Bug 1234853

Summary: fetchmail man page has confusing text for --sslproto
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Wadeley <swadeley>
Component: fetchmailAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.6CC: mprpic, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1273016 (view as bug list) Environment:
Last Closed: 2017-12-06 11:04:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
proposed fix none

Description Stephen Wadeley 2015-06-23 11:47:07 UTC 
Description of problem:

This text appears to have been incorrectly edited and is now confusing:

--sslproto <name>
              (Keyword: sslproto)
              Forces  an  SSL/TLS  protocol.  Possible  values are ’’, ’SSL2’,
              ’SSL23’, (use of these two values is discouraged and should only
              be  used  as  a  last  resort)  ’SSL3’, and ’TLS1’.  The default
              behaviour if this option is unset is:  for  connections  without
              --ssl,  use  ’TLS1’  that  fetchmail  will opportunistically try
              STARTTLS negotiation with TLS1. You can  configure  this  option
              explicitly  if the default handshake (TLS1 if --ssl is not used,
              does not work for your server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. man fetchmail
2. /sslproto

Actual results:
as above

Expected results:
as per Fedora 22:

  --sslproto <name>
 (Keyword: sslproto)
  Forces an SSL/TLS protocol. Possible values are '', 'SSL2' (not supported on all systems), 'SSL23', (use of these two  values  is  discouraged and should only be used as a last resort) 'SSL3', and 'TLS1'. The default behaviour if this option is unset is: for connections without --ssl, use 'TLS1' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure this option explicitly if the default handshake (TLS1 if --ssl is not used) does not work for your server.


Additional info:

The words "use 'TLS1' so that" string is not very clear as some might think they have to use it, rather than "will be used" which seems to be what the author meant. If that part was omitted, would that be clearer? i.e.: The default behaviour if this option is unset is: for connections without --ssl, fetchmail will opportunistically try STARTTLS negotiation with TLS1.

Or:
for connections without --ssl, use 'TLS1'. This causes fetchmail to opportunistically try STARTTLS negotiation with TLS1.


Thank you
Comment 1 Tomas Mraz 2015-07-07 08:04:55 UTC 
Unfortunately using 'sslproto tls1' disables support for TLSv1.1 and TLSv1.2. That is a problem.
Comment 2 Vitezslav Crhonek 2015-10-19 12:01:59 UTC 
Created attachment 1084371 [details]
proposed fix

Fixing the man page isn't enough, see comment #1. There's no way to disable SSLv3 and not to disable TLSv1.1+ together.

I backported recent upstream changes related to SSL and updated various parts of documentation (man page, README.SSL and NEWS).

--sslproto with this patch will support:
'', auto, ssl23, ssl2, ssl3, ssl3+, tls1, tls1+, tls1.1, tls1.1+, tls1.2 and tls1.2+.

All except ssl23 are intuitive to use. (Empty value is used to disable SSL at all.) auto/ssl23 are default values, fetchmail will use TLSv1 protocol or better in that case (this means it's pretty well backwards compatible for most configurations, the only difference should be that SSLv3 is disabled by default and if it's really needed, ssl3 or ssl3+ should be passed to fetchmail in --sslproto).
Comment 3 Vitezslav Crhonek 2015-10-19 12:05:52 UTC 
*** Bug 1269888 has been marked as a duplicate of this bug. ***
Comment 6 Jan Kurik 2017-12-06 11:04:27 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/