RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1234853 - fetchmail man page has confusing text for --sslproto
Summary: fetchmail man page has confusing text for --sslproto
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: fetchmail
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Vitezslav Crhonek
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
: 1269888 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-23 11:47 UTC by Stephen Wadeley
Modified: 2017-12-06 11:04 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1273016 (view as bug list)
Environment:
Last Closed: 2017-12-06 11:04:27 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
proposed fix (27.82 KB, patch)
2015-10-19 12:01 UTC, Vitezslav Crhonek 		no flags Details | Diff
View All

Description Stephen Wadeley 2015-06-23 11:47:07 UTC 
Description of problem:

This text appears to have been incorrectly edited and is now confusing:

--sslproto <name>
              (Keyword: sslproto)
              Forces  an  SSL/TLS  protocol.  Possible  values are ’’, ’SSL2’,
              ’SSL23’, (use of these two values is discouraged and should only
              be  used  as  a  last  resort)  ’SSL3’, and ’TLS1’.  The default
              behaviour if this option is unset is:  for  connections  without
              --ssl,  use  ’TLS1’  that  fetchmail  will opportunistically try
              STARTTLS negotiation with TLS1. You can  configure  this  option
              explicitly  if the default handshake (TLS1 if --ssl is not used,
              does not work for your server.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. man fetchmail
2. /sslproto

Actual results:
as above

Expected results:
as per Fedora 22:

  --sslproto <name>
 (Keyword: sslproto)
  Forces an SSL/TLS protocol. Possible values are '', 'SSL2' (not supported on all systems), 'SSL23', (use of these two  values  is  discouraged and should only be used as a last resort) 'SSL3', and 'TLS1'. The default behaviour if this option is unset is: for connections without --ssl, use 'TLS1' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure this option explicitly if the default handshake (TLS1 if --ssl is not used) does not work for your server.


Additional info:

The words "use 'TLS1' so that" string is not very clear as some might think they have to use it, rather than "will be used" which seems to be what the author meant. If that part was omitted, would that be clearer? i.e.: The default behaviour if this option is unset is: for connections without --ssl, fetchmail will opportunistically try STARTTLS negotiation with TLS1.

Or:
for connections without --ssl, use 'TLS1'. This causes fetchmail to opportunistically try STARTTLS negotiation with TLS1.


Thank you
Comment 1 Tomas Mraz 2015-07-07 08:04:55 UTC 
Unfortunately using 'sslproto tls1' disables support for TLSv1.1 and TLSv1.2. That is a problem.
Comment 2 Vitezslav Crhonek 2015-10-19 12:01:59 UTC 
Created attachment 1084371 [details]
proposed fix

Fixing the man page isn't enough, see comment #1. There's no way to disable SSLv3 and not to disable TLSv1.1+ together.

I backported recent upstream changes related to SSL and updated various parts of documentation (man page, README.SSL and NEWS).

--sslproto with this patch will support:
'', auto, ssl23, ssl2, ssl3, ssl3+, tls1, tls1+, tls1.1, tls1.1+, tls1.2 and tls1.2+.

All except ssl23 are intuitive to use. (Empty value is used to disable SSL at all.) auto/ssl23 are default values, fetchmail will use TLSv1 protocol or better in that case (this means it's pretty well backwards compatible for most configurations, the only difference should be that SSLv3 is disabled by default and if it's really needed, ssl3 or ssl3+ should be passed to fetchmail in --sslproto).
Comment 3 Vitezslav Crhonek 2015-10-19 12:05:52 UTC 
*** Bug 1269888 has been marked as a duplicate of this bug. ***
Comment 6 Jan Kurik 2017-12-06 11:04:27 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
Note You need to log in before you can comment on or make changes to this bug.