Aba23hCVBJMV+8gSogcR0GcdnibAYh3/pJWM+F2U+ZK+l1 YHnAvn3jYlaUCt/JUrUT2LLveP8C X-Received: by 2002:a63:fb07:: with SMTP id o7-v6mr38358828pgh.333.1536181356564; Wed, 05 Sep 2018 14:02:36 -0700 (PDT) Received: from localhost.localdomain ([2601:646:877f:9499::71e7]) by smtp.gmail.com with ESMTPSA id e26-v6sm3689411pfi.70.2018.09.05.14.02.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Sep 2018 14:02:35 -0700 (PDT) From: Khem Raj To: openembedded-devel@lists.openembedded.org Date: Wed, 5 Sep 2018 14:02:17 -0700 Message-Id: <20180905210224.21225-5-raj.khem@gmail.com> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180905210224.21225-1-raj.khem@gmail.com> References: <20180905210224.21225-1-raj.khem@gmail.com> Subject: [oe] [meta-networking][PATCH 05/12] fetchmail: Fix build with OpenSSL X-BeenThere: openembedded-devel@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Using the OpenEmbedded metadata to build Distributions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-devel-bounces@lists.openembedded.org Errors-To: openembedded-devel-bounces@lists.openembedded.org Backport a patch from Debian Signed-off-by: Khem Raj --- .../fetchmail/fetchmail/02_remove_SSLv3.patch | 1576 +++++++++++++++++ .../fetchmail/fetchmail_6.3.26.bb | 4 +- 2 files changed, 1579 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch -- 2.18.0 -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch new file mode 100644 index 0000000000..95cfa2f4a1 --- /dev/null +++ b/meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch @@ -0,0 +1,1576 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + fetchmail (6.3.26-2) unstable; urgency=low + . + * New maintainer (closes: #800750). + * Backport upstream fix for SSLv3 removal (closes: #804604) and do not + recommend SSLv3 (closes: #801178). + * Remove quilt and its usage. + * Add dh-python to build depends. + * Update upstream URLs. + * Update watch file. + * Update Standards-Version to 3.9.6 . +Author: Laszlo Boszormenyi (GCS) +Bug-Debian: https://bugs.debian.org/800750 +Bug-Debian: https://bugs.debian.org/801178 +Bug-Debian: https://bugs.debian.org/804604 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- fetchmail-6.3.26.orig/Makefile.am ++++ fetchmail-6.3.26/Makefile.am +@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ +- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ ++ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ + xmalloc.h sdump.h sdump.c x509_name_match.c \ + fm_strl.h md5c.c + if NTLM_ENABLE +--- fetchmail-6.3.26.orig/Makefile.in ++++ fetchmail-6.3.26/Makefile.in +@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas + rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c ntlmsubr.c + @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) + am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ + rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ + servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ + smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ +- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ ++ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ + sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ + $(am__objects_1) + libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) +@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c $(am__append_1) + libfm_a_LIBADD = $(EXTRAOBJ) + libfm_a_DEPENDENCIES = $(EXTRAOBJ) +--- fetchmail-6.3.26.orig/NEWS ++++ fetchmail-6.3.26/NEWS +@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) + * The --bsmtp - mode of operation may be removed in a future release. + * Given that OpenSSL is severely underdocumented, and needs license exceptions, + fetchmail may switch to a different SSL library. +-* SSLv2 support will be removed from a future fetchmail release. It has been +- obsolete for more than a decade. + + -------------------------------------------------------------------------------- + +--- fetchmail-6.3.26.orig/README.SSL ++++ fetchmail-6.3.26/README.SSL +@@ -11,36 +11,45 @@ specific to fetchmail. + In case of troubles, mail the README.SSL-SERVER file to your ISP and + have them check their server configuration against it. + +-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether +-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is +-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot +-be fixed in a bugfix release. ++Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a ++service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) ++or is totally SSL-wrapped on a separate port. For compatibility ++reasons, this cannot be fixed in a bugfix or minor release. ++ ++Also, fetchmail 6.4.0 and newer releases changed some of the semantics ++as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. ++If your server does not support this, you may have to specify --sslproto ++ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 ++and v3 are broken. + +- -- Matthias Andree, 2009-05-09 ++ -- Matthias Andree, 2015-01-16 + + + Quickstart + ---------- + ++Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get ++TLSv1.2 support. ++ + For use of SSL or TLS with in-band negotiation on the regular service's port, + i. e. with STLS or STARTTLS, use these command line options + +- --sslproto tls1 --sslcertck ++ --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- sslproto tls1 sslcertck ++ sslproto auto sslcertck + + + For use of SSL or TLS on a separate port, if the whole TCP connection is +-SSL-encrypted from the very beginning, use these command line options (in the +-rcfile, omit all leading "--"): ++SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these ++command line options (in the rcfile, omit all leading "--"): + +- --ssl --sslproto ssl3 --sslcertck ++ --ssl --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- ssl sslproto ssl3 sslcertck ++ ssl sslproto auto sslcertck + + + Background and use (long version :-)) +--- fetchmail-6.3.26.orig/config.h.in ++++ fetchmail-6.3.26/config.h.in +@@ -49,9 +49,9 @@ + don't. */ + #undef HAVE_DECL_H_ERRNO + +-/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 ++/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 + if you don't. */ +-#undef HAVE_DECL_SSLV2_CLIENT_METHOD ++#undef HAVE_DECL_SSLV3_CLIENT_METHOD + + /* Define to 1 if you have the declaration of `strerror', and to 0 if you + don't. */ +--- fetchmail-6.3.26.orig/configure ++++ fetchmail-6.3.26/configure +@@ -1,13 +1,11 @@ + #! /bin/sh + # Guess values for system-dependent variables and create Makefiles. +-# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. ++# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. + # + # Report bugs to . + # + # +-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +-# Foundation, Inc. ++# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. + # + # + # This configure script is free software; the Free Software Foundation +@@ -136,6 +134,31 @@ export LANGUAGE + # CDPATH. + (unset CDPATH) >/dev/null 2>&1 && unset CDPATH + ++# Use a proper internal environment variable to ensure we don't fall ++ # into an infinite loop, continuously re-executing ourselves. ++ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then ++ _as_can_reexec=no; export _as_can_reexec; ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++as_fn_exit 255 ++ fi ++ # We don't want this to propagate to other subprocesses. ++ { _as_can_reexec=; unset _as_can_reexec;} + if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh +@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test + else + exitcode=1; echo positional parameters were not saved. + fi +-test x\$exitcode = x0 || exit 1" ++test x\$exitcode = x0 || exit 1 ++test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && +@@ -214,21 +238,25 @@ IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : +- # We cannot yet assume a decent shell, so we have to provide a +- # neutralization value for shells without unset; and this also +- # works around shells that cannot unset nonexistent variables. +- # Preserve -v and -x to the replacement shell. +- BASH_ENV=/dev/null +- ENV=/dev/null +- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +- export CONFIG_SHELL +- case $- in # (((( +- *v*x* | *x*v* ) as_opts=-vx ;; +- *v* ) as_opts=-v ;; +- *x* ) as_opts=-x ;; +- * ) as_opts= ;; +- esac +- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} ++ export CONFIG_SHELL ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++exit 255 + fi + + if test x$as_have_required = xno; then : +@@ -331,6 +359,14 @@ $as_echo X"$as_dir" | + + + } # as_fn_mkdir_p ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. ++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p + # as_fn_append VAR VALUE + # ---------------------- + # Append the text in VALUE to the end of the definition contained in VAR. Take +@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + ++ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have ++ # already done that, so ensure we don't try to do so again and fall ++ # in an infinite loop. This has already happened in practice. ++ _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). +@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -507,28 +547,8 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -742,6 +762,7 @@ infodir + docdir + oldincludedir + includedir ++runstatedir + localstatedir + sharedstatedir + sysconfdir +@@ -841,6 +862,7 @@ datadir='${datarootdir}' + sysconfdir='${prefix}/etc' + sharedstatedir='${prefix}/com' + localstatedir='${prefix}/var' ++runstatedir='${localstatedir}/run' + includedir='${prefix}/include' + oldincludedir='/usr/include' + docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +@@ -1093,6 +1115,15 @@ do + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + ++ -runstatedir | --runstatedir | --runstatedi | --runstated \ ++ | --runstate | --runstat | --runsta | --runst | --runs \ ++ | --run | --ru | --r) ++ ac_prev=runstatedir ;; ++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ ++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ ++ | --run=* | --ru=* | --r=*) ++ runstatedir=$ac_optarg ;; ++ + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +@@ -1230,7 +1261,7 @@ fi + for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir ++ libdir localedir mandir runstatedir + do + eval ac_val=\$$ac_var + # Remove trailing slashes. +@@ -1258,8 +1289,6 @@ target=$target_alias + if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe +- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. +- If a cross compiler is detected then cross compile mode will be used" >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +@@ -1385,6 +1414,7 @@ Fine tuning of the installation director + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] ++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] +@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat + if $ac_init_version; then + cat <<\_ACEOF + fetchmail configure 6.3.26 +-generated by GNU Autoconf 2.68 ++generated by GNU Autoconf 2.69 + +-Copyright (C) 2010 Free Software Foundation, Inc. ++Copyright (C) 2012 Free Software Foundation, Inc. + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + _ACEOF +@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext ++ test -x conftest$ac_exeext + }; then : + ac_retval=0 + else +@@ -2030,7 +2060,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2046,7 +2077,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2072,7 +2104,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) < 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2088,7 +2121,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2122,7 +2156,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2195,7 +2230,7 @@ This file contains any messages produced + running configure, to aid debugging if configure makes a mistake. + + It was created by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +@@ -2689,7 +2724,7 @@ case $as_dir/ in #(( + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. +@@ -2858,7 +2893,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2898,7 +2933,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2949,7 +2984,7 @@ do + test -z "$as_dir" && as_dir=. + for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do +- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue ++ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ +@@ -3002,7 +3037,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3295,7 +3330,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3466,7 +3501,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3512,7 +3547,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3552,7 +3587,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3605,7 +3640,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3646,7 +3681,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue +@@ -3704,7 +3739,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3748,7 +3783,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ + /* end confdefs.h. */ + #include + #include +-#include +-#include ++struct stat; + /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ + struct buf { int x; }; + FILE * (*rcsopen) (struct buf *, struct stat *, int); +@@ -4751,7 +4785,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4791,7 +4825,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4859,7 +4893,7 @@ do + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue ++ as_fn_executable_p "$ac_path_GREP" || continue + # Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP + case `"$ac_path_GREP" --version 2>&1` in +@@ -4925,7 +4959,7 @@ do + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue ++ as_fn_executable_p "$ac_path_EGREP" || continue + # Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP + case `"$ac_path_EGREP" --version 2>&1` in +@@ -5132,8 +5166,8 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +-# define __EXTENSIONS__ 1 +- $ac_includes_default ++# define __EXTENSIONS__ 1 ++ $ac_includes_default + int + main () + { +@@ -5513,11 +5547,11 @@ else + int + main () + { +-/* FIXME: Include the comments suggested by Paul. */ ++ + #ifndef __cplusplus +- /* Ultrix mips cc rejects this. */ ++ /* Ultrix mips cc rejects this sort of thing. */ + typedef int charset[2]; +- const charset cs; ++ const charset cs = { 0, 0 }; + /* SunOS 4.1.1 cc rejects this. */ + char const *const *pcpcc; + char **ppc; +@@ -5534,8 +5568,9 @@ main () + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; +- { /* SCO 3.2v4 cc rejects this. */ +- char *t; ++ { /* SCO 3.2v4 cc rejects this sort of thing. */ ++ char tx; ++ char *t = &tx; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; +@@ -5551,10 +5586,10 @@ main () + iptr p = 0; + ++p; + } +- { /* AIX XL C 1.02.0.0 rejects this saying ++ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ +- struct s { int j; const int *ap[3]; }; +- struct s *b; b->j = 5; ++ struct s { int j; const int *ap[3]; } bx; ++ struct s *b = &bx; b->j = 5; + } + { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; +@@ -5600,7 +5635,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_LEX="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -5632,7 +5667,8 @@ a { ECHO; } + b { REJECT; } + c { yymore (); } + d { yyless (1); } +-e { yyless (input () != 0); } ++e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ ++ yyless ((input () != 0)); } + f { unput (yytext[0]); } + . { BEGIN INITIAL; } + %% +@@ -5792,7 +5828,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_YACC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -6044,7 +6080,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8548,7 +8584,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8590,7 +8626,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8632,7 +8668,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r + fi + + case "$LIBS" in *-lssl*) +- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include ++ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include + " +-if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : ++if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : + ac_have_decl=1 + else + ac_have_decl=0 + fi + + cat >>confdefs.h <<_ACEOF +-#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl ++#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl + _ACEOF + + ;; +@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -11403,28 +11439,16 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. ++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri + # values after options handling. + ac_log=" + This file was extended by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS +@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ + ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" + ac_cs_version="\\ + fetchmail config.status 6.3.26 +-configured by $0, generated by GNU Autoconf 2.68, ++configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +-Copyright (C) 2010 Free Software Foundation, Inc. ++Copyright (C) 2012 Free Software Foundation, Inc. + This config.status script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it." + +@@ -11606,7 +11630,7 @@ fi + _ACEOF + cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + if \$ac_cs_recheck; then +- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion ++ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' +--- fetchmail-6.3.26.orig/configure.ac ++++ fetchmail-6.3.26/configure.ac +@@ -802,7 +802,7 @@ else + fi + + case "$LIBS" in *-lssl*) +- AC_CHECK_DECLS([SSLv2_client_method],,,[#include ]) ++ AC_CHECK_DECLS([SSLv3_client_method],,,[#include ]) + ;; + esac + +--- fetchmail-6.3.26.orig/fetchmail-FAQ.html ++++ fetchmail-6.3.26/fetchmail-FAQ.html +@@ -667,8 +667,8 @@ because there is not currently a standar + also uses this method, so the two will interoperate happily. They + better, because this is how Craig gets his mail ;-)

+ +-

Finally, you can use SSL for complete +-end-to-end encryption if you have an SSL-enabled mailserver.

++

Finally, you can use SSL or TLS for complete ++end-to-end encryption if you have a TLS-enabled mailserver.

+ +

G11. Is any special configuration needed + to use a dynamic IP address?

+@@ -2120,7 +2120,7 @@ SSL? + +

You'll need to have the OpenSSL libraries installed, and they +-should at least be version 0.9.7. ++should at least be version 0.9.8, with 1.0.1 preferred. + Configure with --with-ssl. If you have the OpenSSL libraries + installed in commonly-used default locations, this will + suffice. If you have them installed in a non-default location, +@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.

+

Fetchmail binaries built this way support ssl, + sslkey, and sslcert options that control + SSL encryption, and will automatically use tls if the +-server offers it. You will need to have an SSL-enabled mailserver to ++server offers it. You will need to have an SSL/TLS-enabled mailserver to + use these options. See the manual page for details and some words + of care on the limited security provided.

+ +@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s + protocol imap username MYUSERNAME password MYPASSWORD + + +-

You should note that SSL is only secure against a "man-in-the-middle" +-attack if the client is able to verify that the peer's public key is the +-correct one, and has not been substituted by an attacker. fetchmail can do +-this in one of two ways: by verifying the SSL certificate, or by checking +-the fingerprint of the peer's public key.

++

You should note that SSL or TLS are only secure against a ++"man-in-the-middle" attack if the client is able to verify that the ++peer's public key is the correct one, and has not been substituted by an ++attacker. fetchmail can do this in one of two ways: by verifying the SSL ++certificate, or by checking the fingerprint of the peer's public ++key.

+ +-

There are three parts to SSL certificate verification: checking that the ++

There are three parts to TLS certificate verification: checking that the + domain name in the certificate matches the hostname you asked to connect to; + checking that the certificate expiry date has not passed; and checking that + the certificate has been signed by a known Certificate Authority (CA). This +@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati + time. This can however cause problems if the upstream didn't configure + his certificates properly.

+ +-

In order to prevent fetchmail from trying TLS (STLS, STARTTLS) +-negotiation, add this option:

++

In order to prevent fetchmail 6.4.0 and newer versions from trying ++STLS or STARTTLS negotiation, add this option:

++
sslproto ''
++ ++

In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) ++negotiation where the above does not work, try this option:

+ +
sslproto ssl23
+ +@@ -2876,15 +2881,22 @@ need to say something like 'envelo + +
+ Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
+-    by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
+-    for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700
++    by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
++    for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700
+ 
+ +-

it checks to see if 'iserv.ttns.net' is a DNS alias of your +-mailserver before accepting 'ksturgeon@fbceg.org' as an envelope ++

it checks to see if 'iserv.example.net' is a DNS alias of your ++mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope + address. This check might fail if your DNS were misconfigured, or +-if you were using 'no dns' and had failed to declare iserv.ttns.net +-as an alias of your server.

++if you were using 'no dns' and had failed to declare iserv.example.net ++as an alias of your server. The typical hint is logging similar to: ++line rejected, iserv.example.net is not an alias of the mailserver, ++if you use fetchmail in verbose mode.

++ ++

Workaround: You can specify the alias explicitly, with aka ++ iserv.example.net statements in the rcfile. Replace ++iserv.example.net by the name you find in your ++'by' part of the 'Received:' line.

+ +

M8. Users are getting multiple copies of + messages.

+@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".

+

X8. A spurious ) is being appended to my + messages.

+ ++

Fetchmail 6.3.5 and newer releases are supposed to fix this.

++ +

Due to the problem described in S2, the + IMAP support in fetchmail cannot follow the IMAP protocol 100 %. + Most of the time it doesn't matter, but if you combine it with an +@@ -3279,8 +3293,6 @@ it at the end of the message it forwards + on, you'll get a message about actual != expected. + + +-

There is no fix for this.

+- +

X9. Missing "Content-Transfer-Encoding" header + with Domino IMAP

+ +--- fetchmail-6.3.26.orig/fetchmail.c ++++ fetchmail-6.3.26/fetchmail.c +@@ -54,6 +54,10 @@ + #define ENETUNREACH 128 /* Interactive doesn't know this */ + #endif /* ENETUNREACH */ + ++#ifdef SSL_ENABLE ++#include /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ ++#endif ++ + /* prototypes for internal functions */ + static int load_params(int, char **, int); + static void dump_params (struct runctl *runp, struct query *, flag implicit); +@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { + "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" + " Robert M. Funk, Graham Wilson\n" + "Copyright (C) 2005 - 2012 Sunil Shetye\n" +- "Copyright (C) 2005 - 2013 Matthias Andree\n" ++ "Copyright (C) 2005 - 2015 Matthias Andree\n" + )); + fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" + "are welcome to redistribute it under certain conditions. For details,\n" +@@ -262,6 +266,9 @@ int main(int argc, char **argv) + #endif /* ODMR_ENABLE */ + #ifdef SSL_ENABLE + "+SSL" ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) ++ "-SSLv3" ++#endif + #endif + #ifdef OPIE_ENABLE + "+OPIE" +--- fetchmail-6.3.26.orig/fetchmail.h ++++ fetchmail-6.3.26/fetchmail.h +@@ -771,9 +771,9 @@ int servport(const char *service); + int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); + void fm_freeaddrinfo(struct addrinfo *ai); + +-/* prototypes from tls.c */ +-int maybe_tls(struct query *ctl); +-int must_tls(struct query *ctl); ++/* prototypes from starttls.c */ ++int maybe_starttls(struct query *ctl); ++int must_starttls(struct query *ctl); + + /* prototype from rfc822valid.c */ + int rfc822_valid_msgid(const unsigned char *); +--- fetchmail-6.3.26.orig/fetchmail.man ++++ fetchmail-6.3.26/fetchmail.man +@@ -412,23 +412,22 @@ from. The folder information is written + .B \-\-ssl + (Keyword: ssl) + .br +-Causes the connection to the mail server to be encrypted +-via SSL. Connect to the server using the specified base protocol over a +-connection secured by SSL. This option defeats opportunistic starttls +-negotiation. It is highly recommended to use \-\-sslproto 'SSL3' +-\-\-sslcertck to validate the certificates presented by the server and +-defeat the obsolete SSLv2 negotiation. More information is available in +-the \fIREADME.SSL\fP file that ships with fetchmail. +-.IP +-Note that fetchmail may still try to negotiate SSL through starttls even +-if this option is omitted. You can use the \-\-sslproto option to defeat +-this behavior or tell fetchmail to negotiate a particular SSL protocol. ++Causes the connection to the mail server to be encrypted via SSL, by ++negotiating SSL directly after connecting (SSL-wrapped mode). It is ++highly recommended to use \-\-sslcertck to validate the certificates ++presented by the server. Please see the description of \-\-sslproto ++below! More information is available in the \fIREADME.SSL\fP file that ++ships with fetchmail. ++.IP ++Note that even if this option is omitted, fetchmail may still negotiate ++SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You ++can use the \-\-sslproto option to modify that behavior. + .IP + If no port is specified, the connection is attempted to the well known + port of the SSL version of the base protocol. This is generally a + different port than the port used by the base protocol. For IMAP, this + is port 143 for the clear protocol and port 993 for the SSL secured +-protocol, for POP3, it is port 110 for the clear text and port 995 for ++protocol; for POP3, it is port 110 for the clear text and port 995 for + the encrypted variant. + .IP + If your system lacks the corresponding entries from /etc/services, see +@@ -470,39 +469,73 @@ cause some complications in daemon mode. + .IP + Also see \-\-sslcert above. + .TP +-.B \-\-sslproto +-(Keyword: sslproto) ++.B \-\-sslproto ++(Keyword: sslproto, NOTE: semantic changes since v6.4.0) + .br +-Forces an SSL/TLS protocol. Possible values are \fB''\fP, +-\&'\fBSSL2\fP' (not supported on all systems), +-\&'\fBSSL23\fP', (use of these two values is discouraged +-and should only be used as a last resort) \&'\fBSSL3\fP', and +-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for +-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will +-opportunistically try STARTTLS negotiation with TLS1. You can configure +-this option explicitly if the default handshake (TLS1 if \-\-ssl is not +-used) does not work for your server. +-.IP +-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS +-connection. In this mode, it is highly recommended to also use +-\-\-sslcertck (see below). Note that this will then cause fetchmail +-v6.3.19 to force STARTTLS negotiation even if it is not advertised by +-the server. +-.IP +-To defeat opportunistic TLSv1 negotiation when the server advertises +-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This +-option, even if the argument is the empty string, will also suppress the +-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose +-mode. The default is to try appropriate protocols depending on context. ++This option has a dual use, out of historic fetchmail behaviour. It ++controls both the SSL/TLS protocol version and, if \-\-ssl is not ++specified, the STARTTLS behaviour (upgrading the protocol to an SSL or ++TLS connection in-band). Some other options may however make TLS ++mandatory. ++.PP ++Only if this option and \-\-ssl are both missing for a poll, there will ++be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to ++upgrade to TLSv1 or newer. ++.PP ++Recognized values for \-\-sslproto are given below. You should normally ++chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of ++the options ending in a plus (\fB+\fP) character. Note that depending ++on OpenSSL library version and configuration, some options cause ++run-time errors because the requested SSL or TLS versions are not ++supported by the particular installed OpenSSL library. ++.RS ++.IP "\fB''\fP, the empty string" ++Disable STARTTLS. If \-\-ssl is given for the same server, log an error ++and pretend that '\fBauto\fP' had been used instead. ++.IP '\fBauto\fP' ++(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. ++(fetchmail 6.3.26 and older have auto-negotiated all protocols that ++their OpenSSL library supported, including the broken SSLv3). ++.IP "\&'\fBSSL23\fP' ++see '\fBauto\fP'. ++.IP \&'\fBSSL3\fP' ++Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it ++if possible. This will make fetchmail negotiate SSLv3 only, and is the ++only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBSSL3+\fP' ++same as '\fBauto\fP', but permit SSLv3 as well. This is the only way ++besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBTLS1\fP' ++Require TLSv1. This does not negotiate TLSv1.1 or newer, and is ++discouraged. Replace by TLS1+ unless the latter chokes your server. ++.IP \&'\fBTLS1+\fP' ++Since v6.4.0. See 'fBauto\fP'. ++.IP \&'\fBTLS1.1\fP' ++Since v6.4.0. Require TLS v1.1 exactly. ++.IP \&'\fBTLS1.1+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. ++.IP \&'\fBTLS1.2\fP' ++Since v6.4.0. Require TLS v1.2 exactly. ++.IP '\fBTLS1.2+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. ++.IP "Unrecognized parameters" ++are treated the same as '\fBauto\fP'. ++.RE ++.IP ++NOTE: you should hardly ever need to use anything other than '' (to ++force an unencrypted connection) or 'auto' (to enforce TLS). + .TP + .B \-\-sslcertck + (Keyword: sslcertck) + .br +-Causes fetchmail to strictly check the server certificate against a set of +-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP +-options). If the server certificate cannot be obtained or is not signed by one +-of the trusted ones (directly or indirectly), the SSL connection will fail, +-regardless of the \fBsslfingerprint\fP option. ++Causes fetchmail to require that SSL/TLS be used and disconnect if it ++can not successfully negotiate SSL or TLS, or if it cannot successfully ++verify and validate the certificate and follow it to a trust anchor (or ++trusted root certificate). The trust anchors are given as a set of local ++trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP ++options). If the server certificate cannot be obtained or is not signed ++by one of the trusted ones (directly or indirectly), fetchmail will ++disconnect, regardless of the \fBsslfingerprint\fP option. + .IP + Note that CRL (certificate revocation lists) are only supported in + OpenSSL 0.9.7 and newer! Your system clock should also be reasonably +@@ -1202,31 +1235,33 @@ capability response. Specify a user opti + username and the part to the right as the NTLM domain. + + .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) ++.PP All retrieval protocols can use SSL or TLS wrapping for the ++transport. Additionally, POP3 and IMAP retrival can also negotiate ++SSL/TLS by means of STARTTLS (or STLS). + .PP + Note that fetchmail currently uses the OpenSSL library, which is + severely underdocumented, so failures may occur just because the + programmers are not aware of OpenSSL's requirement of the day. + For instance, since v6.3.16, fetchmail calls + OpenSSL_add_all_algorithms(), which is necessary to support certificates +-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the +-documentation and not at all obvious. Please do not hesitate to report +-subtle SSL failures. +-.PP +-You can access SSL encrypted services by specifying the \-\-ssl option. +-You can also do this using the "ssl" user option in the .fetchmailrc +-file. With SSL encryption enabled, queries are initiated over a +-connection after negotiating an SSL session, and the connection fails if +-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have ++using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in ++the documentation and not at all obvious. Please do not hesitate to ++report subtle SSL failures. ++.PP ++You can access SSL encrypted services by specifying the options starting ++with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. ++You can also do this using the corresponding user options in the .fetchmailrc ++file. Some services, such as POP3 and IMAP, have + different well known ports defined for the SSL encrypted services. The + encrypted ports will be selected automatically when SSL is enabled and +-no explicit port is specified. The \-\-sslproto 'SSL3' option should be +-used to select the SSLv3 protocol (default if unset: v2 or v3). Also, +-the \-\-sslcertck command line or sslcertck run control file option +-should be used to force strict certificate checking - see below. ++no explicit port is specified. Also, the \-\-sslcertck command line or ++sslcertck run control file option should be used to force strict ++certificate checking - see below. + .PP + If SSL is not configured, fetchmail will usually opportunistically try to use +-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS +-connections use the same port as the unencrypted version of the ++STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and ++defeated by using \-\-sslproto\~''. ++TLS connections use the same port as the unencrypted version of the + protocol and negotiate TLS via special command. The \-\-sslcertck + command line or sslcertck run control file option should be used to + force strict certificate checking - see below. +--- fetchmail-6.3.26.orig/imap.c ++++ fetchmail-6.3.26/imap.c +@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct + /* apply for connection authorization */ + { + int ok = 0; ++ char *commonname; ++ + (void)greeting; + + /* +@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct + return(PS_SUCCESS); + } + +-#ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; +- +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- if (strstr(capabilities, "STARTTLS") +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++#ifdef SSL_ENABLE ++ if (maybe_starttls(ctl)) { ++ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) ++ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STARTTLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct + /* Usable. Proceed with authenticating insecurely. */ + } + } ++ } else { ++ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); ++ } + } + #endif /* SSL_ENABLE */ + +--- fetchmail-6.3.26.orig/po/Makevars ++++ fetchmail-6.3.26/po/Makevars +@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis + # This is the list of locale categories, beyond LC_MESSAGES, for which the + # message catalogs shall be used. It is usually empty. + EXTRA_LOCALE_CATEGORIES = ++ ++# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' ++# context. Possible values are "yes" and "no". Set this to yes if the ++# package uses functions taking also a message context, like pgettext(), or ++# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. ++USE_MSGCTXT = no ++ ++# These options get passed to msgmerge. ++# Useful options are in particular: ++# --previous to keep previous msgids of translated messages, ++# --quiet to reduce the verbosity. ++MSGMERGE_OPTIONS = +--- fetchmail-6.3.26.orig/pop3.c ++++ fetchmail-6.3.26/pop3.c +@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct + #endif /* OPIE_ENABLE */ + #ifdef SSL_ENABLE + flag connection_may_have_tls_errors = FALSE; ++ char *commonname; + #endif /* SSL_ENABLE */ + + done_capa = FALSE; +@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct + (ctl->server.authenticate == A_KERBEROS_V5) || + (ctl->server.authenticate == A_OTP) || + (ctl->server.authenticate == A_CRAM_MD5) || +- maybe_tls(ctl)) ++ maybe_starttls(ctl)) + { + if ((ok = capa_probe(sock)) != PS_SUCCESS) + /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ +@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct + (ok == PS_SOCKET && !ctl->wehaveauthed)) + { + #ifdef SSL_ENABLE +- if (must_tls(ctl)) { ++ if (must_starttls(ctl)) { + /* fail with mandatory STLS without repoll */ + report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); + report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); + return ok; +- } else if (maybe_tls(ctl)) { ++ } else if (maybe_starttls(ctl)) { + /* defeat opportunistic STLS */ + xfree(ctl->sslproto); + ctl->sslproto = xstrdup(""); +@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct + } + + #ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; +- +- if (has_stls +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++ if (maybe_starttls(ctl)) { ++ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct + } + } + } +- } /* maybe_tls() */ ++ } else { /* maybe_starttls() */ ++ if (has_stls && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); ++ } ++ } /* maybe_starttls() */ + #endif /* SSL_ENABLE */ + + /* +--- fetchmail-6.3.26.orig/socket.c ++++ fetchmail-6.3.26/socket.c +@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char + { + struct stat randstat; + int i; ++ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + long sslopts = SSL_OP_ALL; ++ int ssle_connect = 0; + + SSL_load_error_strings(); + SSL_library_init(); +@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char + /* Make sure a connection referring to an older context is not left */ + _ssl_context[sock] = NULL; + if(myproto) { +- if(!strcasecmp("ssl2",myproto)) { +-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 +- _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); ++ if(!strcasecmp("ssl3",myproto)) { ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) ++ _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; + #else +- report(stderr, GT_("Your operating system does not support SSLv2.\n")); ++ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); + return -1; + #endif +- } else if(!strcasecmp("ssl3",myproto)) { +- _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++ } else if(!strcasecmp("ssl3+",myproto)) { ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; ++ myproto = NULL; + } else if(!strcasecmp("tls1",myproto)) { + _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); +- } else if (!strcasecmp("ssl23",myproto)) { ++ } else if(!strcasecmp("tls1+",myproto)) { ++ myproto = NULL; ++#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION ++ } else if(!strcasecmp("tls1.1",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); ++ } else if(!strcasecmp("tls1.1+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++#else ++ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); ++ return -1; ++#endif ++#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION ++ } else if(!strcasecmp("tls1.2",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); ++ } else if(!strcasecmp("tls1.2+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; ++#else ++ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); ++ return -1; ++#endif ++ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { + myproto = NULL; + } else { +- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); ++ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); + myproto = NULL; + } + } +- if(!myproto) { ++ // do not combine into an else { } as myproto may be nulled ++ // above! ++ if (!myproto) { ++ // SSLv23 is a misnomer and will in fact use the best ++ // available protocol, subject to SSL_OP_NO* ++ // constraints. + _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); + } + if(_ctx[sock] == NULL) { +@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char + sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + +- SSL_CTX_set_options(_ctx[sock], sslopts); ++ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); + + if (certck) { + SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); +@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char + } + + if (SSL_set_fd(_ssl_context[sock], sock) == 0 +- || SSL_connect(_ssl_context[sock]) < 1) { ++ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { ++ int e = errno; ++ unsigned long ssle_err_from_queue = ERR_peek_error(); ++ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); + ERR_print_errors_fp(stderr); ++ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { ++ if (0 == ssle_connect) { ++ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); ++ } else if (ssle_connect < 0) { ++ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); ++ } ++ } + SSL_free( _ssl_context[sock] ); + _ssl_context[sock] = NULL; + SSL_CTX_free(_ctx[sock]); +@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char + return(-1); + } + ++ if (outlevel >= O_VERBOSE) { ++ SSL_CIPHER const *sc; ++ int bitsmax, bitsused; ++ ++ const char *ver; ++ ++ ver = SSL_get_version(_ssl_context[sock]); ++ ++ sc = SSL_get_current_cipher(_ssl_context[sock]); ++ if (!sc) { ++ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); ++ } else { ++ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); ++ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), ++ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); ++ } ++ } ++ + /* Paranoia: was the callback not called as we expected? */ + if (!_depth0ck) { + report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); +--- /dev/null ++++ fetchmail-6.3.26/starttls.c +@@ -0,0 +1,37 @@ ++/** \file tls.c - collect common TLS functionality ++ * \author Matthias Andree ++ * \date 2006 ++ */ ++ ++#include "fetchmail.h" ++ ++#include ++ ++#ifdef HAVE_STRINGS_H ++#include ++#endif ++ ++/** return true if user allowed opportunistic STARTTLS/STLS */ ++int maybe_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ /* opportunistic or forced TLS */ ++ return (!ctl->sslproto || strlen(ctl->sslproto)) ++ && !ctl->use_ssl; ++#else ++ (void)ctl; ++ return 0; ++#endif ++} ++ ++/** return true if user requires STARTTLS/STLS, note though that this ++ * code must always use a logical AND with maybe_tls(). */ ++int must_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ return maybe_starttls(ctl) ++ && (ctl->sslfingerprint || ctl->sslcertck ++ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); ++#else ++ (void)ctl; ++ return 0; ++#endif ++} diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb index 1d78288c88..5af5d0df62 100644 --- a/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb +++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.3.26.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c" DEPENDS = "openssl" -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz" +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ + file://02_remove_SSLv3.patch \ + " SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3" SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850"