* Create /starttls as a synonym of /tls. Update the documentation to use

    /starttls instead of /tls. This should cause less confusion in Alpine users
    in the future.

6 files changed, 44 insertions, 39 deletions

diff --git a/imap/docs/naming.txt b/imap/docs/naming.txt
index b0b484a..6c06a9c 100644
--- a/imap/docs/naming.txt
+++ b/imap/docs/naming.txt
@@ -110,13 +110,17 @@ where:
 			 default behavior)
   "/novalidate-cert"	do not validate certificates from TLS/SSL server,
 			 needed if server uses self-signed certificates
-  "/tls"		force use of start-TLS to encrypt the session, and
+  "/starttls"		force use of start-TLS to encrypt the session, and
 			 reject connection to servers that do not support it
+  "/tls1"		force use of TLSv1, fail if not possible.
+  "/tls1_1"		force use of TLSv1.1, fail if not possible.
+  "/tls1_2"		force use of TLSv1.2, fail if not possible.
+  "/tls1_3"		force use of TLSv1.3, fail if not possible.
   "/tls-sslv23"		use the depreciated SSLv23 client when negotiating
 			 TLS to the server.  This is necessary with some
 			 broken servers which (incorrectly) think that TLS
 			 is just another way of doing SSL.
-  "/notls"		do not do start-TLS to encrypt the session, even
+  "/nostarttls"		do not do start-TLS to encrypt the session, even
 			 with servers that support it
   "/readonly"		request read-only mailbox open (IMAP only; ignored
 			 on NNTP, and an error with SMTP and POP3)
diff --git a/imap/src/c-client/imap4r1.c b/imap/src/c-client/imap4r1.c
index 43e5398..a41973b 100644
--- a/imap/src/c-client/imap4r1.c
+++ b/imap/src/c-client/imap4r1.c
@@ -852,7 +852,7 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
     /* IMAP connection open logic is more complex than net_open() normally
      * deals with, because of the simap and rimap hacks.
      * If the session is anonymous, a specific port is given, or if /ssl or
-     * /tls is set, do net_open() since those conditions override everything
+     * /starttls is set, do net_open() since those conditions override everything
      * else.
      */
     if (stream->anonymous || mb.port || mb.sslflag || mb.tlsflag)
@@ -911,7 +911,7 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
 				/* get capabilities now that TLS in effect */
 	if (LOCAL->netstream) imap_capability (stream);
       }
-      else if (mb.tlsflag) {	/* user specified /tls but can't do it */
+      else if (mb.tlsflag) {	/* user specified /starttls but can't do it */
 	mm_log ("Unable to negotiate TLS with this server",ERROR);
 	return NIL;
       }
@@ -975,13 +975,13 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
     if (!((i = net_port (LOCAL->netstream)) & 0xffff0000))
       sprintf (tmp + strlen (tmp),":%lu",i);
     strcat (tmp,"/imap");
-    if (LOCAL->tlsflag) strcat (tmp,"/tls");
+    if (LOCAL->tlsflag) strcat (tmp,"/starttls");
     if (LOCAL->tls1) strcat (tmp,"/tls1");
     if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
     if (LOCAL->tls1_2) strcat (tmp,"/tls1_2");
     if (LOCAL->tls1_3) strcat (tmp,"/tls1_3");
     if (LOCAL->tlssslv23) strcat (tmp,"/tls-sslv23");
-    if (LOCAL->notlsflag) strcat (tmp,"/notls");
+    if (LOCAL->notlsflag) strcat (tmp,"/nostarttls");
     if (LOCAL->sslflag) strcat (tmp,"/ssl");
     if (LOCAL->novalidate) strcat (tmp,"/novalidate-cert");
     if (LOCAL->loser) strcat (tmp,"/loser");
diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c
index e591a52..90020d5 100644
--- a/imap/src/c-client/mail.c
+++ b/imap/src/c-client/mail.c
@@ -847,11 +847,11 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
 	else if (!compare_cstring (s,"secure")) mb->secflag = T;
 	else if (!compare_cstring (s,"norsh")) mb->norsh = T;
 	else if (!compare_cstring (s,"loser")) mb->loser = T;
-	else if (!compare_cstring (s,"tls") && !mb->notlsflag)
+	else if ((!compare_cstring (s,"starttls") || !compare_cstring (s,"tls")) && !mb->notlsflag)
 	  mb->tlsflag = T;
 	else if (!compare_cstring (s,"tls-sslv23") && !mb->notlsflag)
 	  mb->tlssslv23 = mb->tlsflag = T;
-	else if (!compare_cstring (s,"notls") && !mb->tlsflag)
+	else if ((!compare_cstring (s,"notls") || !compare_cstring(s,"nostarttls")) && !mb->tlsflag)
 	  mb->notlsflag = T;
 	else if (!compare_cstring (s,"tryssl"))
 	  mb->trysslflag = mailssldriver? T : NIL;
@@ -1274,7 +1274,7 @@ MAILSTREAM *mail_open (MAILSTREAM *stream,char *name,long options)
 	if (mb.user[0]) sprintf (tmp + strlen (tmp),"/user=%.64s",mb.user);
 	if (mb.dbgflag) strcat (tmp,"/debug");
 	if (mb.secflag) strcat (tmp,"/secure");
-	if (mb.tlsflag) strcat (tmp,"/tls");
+	if (mb.tlsflag) strcat (tmp,"/starttls");
 	if (mb.notlsflag) strcat (tmp,"/notls");
 	if (mb.sslflag) strcat (tmp,"/ssl");
 	if (mb.tls1) strcat (tmp,"/tls1");
diff --git a/imap/src/c-client/nntp.c b/imap/src/c-client/nntp.c
index bce7c63..a46a5bd 100644
--- a/imap/src/c-client/nntp.c
+++ b/imap/src/c-client/nntp.c
@@ -688,9 +688,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
     hostlist[0] = strcpy (tmp,mb.host);
     if (mb.port || nntp_port)
       sprintf (tmp + strlen (tmp),":%lu",mb.port ? mb.port : nntp_port);
-    if (mb.tlsflag) strcat (tmp,"/tls");
+    if (mb.tlsflag) strcat (tmp,"/starttls");
     if (mb.tlssslv23) strcat (tmp,"/tls-sslv23");
-    if (mb.notlsflag) strcat (tmp,"/notls");
+    if (mb.notlsflag) strcat (tmp,"/nostarttls");
     if (mb.sslflag) strcat (tmp,"/ssl");
     if (mb.tls1) strcat (tmp,"/tls1");
     if (mb.tls1_1) strcat (tmp,"/tls1_1");
@@ -761,9 +761,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
   sprintf (tmp,"{%s:%lu/nntp",(long) mail_parameters (NIL,GET_TRUSTDNS,NIL) ?
 	   net_host (nstream->netstream) : mb.host,
 	   net_port (nstream->netstream));
-  if (LOCAL->tlsflag) strcat (tmp,"/tls");
+  if (LOCAL->tlsflag) strcat (tmp,"/starttls");
   if (LOCAL->tlssslv23) strcat (tmp,"/tls-sslv23");
-  if (LOCAL->notlsflag) strcat (tmp,"/notls");
+  if (LOCAL->notlsflag) strcat (tmp,"/nostarttls");
   if (LOCAL->sslflag) strcat (tmp,"/ssl");
   if (LOCAL->tls1) strcat (tmp,"/tls1");
   if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
@@ -1752,7 +1752,7 @@ SENDSTREAM *nntp_open_full (NETDRIVER *dv,char **hostlist,char *service,
       stream = nntp_close (stream);
     }
   }
-  else if (mb.tlsflag) {	/* user specified /tls but can't do it */
+  else if (mb.tlsflag) {	/* user specified /starttls but can't do it */
     mm_log ("Unable to negotiate TLS with this server",ERROR);
     return NIL;
   }
diff --git a/imap/src/c-client/pop3.c b/imap/src/c-client/pop3.c
index 6f69a40..b5b5148 100644
--- a/imap/src/c-client/pop3.c
+++ b/imap/src/c-client/pop3.c
@@ -420,13 +420,13 @@ MAILSTREAM *pop3_open (MAILSTREAM *stream)
 	       (long) mail_parameters (NIL,GET_TRUSTDNS,NIL) ?
 	       net_host (LOCAL->netstream) : mb.host,
 	       net_port (LOCAL->netstream));
-      if (mb.tlsflag) strcat (tmp,"/tls");
+      if (mb.tlsflag) strcat (tmp,"/starttls");
       if (mb.tlssslv23) strcat (tmp,"/tls-sslv23");
       if (mb.tls1) strcat (tmp,"/tls1");
       if (mb.tls1_1) strcat (tmp,"/tls1_1");
       if (mb.tls1_2) strcat (tmp,"/tls1_2");
       if (mb.tls1_3) strcat (tmp,"/tls1_3");
-      if (mb.notlsflag) strcat (tmp,"/notls");
+      if (mb.notlsflag) strcat (tmp,"/nostarttls");
       if (mb.sslflag) strcat (tmp,"/ssl");
       if (mb.novalidate) strcat (tmp,"/novalidate-cert");
       if ((LOCAL->loser = mb.loser) != 0) strcat (tmp,"/loser");
@@ -578,7 +578,7 @@ long pop3_auth (MAILSTREAM *stream,NETMBX *mb,char *pwd,char *usr)
     }
     pop3_capa (stream,flags);	/* get capabilities now that TLS in effect */
   }
-  else if (mb->tlsflag) {	/* user specified /tls but can't do it */
+  else if (mb->tlsflag) {	/* user specified /starttls but can't do it */
     mm_log ("Unable to negotiate TLS with this server",ERROR);
     return NIL;
   }
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 74c97c3..e8145ae 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
 reasonable place to be called from.
 Dummy change to get revision in pine.hlp
 ============= h_revision =================
-Alpine Commit 427 2020-05-13 02:16:31
+Alpine Commit 428 2020-05-14 14:13:20
 ============= h_news =================
 <HTML>
 <HEAD>
@@ -21005,7 +21005,7 @@ An example might be:
 
 </DD>
 
-<DT>TLS</DT>
+<DT>STARTTLS</DT>
 <DD>
 This is a unary parameter indicating communication with the server must 
 take place over a TLS connection. If you use this parameter, Alpine will 
@@ -21024,7 +21024,7 @@ establish a secure connection using STARTTLS.
 considerations when you use this option.
 
 <P>
-<CENTER><SAMP>/tls</SAMP></CENTER>
+<CENTER><SAMP>/starttls</SAMP></CENTER>
 <P>
 
 </DD>
@@ -21277,7 +21277,8 @@ SSL protocols.
 modifier /tls with respect to the names of the encryption protocols, such 
 as TLS 1.2. The meaning of /tls is to start an encrypted connection to a 
 server after an insecure connection has been established, and we will 
-discuss this later in this help text. 
+discuss this later in this help text. The preferred way flag is to use
+/starttls, instead of /tls.
 
 <P>The best way to start an encrypted connection to a server is to use the 
 /ssl modifier. If your provider allows encrypted connections on port 993 
@@ -21294,13 +21295,13 @@ above.
 the port number in case it is different to the ones above.
 
 <P>If your service provider says to use STARTTLS, then you need to use the 
-/tls modifier. If your service provider gives you the option to use SSL or 
+/starttls modifier. If your service provider gives you the option to use SSL or 
 TLS and to use STARTTLS choose the secure port and choose the /ssl 
-modifier. This is because connections using the /tls modifier can be 
+modifier. This is because connections using the /starttls modifier can be 
 attacked and your username and password can be stolen by a hacker. The next
 paragraph describes in short how to do this.
 
-<P> When you use the /tls modifier, Alpine connects insecurely to the 
+<P> When you use the /starttls modifier, Alpine connects insecurely to the 
 remote server. Because the connection is insecure, it is possible that you 
 connect to a different server, which connects you to the real server. This 
 is called &quot;man-in-the-middle&quot; attack, and so your communication 
@@ -22546,11 +22547,11 @@ Normally, when a connection is made to the Smtp-Server Alpine will attempt
 to negotiate a secure (encrypted) session using Transport Layer Security (TLS).
 If that fails then a non-encrypted connection will be attempted instead.
 You may specify that a TLS connection is required if you wish.
-If you append &quot;/tls&quot; to the name then the connection will fail
+If you append &quot;/starttls&quot; to the name then the connection will fail
 instead of falling back to a non-secure connection.
 
 <P>
-<CENTER><SAMP>smtpserver.example.com/tls</SAMP></CENTER>
+<CENTER><SAMP>smtpserver.example.com/starttls</SAMP></CENTER>
 <P>
 
 
@@ -32630,10 +32631,10 @@ terminal being used.
 <H1>FEATURE: <!--#echo var="FEAT_try-alternative-authentication-driver-first"--></H1>
 
 This feature affects how Alpine connects to IMAP servers.
-It's utility has largely been overtaken by events,
+Its utility has largely been overtaken by events,
 but it may still be useful in some circumstances.
 If you only connect to modern IMAP servers that support
-&quot;TLS&quot; you can ignore this feature.
+&quot;STARTTLS&quot; you can ignore this feature.
 
 <P>
 Details:
@@ -32641,22 +32642,22 @@ Details:
 <P>
 By default, Alpine will attempt to connect to an IMAP server on the
 normal IMAP service port (143), and if the server offers &quot;Transport Layer
-Security&quot; (TLS) and Alpine has been compiled with encryption capability,
+Security&quot; (STARTTLS) and Alpine has been compiled with encryption capability,
 then a secure (encrypted) session will be negotiated.
 
 <P>
 With this feature enabled, before connecting on the normal IMAP port, Alpine
 will first attempt to connect to an alternate IMAP service port (993) used
 specifically for encrypted IMAP sessions via the Secure Sockets Layer
-(SSL) method.
+(SSL) or Transport Layer Security (TLS) method.
 If the SSL attempt fails, Alpine will then try the default
 behavior described in the previous paragraph.
 
 <P>
-TLS negotiation on the normal port is preferred, and supersedes the use of
-SSL on port 993, but older servers may not provide TLS support.
+STARTTLS negotiation on the normal port is preferred, and supersedes the use of
+SSL on port 993, but older servers may not provide STARTTLS support.
 This feature may be convenient when accessing IMAP servers that do not support
-TLS, but do support SSL connections on port 993.
+STARTTLS, but do support SSL or TLS connections on port 993.
 However, it is important to understand that with this feature enabled,
 Alpine will <EM>attempt</EM> to make a secure connection if that is possible,
 but it will proceed to make an insecure connection if that is the only
@@ -32671,14 +32672,14 @@ This feature interacts with some of
 the possible host/folder path specification flags as follows:
 
 <P>
-The <SAMP>/tls</SAMP> host flag, for example,
+The <SAMP>/starttls</SAMP> host flag, for example,
 
 <P>
-<CENTER><SAMP>{foo.example.com/tls}INBOX</SAMP></CENTER>
+<CENTER><SAMP>{foo.example.com/starttls}INBOX</SAMP></CENTER>
 <P>
 will over-ride this feature for the specified host by bypassing the
-SSL connection attempt.
-Moreover, with <SAMP>/tls</SAMP> specified,
+SSL or TLS connection attempt.
+Moreover, with <SAMP>/starttls</SAMP> specified,
 the connection attempt will fail if the
 service on port 143 does not offer TLS support.
 
@@ -32688,8 +32689,8 @@ The <SAMP>/ssl</SAMP> host flag, for example,
 <P>
 <CENTER><SAMP>{foo.example.com/ssl}INBOX</SAMP></CENTER>
 <P>
-will insist on an SSL connection for the specified host,
-and will fail if the SSL service on port 993 is not available.
+will insist on an SSL or TLS connection for the specified host,
+and will fail if the SSL or TLS service on port 993 is not available.
 Alpine will not subsequently retry a connection
 on port 143 if <SAMP>/ssl</SAMP> is specified.