From: Matthias A. <mat...@gm...> - 2021-12-10 21:12:02
On 10.12.21 at 20:59, Gene Heskett wrote:
> This reminds me of the compuserve debacle over gif, so we invented png.
> It's about time a new ssl was written?

Gene, that was quick...

Several years ago I was exploring alternatives, because OpenSSL at the time was massively lacking in instructive and reference documentation, but alternative libraries would have meant rewriting fetchmail's code massively. However, many other libraries were slow to adopt new protocol standards (some still do not offer TLS 1.3), or were big-footprint and likewise difficult with documentation at the time.

Then, in the wake of the Heartbleed bug [1][2], LibreSSL was forked off of OpenSSL, and OpenSSL extended their development resources, and has shaped up nicely. About 1.1.0 I have largely forgotten, yet OpenSSL 1.1.1 to me from the client application programmer's perspective seems more mature, and OpenSSL 3.0 appears likewise mature; there were only a few minute changes required to make fetchmail play nice with OpenSSL 3.0.

LibreSSL is a different story. It makes a mess of the version numbers, does not fully render the OpenSSL API, and it has its quirks. For fetchmail it is by and large a no-go license-wise anyways; unless the operating system ships it (I only know of OpenBSD that does - a separate package that gets installed later does not fit the bill), it is infeasible.

wolfSSL 5.0.0 was an experiment - it was a library proposing an OpenSSL-compatible API wrapper and GNU General Public License; it was one Saturday to get the adaptations done, issues reported, and a few more evening hours of polishing the configure.ac file. There is one quirk we are working out and that fetchmail is working around already, but I do not know how robust it would be for future wolfSSL versions.

So, with OpenSSL 3.0 out, and 1.1.1 also a quite reasonable implementation, I do not feel a strong urge to switch.

3.0 no longer requires the advertising, and its Apache license is compatible with the GNU GPL v3, so with OpenSSL having matured and wolfSSL as an alternative also under alternative license.

[1] https://heartbleed.com/
[2] https://en.wikipedia.org/wiki/Heartbleed