new file mode 100644
@@ -0,0 +1,1576 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ fetchmail (6.3.26-2) unstable; urgency=low
+ .
+ * New maintainer (closes: #800750).
+ * Backport upstream fix for SSLv3 removal (closes: #804604) and do not
+ recommend SSLv3 (closes: #801178).
+ * Remove quilt and its usage.
+ * Add dh-python to build depends.
+ * Update upstream URLs.
+ * Update watch file.
+ * Update Standards-Version to 3.9.6 .
+Author: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Bug-Debian: https://bugs.debian.org/800750
+Bug-Debian: https://bugs.debian.org/801178
+Bug-Debian: https://bugs.debian.org/804604
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- fetchmail-6.3.26.orig/Makefile.am
++++ fetchmail-6.3.26/Makefile.am
+@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8
+ servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
+ smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
+ libesmtp/gethostbyname.h libesmtp/gethostbyname.c \
+- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \
++ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \
+ xmalloc.h sdump.h sdump.c x509_name_match.c \
+ fm_strl.h md5c.c
+ if NTLM_ENABLE
+--- fetchmail-6.3.26.orig/Makefile.in
++++ fetchmail-6.3.26/Makefile.in
+@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas
+ rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
+ smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
+ libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
+- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
+ x509_name_match.c fm_strl.h md5c.c ntlmsubr.c
+ @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT)
+ am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \
+ rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \
+ servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \
+ smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \
+- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \
++ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \
+ sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \
+ $(am__objects_1)
+ libfm_a_OBJECTS = $(am_libfm_a_OBJECTS)
+@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc
+ servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
+ smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
+ libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
+- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
+ x509_name_match.c fm_strl.h md5c.c $(am__append_1)
+ libfm_a_LIBADD = $(EXTRAOBJ)
+ libfm_a_DEPENDENCIES = $(EXTRAOBJ)
+--- fetchmail-6.3.26.orig/NEWS
++++ fetchmail-6.3.26/NEWS
+@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.)
+ * The --bsmtp - mode of operation may be removed in a future release.
+ * Given that OpenSSL is severely underdocumented, and needs license exceptions,
+ fetchmail may switch to a different SSL library.
+-* SSLv2 support will be removed from a future fetchmail release. It has been
+- obsolete for more than a decade.
+
+ --------------------------------------------------------------------------------
+
+--- fetchmail-6.3.26.orig/README.SSL
++++ fetchmail-6.3.26/README.SSL
+@@ -11,36 +11,45 @@ specific to fetchmail.
+ In case of troubles, mail the README.SSL-SERVER file to your ISP and
+ have them check their server configuration against it.
+
+-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether
+-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is
+-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot
+-be fixed in a bugfix release.
++Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a
++service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4)
++or is totally SSL-wrapped on a separate port. For compatibility
++reasons, this cannot be fixed in a bugfix or minor release.
++
++Also, fetchmail 6.4.0 and newer releases changed some of the semantics
++as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
++If your server does not support this, you may have to specify --sslproto
++ssl3. This is in order to prefer the newer TLS protocols, because SSLv2
++and v3 are broken.
+
+- -- Matthias Andree, 2009-05-09
++ -- Matthias Andree, 2015-01-16
+
+
+ Quickstart
+ ----------
+
++Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get
++TLSv1.2 support.
++
+ For use of SSL or TLS with in-band negotiation on the regular service's port,
+ i. e. with STLS or STARTTLS, use these command line options
+
+- --sslproto tls1 --sslcertck
++ --sslproto auto --sslcertck
+
+ or these options in the rcfile (after the respective "user"... options)
+
+- sslproto tls1 sslcertck
++ sslproto auto sslcertck
+
+
+ For use of SSL or TLS on a separate port, if the whole TCP connection is
+-SSL-encrypted from the very beginning, use these command line options (in the
+-rcfile, omit all leading "--"):
++SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
++command line options (in the rcfile, omit all leading "--"):
+
+- --ssl --sslproto ssl3 --sslcertck
++ --ssl --sslproto auto --sslcertck
+
+ or these options in the rcfile (after the respective "user"... options)
+
+- ssl sslproto ssl3 sslcertck
++ ssl sslproto auto sslcertck
+
+
+ Background and use (long version :-))
+--- fetchmail-6.3.26.orig/config.h.in
++++ fetchmail-6.3.26/config.h.in
+@@ -49,9 +49,9 @@
+ don't. */
+ #undef HAVE_DECL_H_ERRNO
+
+-/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0
++/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0
+ if you don't. */
+-#undef HAVE_DECL_SSLV2_CLIENT_METHOD
++#undef HAVE_DECL_SSLV3_CLIENT_METHOD
+
+ /* Define to 1 if you have the declaration of `strerror', and to 0 if you
+ don't. */
+--- fetchmail-6.3.26.orig/configure
++++ fetchmail-6.3.26/configure
+@@ -1,13 +1,11 @@
+ #! /bin/sh
+ # Guess values for system-dependent variables and create Makefiles.
+-# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26.
++# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26.
+ #
+ # Report bugs to <fetchmail-users@lists.berlios.de>.
+ #
+ #
+-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
+-# Foundation, Inc.
++# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
+ #
+ #
+ # This configure script is free software; the Free Software Foundation
+@@ -136,6 +134,31 @@ export LANGUAGE
+ # CDPATH.
+ (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
++# Use a proper internal environment variable to ensure we don't fall
++ # into an infinite loop, continuously re-executing ourselves.
++ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
++ _as_can_reexec=no; export _as_can_reexec;
++ # We cannot yet assume a decent shell, so we have to provide a
++# neutralization value for shells without unset; and this also
++# works around shells that cannot unset nonexistent variables.
++# Preserve -v and -x to the replacement shell.
++BASH_ENV=/dev/null
++ENV=/dev/null
++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
++case $- in # ((((
++ *v*x* | *x*v* ) as_opts=-vx ;;
++ *v* ) as_opts=-v ;;
++ *x* ) as_opts=-x ;;
++ * ) as_opts= ;;
++esac
++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
++# Admittedly, this is quite paranoid, since all the known shells bail
++# out after a failed `exec'.
++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
++as_fn_exit 255
++ fi
++ # We don't want this to propagate to other subprocesses.
++ { _as_can_reexec=; unset _as_can_reexec;}
+ if test "x$CONFIG_SHELL" = x; then
+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test
+ else
+ exitcode=1; echo positional parameters were not saved.
+ fi
+-test x\$exitcode = x0 || exit 1"
++test x\$exitcode = x0 || exit 1
++test -x / || exit 1"
+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
+@@ -214,21 +238,25 @@ IFS=$as_save_IFS
+
+
+ if test "x$CONFIG_SHELL" != x; then :
+- # We cannot yet assume a decent shell, so we have to provide a
+- # neutralization value for shells without unset; and this also
+- # works around shells that cannot unset nonexistent variables.
+- # Preserve -v and -x to the replacement shell.
+- BASH_ENV=/dev/null
+- ENV=/dev/null
+- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+- export CONFIG_SHELL
+- case $- in # ((((
+- *v*x* | *x*v* ) as_opts=-vx ;;
+- *v* ) as_opts=-v ;;
+- *x* ) as_opts=-x ;;
+- * ) as_opts= ;;
+- esac
+- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
++ export CONFIG_SHELL
++ # We cannot yet assume a decent shell, so we have to provide a
++# neutralization value for shells without unset; and this also
++# works around shells that cannot unset nonexistent variables.
++# Preserve -v and -x to the replacement shell.
++BASH_ENV=/dev/null
++ENV=/dev/null
++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
++case $- in # ((((
++ *v*x* | *x*v* ) as_opts=-vx ;;
++ *v* ) as_opts=-v ;;
++ *x* ) as_opts=-x ;;
++ * ) as_opts= ;;
++esac
++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
++# Admittedly, this is quite paranoid, since all the known shells bail
++# out after a failed `exec'.
++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
++exit 255
+ fi
+
+ if test x$as_have_required = xno; then :
+@@ -331,6 +359,14 @@ $as_echo X"$as_dir" |
+
+
+ } # as_fn_mkdir_p
++
++# as_fn_executable_p FILE
++# -----------------------
++# Test if FILE is an executable regular file.
++as_fn_executable_p ()
++{
++ test -f "$1" && test -x "$1"
++} # as_fn_executable_p
+ # as_fn_append VAR VALUE
+ # ----------------------
+ # Append the text in VALUE to the end of the definition contained in VAR. Take
+@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits
+ chmod +x "$as_me.lineno" ||
+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+
++ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
++ # already done that, so ensure we don't try to do so again and fall
++ # in an infinite loop. This has already happened in practice.
++ _as_can_reexec=no; export _as_can_reexec
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+- # In both cases, we have to default to `cp -p'.
++ # In both cases, we have to default to `cp -pR'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ fi
+ else
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ fi
+ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+ rmdir conf$$.dir 2>/dev/null
+@@ -507,28 +547,8 @@ else
+ as_mkdir_p=false
+ fi
+
+-if test -x / >/dev/null 2>&1; then
+- as_test_x='test -x'
+-else
+- if ls -dL / >/dev/null 2>&1; then
+- as_ls_L_option=L
+- else
+- as_ls_L_option=
+- fi
+- as_test_x='
+- eval sh -c '\''
+- if test -d "$1"; then
+- test -d "$1/.";
+- else
+- case $1 in #(
+- -*)set "./$1";;
+- esac;
+- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+- ???[sx]*):;;*)false;;esac;fi
+- '\'' sh
+- '
+-fi
+-as_executable_p=$as_test_x
++as_test_x='test -x'
++as_executable_p=as_fn_executable_p
+
+ # Sed expression to map a string onto a valid CPP name.
+ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+@@ -742,6 +762,7 @@ infodir
+ docdir
+ oldincludedir
+ includedir
++runstatedir
+ localstatedir
+ sharedstatedir
+ sysconfdir
+@@ -841,6 +862,7 @@ datadir='${datarootdir}'
+ sysconfdir='${prefix}/etc'
+ sharedstatedir='${prefix}/com'
+ localstatedir='${prefix}/var'
++runstatedir='${localstatedir}/run'
+ includedir='${prefix}/include'
+ oldincludedir='/usr/include'
+ docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+@@ -1093,6 +1115,15 @@ do
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
++ -runstatedir | --runstatedir | --runstatedi | --runstated \
++ | --runstate | --runstat | --runsta | --runst | --runs \
++ | --run | --ru | --r)
++ ac_prev=runstatedir ;;
++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
++ | --run=* | --ru=* | --r=*)
++ runstatedir=$ac_optarg ;;
++
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+@@ -1230,7 +1261,7 @@ fi
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+- libdir localedir mandir
++ libdir localedir mandir runstatedir
+ do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+@@ -1258,8 +1289,6 @@ target=$target_alias
+ if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
+- If a cross compiler is detected then cross compile mode will be used" >&2
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+@@ -1385,6 +1414,7 @@ Fine tuning of the installation director
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat
+ if $ac_init_version; then
+ cat <<\_ACEOF
+ fetchmail configure 6.3.26
+-generated by GNU Autoconf 2.68
++generated by GNU Autoconf 2.69
+
+-Copyright (C) 2010 Free Software Foundation, Inc.
++Copyright (C) 2012 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+ _ACEOF
+@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+- $as_test_x conftest$ac_exeext
++ test -x conftest$ac_exeext
+ }; then :
+ ac_retval=0
+ else
+@@ -2030,7 +2060,8 @@ int
+ main ()
+ {
+ static int test_array [1 - 2 * !(($2) >= 0)];
+-test_array [0] = 0
++test_array [0] = 0;
++return test_array [0];
+
+ ;
+ return 0;
+@@ -2046,7 +2077,8 @@ int
+ main ()
+ {
+ static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+-test_array [0] = 0
++test_array [0] = 0;
++return test_array [0];
+
+ ;
+ return 0;
+@@ -2072,7 +2104,8 @@ int
+ main ()
+ {
+ static int test_array [1 - 2 * !(($2) < 0)];
+-test_array [0] = 0
++test_array [0] = 0;
++return test_array [0];
+
+ ;
+ return 0;
+@@ -2088,7 +2121,8 @@ int
+ main ()
+ {
+ static int test_array [1 - 2 * !(($2) >= $ac_mid)];
+-test_array [0] = 0
++test_array [0] = 0;
++return test_array [0];
+
+ ;
+ return 0;
+@@ -2122,7 +2156,8 @@ int
+ main ()
+ {
+ static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+-test_array [0] = 0
++test_array [0] = 0;
++return test_array [0];
+
+ ;
+ return 0;
+@@ -2195,7 +2230,7 @@ This file contains any messages produced
+ running configure, to aid debugging if configure makes a mistake.
+
+ It was created by fetchmail $as_me 6.3.26, which was
+-generated by GNU Autoconf 2.68. Invocation command line was
++generated by GNU Autoconf 2.69. Invocation command line was
+
+ $ $0 $@
+
+@@ -2689,7 +2724,7 @@ case $as_dir/ in #((
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
+ if test $ac_prog = install &&
+ grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+@@ -2858,7 +2893,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -2898,7 +2933,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_STRIP="strip"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -2949,7 +2984,7 @@ do
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in mkdir gmkdir; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue
++ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue
+ case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #(
+ 'mkdir (GNU coreutils) '* | \
+ 'mkdir (coreutils) '* | \
+@@ -3002,7 +3037,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_AWK="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3295,7 +3330,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3466,7 +3501,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_AWK="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3512,7 +3547,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3552,7 +3587,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3605,7 +3640,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3646,7 +3681,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+@@ -3704,7 +3739,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -3748,7 +3783,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
+ /* end confdefs.h. */
+ #include <stdarg.h>
+ #include <stdio.h>
+-#include <sys/types.h>
+-#include <sys/stat.h>
++struct stat;
+ /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+ struct buf { int x; };
+ FILE * (*rcsopen) (struct buf *, struct stat *, int);
+@@ -4751,7 +4785,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -4791,7 +4825,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_RANLIB="ranlib"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -4859,7 +4893,7 @@ do
+ for ac_prog in grep ggrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
++ as_fn_executable_p "$ac_path_GREP" || continue
+ # Check for GNU ac_path_GREP and select it if it is found.
+ # Check for GNU $ac_path_GREP
+ case `"$ac_path_GREP" --version 2>&1` in
+@@ -4925,7 +4959,7 @@ do
+ for ac_prog in egrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
++ as_fn_executable_p "$ac_path_EGREP" || continue
+ # Check for GNU ac_path_EGREP and select it if it is found.
+ # Check for GNU $ac_path_EGREP
+ case `"$ac_path_EGREP" --version 2>&1` in
+@@ -5132,8 +5166,8 @@ else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+-# define __EXTENSIONS__ 1
+- $ac_includes_default
++# define __EXTENSIONS__ 1
++ $ac_includes_default
+ int
+ main ()
+ {
+@@ -5513,11 +5547,11 @@ else
+ int
+ main ()
+ {
+-/* FIXME: Include the comments suggested by Paul. */
++
+ #ifndef __cplusplus
+- /* Ultrix mips cc rejects this. */
++ /* Ultrix mips cc rejects this sort of thing. */
+ typedef int charset[2];
+- const charset cs;
++ const charset cs = { 0, 0 };
+ /* SunOS 4.1.1 cc rejects this. */
+ char const *const *pcpcc;
+ char **ppc;
+@@ -5534,8 +5568,9 @@ main ()
+ ++pcpcc;
+ ppc = (char**) pcpcc;
+ pcpcc = (char const *const *) ppc;
+- { /* SCO 3.2v4 cc rejects this. */
+- char *t;
++ { /* SCO 3.2v4 cc rejects this sort of thing. */
++ char tx;
++ char *t = &tx;
+ char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+ *t++ = 0;
+@@ -5551,10 +5586,10 @@ main ()
+ iptr p = 0;
+ ++p;
+ }
+- { /* AIX XL C 1.02.0.0 rejects this saying
++ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying
+ "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+- struct s { int j; const int *ap[3]; };
+- struct s *b; b->j = 5;
++ struct s { int j; const int *ap[3]; } bx;
++ struct s *b = &bx; b->j = 5;
+ }
+ { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+ const int foo = 10;
+@@ -5600,7 +5635,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_LEX="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -5632,7 +5667,8 @@ a { ECHO; }
+ b { REJECT; }
+ c { yymore (); }
+ d { yyless (1); }
+-e { yyless (input () != 0); }
++e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */
++ yyless ((input () != 0)); }
+ f { unput (yytext[0]); }
+ . { BEGIN INITIAL; }
+ %%
+@@ -5792,7 +5828,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_YACC="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -6044,7 +6080,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -8548,7 +8584,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -8590,7 +8626,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -8632,7 +8668,7 @@ do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r
+ fi
+
+ case "$LIBS" in *-lssl*)
+- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include <openssl/ssl.h>
++ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h>
+ "
+-if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then :
++if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then :
+ ac_have_decl=1
+ else
+ ac_have_decl=0
+ fi
+
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl
++#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl
+ _ACEOF
+
+ ;;
+@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+- # In both cases, we have to default to `cp -p'.
++ # In both cases, we have to default to `cp -pR'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ fi
+ else
+- as_ln_s='cp -p'
++ as_ln_s='cp -pR'
+ fi
+ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+ rmdir conf$$.dir 2>/dev/null
+@@ -11403,28 +11439,16 @@ else
+ as_mkdir_p=false
+ fi
+
+-if test -x / >/dev/null 2>&1; then
+- as_test_x='test -x'
+-else
+- if ls -dL / >/dev/null 2>&1; then
+- as_ls_L_option=L
+- else
+- as_ls_L_option=
+- fi
+- as_test_x='
+- eval sh -c '\''
+- if test -d "$1"; then
+- test -d "$1/.";
+- else
+- case $1 in #(
+- -*)set "./$1";;
+- esac;
+- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
+- ???[sx]*):;;*)false;;esac;fi
+- '\'' sh
+- '
+-fi
+-as_executable_p=$as_test_x
++
++# as_fn_executable_p FILE
++# -----------------------
++# Test if FILE is an executable regular file.
++as_fn_executable_p ()
++{
++ test -f "$1" && test -x "$1"
++} # as_fn_executable_p
++as_test_x='test -x'
++as_executable_p=as_fn_executable_p
+
+ # Sed expression to map a string onto a valid CPP name.
+ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
+ # values after options handling.
+ ac_log="
+ This file was extended by fetchmail $as_me 6.3.26, which was
+-generated by GNU Autoconf 2.68. Invocation command line was
++generated by GNU Autoconf 2.69. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ
+ ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ ac_cs_version="\\
+ fetchmail config.status 6.3.26
+-configured by $0, generated by GNU Autoconf 2.68,
++configured by $0, generated by GNU Autoconf 2.69,
+ with options \\"\$ac_cs_config\\"
+
+-Copyright (C) 2010 Free Software Foundation, Inc.
++Copyright (C) 2012 Free Software Foundation, Inc.
+ This config.status script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it."
+
+@@ -11606,7 +11630,7 @@ fi
+ _ACEOF
+ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ if \$ac_cs_recheck; then
+- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
++ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+ shift
+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
+ CONFIG_SHELL='$SHELL'
+--- fetchmail-6.3.26.orig/configure.ac
++++ fetchmail-6.3.26/configure.ac
+@@ -802,7 +802,7 @@ else
+ fi
+
+ case "$LIBS" in *-lssl*)
+- AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
++ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>])
+ ;;
+ esac
+
+--- fetchmail-6.3.26.orig/fetchmail-FAQ.html
++++ fetchmail-6.3.26/fetchmail-FAQ.html
+@@ -667,8 +667,8 @@ because there is not currently a standar
+ also uses this method, so the two will interoperate happily. They
+ better, because this is how Craig gets his mail ;-)</p>
+
+-<p>Finally, you can use <a href="#K5">SSL</a> for complete
+-end-to-end encryption if you have an SSL-enabled mailserver.</p>
++<p>Finally, you can use <a href="#K5">SSL or TLS</a> for complete
++end-to-end encryption if you have a TLS-enabled mailserver.</p>
+
+ <h2><a id="G11" name="G11">G11. Is any special configuration needed
+ to use a dynamic IP address?</a></h2>
+@@ -2120,7 +2120,7 @@ SSL?</a></h2>
+
+ <p>You'll need to have the <a
+ href="http://www.openssl.org/">OpenSSL</a> libraries installed, and they
+-should at least be version 0.9.7.
++should at least be version 0.9.8, with 1.0.1 preferred.
+ Configure with --with-ssl. If you have the OpenSSL libraries
+ installed in commonly-used default locations, this will
+ suffice. If you have them installed in a non-default location,
+@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.</p>
+ <p>Fetchmail binaries built this way support <code>ssl</code>,
+ <code>sslkey</code>, and <code>sslcert</code> options that control
+ SSL encryption, and will automatically use <code>tls</code> if the
+-server offers it. You will need to have an SSL-enabled mailserver to
++server offers it. You will need to have an SSL/TLS-enabled mailserver to
+ use these options. See the manual page for details and some words
+ of care on the limited security provided.</p>
+
+@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s
+ protocol imap username MYUSERNAME password MYPASSWORD
+ </pre>
+
+-<p>You should note that SSL is only secure against a "man-in-the-middle"
+-attack if the client is able to verify that the peer's public key is the
+-correct one, and has not been substituted by an attacker. fetchmail can do
+-this in one of two ways: by verifying the SSL certificate, or by checking
+-the fingerprint of the peer's public key.</p>
++<p>You should note that SSL or TLS are only secure against a
++"man-in-the-middle" attack if the client is able to verify that the
++peer's public key is the correct one, and has not been substituted by an
++attacker. fetchmail can do this in one of two ways: by verifying the SSL
++certificate, or by checking the fingerprint of the peer's public
++key.</p>
+
+-<p>There are three parts to SSL certificate verification: checking that the
++<p>There are three parts to TLS certificate verification: checking that the
+ domain name in the certificate matches the hostname you asked to connect to;
+ checking that the certificate expiry date has not passed; and checking that
+ the certificate has been signed by a known Certificate Authority (CA). This
+@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati
+ time. This can however cause problems if the upstream didn't configure
+ his certificates properly.</p>
+
+-<p>In order to prevent fetchmail from trying TLS (STLS, STARTTLS)
+-negotiation, add this option:</p>
++<p>In order to prevent fetchmail 6.4.0 and newer versions from trying
++STLS or STARTTLS negotiation, add this option:</p>
++<pre>sslproto ''</pre>
++
++<p>In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS)
++negotiation where the above does not work, try this option:</p>
+
+ <pre>sslproto ssl23</pre>
+
+@@ -2876,15 +2881,22 @@ need to say something like '<code>envelo
+
+ <pre>
+ Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
+- by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
+- for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700
++ by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
++ for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700
+ </pre>
+
+-<p>it checks to see if 'iserv.ttns.net' is a DNS alias of your
+-mailserver before accepting 'ksturgeon@fbceg.org' as an envelope
++<p>it checks to see if 'iserv.example.net' is a DNS alias of your
++mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope
+ address. This check might fail if your DNS were misconfigured, or
+-if you were using 'no dns' and had failed to declare iserv.ttns.net
+-as an alias of your server.</p>
++if you were using 'no dns' and had failed to declare iserv.example.net
++as an alias of your server. The typical hint is logging similar to:
++<code>line rejected, iserv.example.net is not an alias of the mailserver</code>,
++if you use fetchmail in verbose mode.</p>
++
++<p><strong>Workaround:</strong> You can specify the alias explicitly, with <code>aka
++ <em>iserv.example.net</em></code> statements in the rcfile. Replace
++<em>iserv.example.net</em> by the name you find in <strong>your</strong>
++'by' part of the 'Received:' line.</p>
+
+ <h2><a id="M8" name="M8">M8. Users are getting multiple copies of
+ messages.</a></h2>
+@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".</p>
+ <h2><a id="X8" name="X8">X8. A spurious ) is being appended to my
+ messages.</a></h2>
+
++<p><em>Fetchmail 6.3.5 and newer releases are supposed to fix this.</em></p>
++
+ <p>Due to the problem described in <a href="#S2">S2</a>, the
+ IMAP support in fetchmail cannot follow the IMAP protocol 100 %.
+ Most of the time it doesn't matter, but if you combine it with an
+@@ -3279,8 +3293,6 @@ it at the end of the message it forwards
+ on, you'll get a message about actual != expected.</li>
+ </ol>
+
+-<p>There is no fix for this.</p>
+-
+ <h2><a id="X9" name="X9">X9. Missing "Content-Transfer-Encoding" header
+ with Domino IMAP</a></h2>
+
+--- fetchmail-6.3.26.orig/fetchmail.c
++++ fetchmail-6.3.26/fetchmail.c
+@@ -54,6 +54,10 @@
+ #define ENETUNREACH 128 /* Interactive doesn't know this */
+ #endif /* ENETUNREACH */
+
++#ifdef SSL_ENABLE
++#include <openssl/ssl.h> /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */
++#endif
++
+ /* prototypes for internal functions */
+ static int load_params(int, char **, int);
+ static void dump_params (struct runctl *runp, struct query *, flag implicit);
+@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) {
+ "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n"
+ " Robert M. Funk, Graham Wilson\n"
+ "Copyright (C) 2005 - 2012 Sunil Shetye\n"
+- "Copyright (C) 2005 - 2013 Matthias Andree\n"
++ "Copyright (C) 2005 - 2015 Matthias Andree\n"
+ ));
+ fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n"
+ "are welcome to redistribute it under certain conditions. For details,\n"
+@@ -262,6 +266,9 @@ int main(int argc, char **argv)
+ #endif /* ODMR_ENABLE */
+ #ifdef SSL_ENABLE
+ "+SSL"
++#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3)
++ "-SSLv3"
++#endif
+ #endif
+ #ifdef OPIE_ENABLE
+ "+OPIE"
+--- fetchmail-6.3.26.orig/fetchmail.h
++++ fetchmail-6.3.26/fetchmail.h
+@@ -771,9 +771,9 @@ int servport(const char *service);
+ int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res);
+ void fm_freeaddrinfo(struct addrinfo *ai);
+
+-/* prototypes from tls.c */
+-int maybe_tls(struct query *ctl);
+-int must_tls(struct query *ctl);
++/* prototypes from starttls.c */
++int maybe_starttls(struct query *ctl);
++int must_starttls(struct query *ctl);
+
+ /* prototype from rfc822valid.c */
+ int rfc822_valid_msgid(const unsigned char *);
+--- fetchmail-6.3.26.orig/fetchmail.man
++++ fetchmail-6.3.26/fetchmail.man
+@@ -412,23 +412,22 @@ from. The folder information is written
+ .B \-\-ssl
+ (Keyword: ssl)
+ .br
+-Causes the connection to the mail server to be encrypted
+-via SSL. Connect to the server using the specified base protocol over a
+-connection secured by SSL. This option defeats opportunistic starttls
+-negotiation. It is highly recommended to use \-\-sslproto 'SSL3'
+-\-\-sslcertck to validate the certificates presented by the server and
+-defeat the obsolete SSLv2 negotiation. More information is available in
+-the \fIREADME.SSL\fP file that ships with fetchmail.
+-.IP
+-Note that fetchmail may still try to negotiate SSL through starttls even
+-if this option is omitted. You can use the \-\-sslproto option to defeat
+-this behavior or tell fetchmail to negotiate a particular SSL protocol.
++Causes the connection to the mail server to be encrypted via SSL, by
++negotiating SSL directly after connecting (SSL-wrapped mode). It is
++highly recommended to use \-\-sslcertck to validate the certificates
++presented by the server. Please see the description of \-\-sslproto
++below! More information is available in the \fIREADME.SSL\fP file that
++ships with fetchmail.
++.IP
++Note that even if this option is omitted, fetchmail may still negotiate
++SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You
++can use the \-\-sslproto option to modify that behavior.
+ .IP
+ If no port is specified, the connection is attempted to the well known
+ port of the SSL version of the base protocol. This is generally a
+ different port than the port used by the base protocol. For IMAP, this
+ is port 143 for the clear protocol and port 993 for the SSL secured
+-protocol, for POP3, it is port 110 for the clear text and port 995 for
++protocol; for POP3, it is port 110 for the clear text and port 995 for
+ the encrypted variant.
+ .IP
+ If your system lacks the corresponding entries from /etc/services, see
+@@ -470,39 +469,73 @@ cause some complications in daemon mode.
+ .IP
+ Also see \-\-sslcert above.
+ .TP
+-.B \-\-sslproto <name>
+-(Keyword: sslproto)
++.B \-\-sslproto <value>
++(Keyword: sslproto, NOTE: semantic changes since v6.4.0)
+ .br
+-Forces an SSL/TLS protocol. Possible values are \fB''\fP,
+-\&'\fBSSL2\fP' (not supported on all systems),
+-\&'\fBSSL23\fP', (use of these two values is discouraged
+-and should only be used as a last resort) \&'\fBSSL3\fP', and
+-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
+-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
+-opportunistically try STARTTLS negotiation with TLS1. You can configure
+-this option explicitly if the default handshake (TLS1 if \-\-ssl is not
+-used) does not work for your server.
+-.IP
+-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS
+-connection. In this mode, it is highly recommended to also use
+-\-\-sslcertck (see below). Note that this will then cause fetchmail
+-v6.3.19 to force STARTTLS negotiation even if it is not advertised by
+-the server.
+-.IP
+-To defeat opportunistic TLSv1 negotiation when the server advertises
+-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This
+-option, even if the argument is the empty string, will also suppress the
+-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose
+-mode. The default is to try appropriate protocols depending on context.
++This option has a dual use, out of historic fetchmail behaviour. It
++controls both the SSL/TLS protocol version and, if \-\-ssl is not
++specified, the STARTTLS behaviour (upgrading the protocol to an SSL or
++TLS connection in-band). Some other options may however make TLS
++mandatory.
++.PP
++Only if this option and \-\-ssl are both missing for a poll, there will
++be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to
++upgrade to TLSv1 or newer.
++.PP
++Recognized values for \-\-sslproto are given below. You should normally
++chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of
++the options ending in a plus (\fB+\fP) character. Note that depending
++on OpenSSL library version and configuration, some options cause
++run-time errors because the requested SSL or TLS versions are not
++supported by the particular installed OpenSSL library.
++.RS
++.IP "\fB''\fP, the empty string"
++Disable STARTTLS. If \-\-ssl is given for the same server, log an error
++and pretend that '\fBauto\fP' had been used instead.
++.IP '\fBauto\fP'
++(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade.
++(fetchmail 6.3.26 and older have auto-negotiated all protocols that
++their OpenSSL library supported, including the broken SSLv3).
++.IP "\&'\fBSSL23\fP'
++see '\fBauto\fP'.
++.IP \&'\fBSSL3\fP'
++Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it
++if possible. This will make fetchmail negotiate SSLv3 only, and is the
++only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
++.IP \&'\fBSSL3+\fP'
++same as '\fBauto\fP', but permit SSLv3 as well. This is the only way
++besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3.
++.IP \&'\fBTLS1\fP'
++Require TLSv1. This does not negotiate TLSv1.1 or newer, and is
++discouraged. Replace by TLS1+ unless the latter chokes your server.
++.IP \&'\fBTLS1+\fP'
++Since v6.4.0. See 'fBauto\fP'.
++.IP \&'\fBTLS1.1\fP'
++Since v6.4.0. Require TLS v1.1 exactly.
++.IP \&'\fBTLS1.1+\fP'
++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer.
++.IP \&'\fBTLS1.2\fP'
++Since v6.4.0. Require TLS v1.2 exactly.
++.IP '\fBTLS1.2+\fP'
++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer.
++.IP "Unrecognized parameters"
++are treated the same as '\fBauto\fP'.
++.RE
++.IP
++NOTE: you should hardly ever need to use anything other than '' (to
++force an unencrypted connection) or 'auto' (to enforce TLS).
+ .TP
+ .B \-\-sslcertck
+ (Keyword: sslcertck)
+ .br
+-Causes fetchmail to strictly check the server certificate against a set of
+-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
+-options). If the server certificate cannot be obtained or is not signed by one
+-of the trusted ones (directly or indirectly), the SSL connection will fail,
+-regardless of the \fBsslfingerprint\fP option.
++Causes fetchmail to require that SSL/TLS be used and disconnect if it
++can not successfully negotiate SSL or TLS, or if it cannot successfully
++verify and validate the certificate and follow it to a trust anchor (or
++trusted root certificate). The trust anchors are given as a set of local
++trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
++options). If the server certificate cannot be obtained or is not signed
++by one of the trusted ones (directly or indirectly), fetchmail will
++disconnect, regardless of the \fBsslfingerprint\fP option.
+ .IP
+ Note that CRL (certificate revocation lists) are only supported in
+ OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
+@@ -1202,31 +1235,33 @@ capability response. Specify a user opti
+ username and the part to the right as the NTLM domain.
+
+ .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS)
++.PP All retrieval protocols can use SSL or TLS wrapping for the
++transport. Additionally, POP3 and IMAP retrival can also negotiate
++SSL/TLS by means of STARTTLS (or STLS).
+ .PP
+ Note that fetchmail currently uses the OpenSSL library, which is
+ severely underdocumented, so failures may occur just because the
+ programmers are not aware of OpenSSL's requirement of the day.
+ For instance, since v6.3.16, fetchmail calls
+ OpenSSL_add_all_algorithms(), which is necessary to support certificates
+-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
+-documentation and not at all obvious. Please do not hesitate to report
+-subtle SSL failures.
+-.PP
+-You can access SSL encrypted services by specifying the \-\-ssl option.
+-You can also do this using the "ssl" user option in the .fetchmailrc
+-file. With SSL encryption enabled, queries are initiated over a
+-connection after negotiating an SSL session, and the connection fails if
+-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
++using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in
++the documentation and not at all obvious. Please do not hesitate to
++report subtle SSL failures.
++.PP
++You can access SSL encrypted services by specifying the options starting
++with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others.
++You can also do this using the corresponding user options in the .fetchmailrc
++file. Some services, such as POP3 and IMAP, have
+ different well known ports defined for the SSL encrypted services. The
+ encrypted ports will be selected automatically when SSL is enabled and
+-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
+-used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
+-the \-\-sslcertck command line or sslcertck run control file option
+-should be used to force strict certificate checking - see below.
++no explicit port is specified. Also, the \-\-sslcertck command line or
++sslcertck run control file option should be used to force strict
++certificate checking - see below.
+ .PP
+ If SSL is not configured, fetchmail will usually opportunistically try to use
+-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS
+-connections use the same port as the unencrypted version of the
++STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and
++defeated by using \-\-sslproto\~''.
++TLS connections use the same port as the unencrypted version of the
+ protocol and negotiate TLS via special command. The \-\-sslcertck
+ command line or sslcertck run control file option should be used to
+ force strict certificate checking - see below.
+--- fetchmail-6.3.26.orig/imap.c
++++ fetchmail-6.3.26/imap.c
+@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct
+ /* apply for connection authorization */
+ {
+ int ok = 0;
++ char *commonname;
++
+ (void)greeting;
+
+ /*
+@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct
+ return(PS_SUCCESS);
+ }
+
+-#ifdef SSL_ENABLE
+- if (maybe_tls(ctl)) {
+- char *commonname;
+-
+- commonname = ctl->server.pollname;
+- if (ctl->server.via)
+- commonname = ctl->server.via;
+- if (ctl->sslcommonname)
+- commonname = ctl->sslcommonname;
++ commonname = ctl->server.pollname;
++ if (ctl->server.via)
++ commonname = ctl->server.via;
++ if (ctl->sslcommonname)
++ commonname = ctl->sslcommonname;
+
+- if (strstr(capabilities, "STARTTLS")
+- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
++#ifdef SSL_ENABLE
++ if (maybe_starttls(ctl)) {
++ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))
++ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
+ {
+- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
+- * protocol that will work with STARTTLS. Don't need to worry
+- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
+- * (see below). */
++ /* Don't need to worry whether TLS is mandatory or
++ * opportunistic unless SSLOpen() fails (see below). */
+ if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
+- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+ ctl->server.pollname, &ctl->remotename)) != -1)
+ {
+@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct
+ {
+ report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
+ }
+- } else if (must_tls(ctl)) {
++ } else if (must_starttls(ctl)) {
+ /* Config required TLS but we couldn't guarantee it, so we must
+ * stop. */
+ set_timeout(0);
+@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct
+ /* Usable. Proceed with authenticating insecurely. */
+ }
+ }
++ } else {
++ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) {
++ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname);
++ }
+ }
+ #endif /* SSL_ENABLE */
+
+--- fetchmail-6.3.26.orig/po/Makevars
++++ fetchmail-6.3.26/po/Makevars
+@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis
+ # This is the list of locale categories, beyond LC_MESSAGES, for which the
+ # message catalogs shall be used. It is usually empty.
+ EXTRA_LOCALE_CATEGORIES =
++
++# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt'
++# context. Possible values are "yes" and "no". Set this to yes if the
++# package uses functions taking also a message context, like pgettext(), or
++# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument.
++USE_MSGCTXT = no
++
++# These options get passed to msgmerge.
++# Useful options are in particular:
++# --previous to keep previous msgids of translated messages,
++# --quiet to reduce the verbosity.
++MSGMERGE_OPTIONS =
+--- fetchmail-6.3.26.orig/pop3.c
++++ fetchmail-6.3.26/pop3.c
+@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct
+ #endif /* OPIE_ENABLE */
+ #ifdef SSL_ENABLE
+ flag connection_may_have_tls_errors = FALSE;
++ char *commonname;
+ #endif /* SSL_ENABLE */
+
+ done_capa = FALSE;
+@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct
+ (ctl->server.authenticate == A_KERBEROS_V5) ||
+ (ctl->server.authenticate == A_OTP) ||
+ (ctl->server.authenticate == A_CRAM_MD5) ||
+- maybe_tls(ctl))
++ maybe_starttls(ctl))
+ {
+ if ((ok = capa_probe(sock)) != PS_SUCCESS)
+ /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
+@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct
+ (ok == PS_SOCKET && !ctl->wehaveauthed))
+ {
+ #ifdef SSL_ENABLE
+- if (must_tls(ctl)) {
++ if (must_starttls(ctl)) {
+ /* fail with mandatory STLS without repoll */
+ report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
+ report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
+ return ok;
+- } else if (maybe_tls(ctl)) {
++ } else if (maybe_starttls(ctl)) {
+ /* defeat opportunistic STLS */
+ xfree(ctl->sslproto);
+ ctl->sslproto = xstrdup("");
+@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct
+ }
+
+ #ifdef SSL_ENABLE
+- if (maybe_tls(ctl)) {
+- char *commonname;
++ commonname = ctl->server.pollname;
++ if (ctl->server.via)
++ commonname = ctl->server.via;
++ if (ctl->sslcommonname)
++ commonname = ctl->sslcommonname;
+
+- commonname = ctl->server.pollname;
+- if (ctl->server.via)
+- commonname = ctl->server.via;
+- if (ctl->sslcommonname)
+- commonname = ctl->sslcommonname;
+-
+- if (has_stls
+- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
++ if (maybe_starttls(ctl)) {
++ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
+ {
+- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
+- * protocol that will work with STARTTLS. Don't need to worry
+- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
+- * (see below). */
++ /* Don't need to worry whether TLS is mandatory or
++ * opportunistic unless SSLOpen() fails (see below). */
+ if (gen_transact(sock, "STLS") == PS_SUCCESS
+- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
+ ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
+ ctl->server.pollname, &ctl->remotename)) != -1)
+ {
+@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct
+ {
+ report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
+ }
+- } else if (must_tls(ctl)) {
++ } else if (must_starttls(ctl)) {
+ /* Config required TLS but we couldn't guarantee it, so we must
+ * stop. */
+ set_timeout(0);
+@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct
+ }
+ }
+ }
+- } /* maybe_tls() */
++ } else { /* maybe_starttls() */
++ if (has_stls && outlevel >= O_VERBOSE) {
++ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname);
++ }
++ } /* maybe_starttls() */
+ #endif /* SSL_ENABLE */
+
+ /*
+--- fetchmail-6.3.26.orig/socket.c
++++ fetchmail-6.3.26/socket.c
+@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char
+ {
+ struct stat randstat;
+ int i;
++ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ long sslopts = SSL_OP_ALL;
++ int ssle_connect = 0;
+
+ SSL_load_error_strings();
+ SSL_library_init();
+@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char
+ /* Make sure a connection referring to an older context is not left */
+ _ssl_context[sock] = NULL;
+ if(myproto) {
+- if(!strcasecmp("ssl2",myproto)) {
+-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+- _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
++ if(!strcasecmp("ssl3",myproto)) {
++#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0)
++ _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
+ #else
+- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
++ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
+ return -1;
+ #endif
+- } else if(!strcasecmp("ssl3",myproto)) {
+- _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
++ } else if(!strcasecmp("ssl3+",myproto)) {
++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
++ myproto = NULL;
+ } else if(!strcasecmp("tls1",myproto)) {
+ _ctx[sock] = SSL_CTX_new(TLSv1_client_method());
+- } else if (!strcasecmp("ssl23",myproto)) {
++ } else if(!strcasecmp("tls1+",myproto)) {
++ myproto = NULL;
++#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION
++ } else if(!strcasecmp("tls1.1",myproto)) {
++ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method());
++ } else if(!strcasecmp("tls1.1+",myproto)) {
++ myproto = NULL;
++ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
++#else
++ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) {
++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n"));
++ return -1;
++#endif
++#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION
++ } else if(!strcasecmp("tls1.2",myproto)) {
++ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method());
++ } else if(!strcasecmp("tls1.2+",myproto)) {
++ myproto = NULL;
++ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
++ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1;
++#else
++ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) {
++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n"));
++ return -1;
++#endif
++ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) {
+ myproto = NULL;
+ } else {
+- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
++ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto);
+ myproto = NULL;
+ }
+ }
+- if(!myproto) {
++ // do not combine into an else { } as myproto may be nulled
++ // above!
++ if (!myproto) {
++ // SSLv23 is a misnomer and will in fact use the best
++ // available protocol, subject to SSL_OP_NO*
++ // constraints.
+ _ctx[sock] = SSL_CTX_new(SSLv23_client_method());
+ }
+ if(_ctx[sock] == NULL) {
+@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char
+ sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ }
+
+- SSL_CTX_set_options(_ctx[sock], sslopts);
++ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions);
+
+ if (certck) {
+ SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
+@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char
+ }
+
+ if (SSL_set_fd(_ssl_context[sock], sock) == 0
+- || SSL_connect(_ssl_context[sock]) < 1) {
++ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) {
++ int e = errno;
++ unsigned long ssle_err_from_queue = ERR_peek_error();
++ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect);
+ ERR_print_errors_fp(stderr);
++ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) {
++ if (0 == ssle_connect) {
++ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n"));
++ } else if (ssle_connect < 0) {
++ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e));
++ }
++ }
+ SSL_free( _ssl_context[sock] );
+ _ssl_context[sock] = NULL;
+ SSL_CTX_free(_ctx[sock]);
+@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char
+ return(-1);
+ }
+
++ if (outlevel >= O_VERBOSE) {
++ SSL_CIPHER const *sc;
++ int bitsmax, bitsused;
++
++ const char *ver;
++
++ ver = SSL_get_version(_ssl_context[sock]);
++
++ sc = SSL_get_current_cipher(_ssl_context[sock]);
++ if (!sc) {
++ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n"));
++ } else {
++ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax);
++ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"),
++ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax);
++ }
++ }
++
+ /* Paranoia: was the callback not called as we expected? */
+ if (!_depth0ck) {
+ report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n"));
+--- /dev/null
++++ fetchmail-6.3.26/starttls.c
+@@ -0,0 +1,37 @@
++/** \file tls.c - collect common TLS functionality
++ * \author Matthias Andree
++ * \date 2006
++ */
++
++#include "fetchmail.h"
++
++#include <string.h>
++
++#ifdef HAVE_STRINGS_H
++#include <strings.h>
++#endif
++
++/** return true if user allowed opportunistic STARTTLS/STLS */
++int maybe_starttls(struct query *ctl) {
++#ifdef SSL_ENABLE
++ /* opportunistic or forced TLS */
++ return (!ctl->sslproto || strlen(ctl->sslproto))
++ && !ctl->use_ssl;
++#else
++ (void)ctl;
++ return 0;
++#endif
++}
++
++/** return true if user requires STARTTLS/STLS, note though that this
++ * code must always use a logical AND with maybe_tls(). */
++int must_starttls(struct query *ctl) {
++#ifdef SSL_ENABLE
++ return maybe_starttls(ctl)
++ && (ctl->sslfingerprint || ctl->sslcertck
++ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
++#else
++ (void)ctl;
++ return 0;
++#endif
++}
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbb509e0303f5ded1cbfc0cc8705f28c"
DEPENDS = "openssl"
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \
+ file://02_remove_SSLv3.patch \
+ "
SRC_URI[md5sum] = "61b66faad044afa26e142bb1791aa2b3"
SRC_URI[sha256sum] = "79b4c54cdbaf02c1a9a691d9948fcb1a77a1591a813e904283a8b614b757e850"
Backport a patch from Debian Signed-off-by: Khem Raj <raj.khem@gmail.com> --- .../fetchmail/fetchmail/02_remove_SSLv3.patch | 1576 +++++++++++++++++ .../fetchmail/fetchmail_6.3.26.bb | 4 +- 2 files changed, 1579 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/fetchmail/fetchmail/02_remove_SSLv3.patch -- 2.18.0 -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel