Commit 650519f8 authored by Matthias Andree

STARTTLS enforcement for sslproto != "tls1".

Fetchmail < 6.4.2 used to only consider --sslproto=TLS1 as "mandatory
STARTTLS" unless sslcertck or sslfingerprint were given, now all
protocol versions will require STARTTLS.

This did not matter in the default install because sslcertck defaults
to on, but could permit fetchmail to continue with unencrypted
connections if --nosslcertck was in use.
parent c2d2c447
......@@ -29,7 +29,7 @@ int must_starttls(struct query *ctl) {
#ifdef SSL_ENABLE
return maybe_starttls(ctl)
&& (ctl->sslfingerprint || ctl->sslcertck
|| (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
|| (ctl->sslproto && ctl->sslproto[0]));
#else
(void)ctl;
return 0;
......
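Review bot: The new last clause, `(ctl->sslproto && ctl->sslproto[0])`, makes STARTTLS mandatory for any non-empty sslproto string, but with sslcertck off and no sslfingerprint a NULL or empty sslproto still makes must_starttls() return 0, and nothing in the hunk says whether that remaining case is intentional. Please add a comment above the return stating which sslproto values leave STARTTLS optional, so the next reader does not have to infer it from the commit message. The test also accepts any non-empty string rather than a known protocol name, so it is worth confirming that sslproto is validated before this function is reached; otherwise a mistyped value is treated as "mandatory" here while its handling elsewhere is not visible in this change.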