summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEduardo Chappa <chappa@washington.edu>2020-05-14 14:13:40 -0600
committerEduardo Chappa <chappa@washington.edu>2020-05-14 14:13:40 -0600
commit1e6b822f3fa5bc17ceb94850c15bef643dda393d (patch)
tree67729a4fbd11d9734ae9ad911509782e0d4de6fd
parent00c4ef9e0d4bc4d1ea210e7a0d31494b4116bb4a (diff)
downloadalpine-1e6b822f3fa5bc17ceb94850c15bef643dda393d.tar.xz
* Create /starttls as a synonym of /tls. Update the documentation to use
/starttls instead of /tls. This should cause less confusion in Alpine users in the future.
-rw-r--r--imap/docs/naming.txt8
-rw-r--r--imap/src/c-client/imap4r1.c8
-rw-r--r--imap/src/c-client/mail.c6
-rw-r--r--imap/src/c-client/nntp.c10
-rw-r--r--imap/src/c-client/pop3.c6
-rw-r--r--pith/pine.hlp45
6 files changed, 44 insertions, 39 deletions
diff --git a/imap/docs/naming.txt b/imap/docs/naming.txt
index b0b484ae..6c06a9c1 100644
--- a/imap/docs/naming.txt
+++ b/imap/docs/naming.txt
@@ -110,13 +110,17 @@ where:
default behavior)
"/novalidate-cert" do not validate certificates from TLS/SSL server,
needed if server uses self-signed certificates
- "/tls" force use of start-TLS to encrypt the session, and
+ "/starttls" force use of start-TLS to encrypt the session, and
reject connection to servers that do not support it
+ "/tls1" force use of TLSv1, fail if not possible.
+ "/tls1_1" force use of TLSv1.1, fail if not possible.
+ "/tls1_2" force use of TLSv1.2, fail if not possible.
+ "/tls1_3" force use of TLSv1.3, fail if not possible.
"/tls-sslv23" use the depreciated SSLv23 client when negotiating
TLS to the server. This is necessary with some
broken servers which (incorrectly) think that TLS
is just another way of doing SSL.
- "/notls" do not do start-TLS to encrypt the session, even
+ "/nostarttls" do not do start-TLS to encrypt the session, even
with servers that support it
"/readonly" request read-only mailbox open (IMAP only; ignored
on NNTP, and an error with SMTP and POP3)
diff --git a/imap/src/c-client/imap4r1.c b/imap/src/c-client/imap4r1.c
index 43e5398b..a41973b5 100644
--- a/imap/src/c-client/imap4r1.c
+++ b/imap/src/c-client/imap4r1.c
@@ -852,7 +852,7 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
/* IMAP connection open logic is more complex than net_open() normally
* deals with, because of the simap and rimap hacks.
* If the session is anonymous, a specific port is given, or if /ssl or
- * /tls is set, do net_open() since those conditions override everything
+ * /starttls is set, do net_open() since those conditions override everything
* else.
*/
if (stream->anonymous || mb.port || mb.sslflag || mb.tlsflag)
@@ -911,7 +911,7 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
/* get capabilities now that TLS in effect */
if (LOCAL->netstream) imap_capability (stream);
}
- else if (mb.tlsflag) { /* user specified /tls but can't do it */
+ else if (mb.tlsflag) { /* user specified /starttls but can't do it */
mm_log ("Unable to negotiate TLS with this server",ERROR);
return NIL;
}
@@ -975,13 +975,13 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
if (!((i = net_port (LOCAL->netstream)) & 0xffff0000))
sprintf (tmp + strlen (tmp),":%lu",i);
strcat (tmp,"/imap");
- if (LOCAL->tlsflag) strcat (tmp,"/tls");
+ if (LOCAL->tlsflag) strcat (tmp,"/starttls");
if (LOCAL->tls1) strcat (tmp,"/tls1");
if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
if (LOCAL->tls1_2) strcat (tmp,"/tls1_2");
if (LOCAL->tls1_3) strcat (tmp,"/tls1_3");
if (LOCAL->tlssslv23) strcat (tmp,"/tls-sslv23");
- if (LOCAL->notlsflag) strcat (tmp,"/notls");
+ if (LOCAL->notlsflag) strcat (tmp,"/nostarttls");
if (LOCAL->sslflag) strcat (tmp,"/ssl");
if (LOCAL->novalidate) strcat (tmp,"/novalidate-cert");
if (LOCAL->loser) strcat (tmp,"/loser");
diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c
index e591a521..90020d5d 100644
--- a/imap/src/c-client/mail.c
+++ b/imap/src/c-client/mail.c
@@ -847,11 +847,11 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
else if (!compare_cstring (s,"secure")) mb->secflag = T;
else if (!compare_cstring (s,"norsh")) mb->norsh = T;
else if (!compare_cstring (s,"loser")) mb->loser = T;
- else if (!compare_cstring (s,"tls") && !mb->notlsflag)
+ else if ((!compare_cstring (s,"starttls") || !compare_cstring (s,"tls")) && !mb->notlsflag)
mb->tlsflag = T;
else if (!compare_cstring (s,"tls-sslv23") && !mb->notlsflag)
mb->tlssslv23 = mb->tlsflag = T;
- else if (!compare_cstring (s,"notls") && !mb->tlsflag)
+ else if ((!compare_cstring (s,"notls") || !compare_cstring(s,"nostarttls")) && !mb->tlsflag)
mb->notlsflag = T;
else if (!compare_cstring (s,"tryssl"))
mb->trysslflag = mailssldriver? T : NIL;
@@ -1274,7 +1274,7 @@ MAILSTREAM *mail_open (MAILSTREAM *stream,char *name,long options)
if (mb.user[0]) sprintf (tmp + strlen (tmp),"/user=%.64s",mb.user);
if (mb.dbgflag) strcat (tmp,"/debug");
if (mb.secflag) strcat (tmp,"/secure");
- if (mb.tlsflag) strcat (tmp,"/tls");
+ if (mb.tlsflag) strcat (tmp,"/starttls");
if (mb.notlsflag) strcat (tmp,"/notls");
if (mb.sslflag) strcat (tmp,"/ssl");
if (mb.tls1) strcat (tmp,"/tls1");
diff --git a/imap/src/c-client/nntp.c b/imap/src/c-client/nntp.c
index bce7c636..a46a5bd6 100644
--- a/imap/src/c-client/nntp.c
+++ b/imap/src/c-client/nntp.c
@@ -688,9 +688,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
hostlist[0] = strcpy (tmp,mb.host);
if (mb.port || nntp_port)
sprintf (tmp + strlen (tmp),":%lu",mb.port ? mb.port : nntp_port);
- if (mb.tlsflag) strcat (tmp,"/tls");
+ if (mb.tlsflag) strcat (tmp,"/starttls");
if (mb.tlssslv23) strcat (tmp,"/tls-sslv23");
- if (mb.notlsflag) strcat (tmp,"/notls");
+ if (mb.notlsflag) strcat (tmp,"/nostarttls");
if (mb.sslflag) strcat (tmp,"/ssl");
if (mb.tls1) strcat (tmp,"/tls1");
if (mb.tls1_1) strcat (tmp,"/tls1_1");
@@ -761,9 +761,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
sprintf (tmp,"{%s:%lu/nntp",(long) mail_parameters (NIL,GET_TRUSTDNS,NIL) ?
net_host (nstream->netstream) : mb.host,
net_port (nstream->netstream));
- if (LOCAL->tlsflag) strcat (tmp,"/tls");
+ if (LOCAL->tlsflag) strcat (tmp,"/starttls");
if (LOCAL->tlssslv23) strcat (tmp,"/tls-sslv23");
- if (LOCAL->notlsflag) strcat (tmp,"/notls");
+ if (LOCAL->notlsflag) strcat (tmp,"/nostarttls");
if (LOCAL->sslflag) strcat (tmp,"/ssl");
if (LOCAL->tls1) strcat (tmp,"/tls1");
if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
@@ -1752,7 +1752,7 @@ SENDSTREAM *nntp_open_full (NETDRIVER *dv,char **hostlist,char *service,
stream = nntp_close (stream);
}
}
- else if (mb.tlsflag) { /* user specified /tls but can't do it */
+ else if (mb.tlsflag) { /* user specified /starttls but can't do it */
mm_log ("Unable to negotiate TLS with this server",ERROR);
return NIL;
}
diff --git a/imap/src/c-client/pop3.c b/imap/src/c-client/pop3.c
index 6f69a400..b5b51486 100644
--- a/imap/src/c-client/pop3.c
+++ b/imap/src/c-client/pop3.c
@@ -420,13 +420,13 @@ MAILSTREAM *pop3_open (MAILSTREAM *stream)
(long) mail_parameters (NIL,GET_TRUSTDNS,NIL) ?
net_host (LOCAL->netstream) : mb.host,
net_port (LOCAL->netstream));
- if (mb.tlsflag) strcat (tmp,"/tls");
+ if (mb.tlsflag) strcat (tmp,"/starttls");
if (mb.tlssslv23) strcat (tmp,"/tls-sslv23");
if (mb.tls1) strcat (tmp,"/tls1");
if (mb.tls1_1) strcat (tmp,"/tls1_1");
if (mb.tls1_2) strcat (tmp,"/tls1_2");
if (mb.tls1_3) strcat (tmp,"/tls1_3");
- if (mb.notlsflag) strcat (tmp,"/notls");
+ if (mb.notlsflag) strcat (tmp,"/nostarttls");
if (mb.sslflag) strcat (tmp,"/ssl");
if (mb.novalidate) strcat (tmp,"/novalidate-cert");
if ((LOCAL->loser = mb.loser) != 0) strcat (tmp,"/loser");
@@ -578,7 +578,7 @@ long pop3_auth (MAILSTREAM *stream,NETMBX *mb,char *pwd,char *usr)
}
pop3_capa (stream,flags); /* get capabilities now that TLS in effect */
}
- else if (mb->tlsflag) { /* user specified /tls but can't do it */
+ else if (mb->tlsflag) { /* user specified /starttls but can't do it */
mm_log ("Unable to negotiate TLS with this server",ERROR);
return NIL;
}
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 74c97c31..e8145ae6 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 427 2020-05-13 02:16:31
+Alpine Commit 428 2020-05-14 14:13:20
============= h_news =================
<HTML>
<HEAD>
@@ -21005,7 +21005,7 @@ An example might be:
</DD>
-<DT>TLS</DT>
+<DT>STARTTLS</DT>
<DD>
This is a unary parameter indicating communication with the server must
take place over a TLS connection. If you use this parameter, Alpine will
@@ -21024,7 +21024,7 @@ establish a secure connection using STARTTLS.
considerations when you use this option.
<P>
-<CENTER><SAMP>/tls</SAMP></CENTER>
+<CENTER><SAMP>/starttls</SAMP></CENTER>
<P>
</DD>
@@ -21277,7 +21277,8 @@ SSL protocols.
modifier /tls with respect to the names of the encryption protocols, such
as TLS 1.2. The meaning of /tls is to start an encrypted connection to a
server after an insecure connection has been established, and we will
-discuss this later in this help text.
+discuss this later in this help text. The preferred way flag is to use
+/starttls, instead of /tls.
<P>The best way to start an encrypted connection to a server is to use the
/ssl modifier. If your provider allows encrypted connections on port 993
@@ -21294,13 +21295,13 @@ above.
the port number in case it is different to the ones above.
<P>If your service provider says to use STARTTLS, then you need to use the
-/tls modifier. If your service provider gives you the option to use SSL or
+/starttls modifier. If your service provider gives you the option to use SSL or
TLS and to use STARTTLS choose the secure port and choose the /ssl
-modifier. This is because connections using the /tls modifier can be
+modifier. This is because connections using the /starttls modifier can be
attacked and your username and password can be stolen by a hacker. The next
paragraph describes in short how to do this.
-<P> When you use the /tls modifier, Alpine connects insecurely to the
+<P> When you use the /starttls modifier, Alpine connects insecurely to the
remote server. Because the connection is insecure, it is possible that you
connect to a different server, which connects you to the real server. This
is called &quot;man-in-the-middle&quot; attack, and so your communication
@@ -22546,11 +22547,11 @@ Normally, when a connection is made to the Smtp-Server Alpine will attempt
to negotiate a secure (encrypted) session using Transport Layer Security (TLS).
If that fails then a non-encrypted connection will be attempted instead.
You may specify that a TLS connection is required if you wish.
-If you append &quot;/tls&quot; to the name then the connection will fail
+If you append &quot;/starttls&quot; to the name then the connection will fail
instead of falling back to a non-secure connection.
<P>
-<CENTER><SAMP>smtpserver.example.com/tls</SAMP></CENTER>
+<CENTER><SAMP>smtpserver.example.com/starttls</SAMP></CENTER>
<P>
@@ -32630,10 +32631,10 @@ terminal being used.
<H1>FEATURE: <!--#echo var="FEAT_try-alternative-authentication-driver-first"--></H1>
This feature affects how Alpine connects to IMAP servers.
-It's utility has largely been overtaken by events,
+Its utility has largely been overtaken by events,
but it may still be useful in some circumstances.
If you only connect to modern IMAP servers that support
-&quot;TLS&quot; you can ignore this feature.
+&quot;STARTTLS&quot; you can ignore this feature.
<P>
Details:
@@ -32641,22 +32642,22 @@ Details:
<P>
By default, Alpine will attempt to connect to an IMAP server on the
normal IMAP service port (143), and if the server offers &quot;Transport Layer
-Security&quot; (TLS) and Alpine has been compiled with encryption capability,
+Security&quot; (STARTTLS) and Alpine has been compiled with encryption capability,
then a secure (encrypted) session will be negotiated.
<P>
With this feature enabled, before connecting on the normal IMAP port, Alpine
will first attempt to connect to an alternate IMAP service port (993) used
specifically for encrypted IMAP sessions via the Secure Sockets Layer
-(SSL) method.
+(SSL) or Transport Layer Security (TLS) method.
If the SSL attempt fails, Alpine will then try the default
behavior described in the previous paragraph.
<P>
-TLS negotiation on the normal port is preferred, and supersedes the use of
-SSL on port 993, but older servers may not provide TLS support.
+STARTTLS negotiation on the normal port is preferred, and supersedes the use of
+SSL on port 993, but older servers may not provide STARTTLS support.
This feature may be convenient when accessing IMAP servers that do not support
-TLS, but do support SSL connections on port 993.
+STARTTLS, but do support SSL or TLS connections on port 993.
However, it is important to understand that with this feature enabled,
Alpine will <EM>attempt</EM> to make a secure connection if that is possible,
but it will proceed to make an insecure connection if that is the only
@@ -32671,14 +32672,14 @@ This feature interacts with some of
the possible host/folder path specification flags as follows:
<P>
-The <SAMP>/tls</SAMP> host flag, for example,
+The <SAMP>/starttls</SAMP> host flag, for example,
<P>
-<CENTER><SAMP>{foo.example.com/tls}INBOX</SAMP></CENTER>
+<CENTER><SAMP>{foo.example.com/starttls}INBOX</SAMP></CENTER>
<P>
will over-ride this feature for the specified host by bypassing the
-SSL connection attempt.
-Moreover, with <SAMP>/tls</SAMP> specified,
+SSL or TLS connection attempt.
+Moreover, with <SAMP>/starttls</SAMP> specified,
the connection attempt will fail if the
service on port 143 does not offer TLS support.
@@ -32688,8 +32689,8 @@ The <SAMP>/ssl</SAMP> host flag, for example,
<P>
<CENTER><SAMP>{foo.example.com/ssl}INBOX</SAMP></CENTER>
<P>
-will insist on an SSL connection for the specified host,
-and will fail if the SSL service on port 993 is not available.
+will insist on an SSL or TLS connection for the specified host,
+and will fail if the SSL or TLS service on port 993 is not available.
Alpine will not subsequently retry a connection
on port 143 if <SAMP>/ssl</SAMP> is specified.