From: Matthias A. <mat...@gm...> - 2022-03-27 20:07:10
On 27.03.22 at 16:54, Dennis Putnam wrote:
> On 3/27/2022 7:42 AM, Matthias Andree wrote:
>> On 26.03.22 at 21:20, Dennis Putnam wrote:
>>> It appears Fetchmail 7 requires TLS 1.3. I am running CentOS 7 and the
>>> support folks tell me that RedHat does not intend to add TLS 1.3 to
>>> CentOS. I wonder if it will be added to RHEL? Anyway, that means I am
>>> stuck using Fetchmail 6 for the foreseeable future. Before I go to the
>>> trouble, do the OAUTH2 patches for Fetchmail 6 also require TLS 1.3?
>>> TIA.
>>>
>> Dennis,
>>
>> that's a bit of a letdown although I understand that in a stable CentOS
>> 7 series they don't want major changes, and TLS v1.3 in itself is one,
>> so you are stuck between a rock and a hard place... but you can work
>> yourself out of this.
>>
>> You can install the latest OpenSSL 3.0.x to a separate directory,
>> WARNING UNTESTED because I do not have CentOS 7,
>> but somewhere along the lines of but maybe needs tweaking:
>> unpack OpenSSL 3.0.x, then
>> ./config --prefix=/opt/openssl3 --openssldir=/usr/lib64
>> -Wl,-rpath=/opt/openssl3/lib
>> -- and then point your fetchmail 7 alpha build there to use it, with
>> ./configure --with-ssl=/opt/openssl3
>>
>> The additional burden on you will then be to watch future OpenSSL 3.0.x
>> releases and upgrade your /opt/openssl3 should security fixes become
>> necessary in some future OpenSSL version, so take notes of what worked
>> for you if you had to tweak things.
>>
>> Hope that helps.
>> Matthias
>>
>
> Hi Matthias,
>
> Thanks for that. So if I understand, it is the need for openssl 3 that
> is the roadblock not the OS itself.

My proposal was to install the latest stable OpenSSL into a separate place and tell fetchmail where to find it so you do not disturb your OS's installation in places that other applications would rely on.
You are trying to unite two separate worlds, the minimally-changing venerable long-term-support CentOS 7 for stability, and on the other hand you are trying the future still-under-development fetchmail - that brings the need to update/install requisites.

Answering the earlier question of yours that I missed earlier on: I don't know what shape the fetchmail 6.x patches are in and I won't care. OAuth2 is a fetchmail 7 feature, if it will make the release.

Fetchmail 6.4.x is the last minor series to support OpenSSL 1.0.2. Fetchmail 6.5 will also require TLSv1.3.

It makes no sense for me to let a future fetchmail version carry compatibility code for working with EOL requisite packages such as OpenSSL 1.0.2whatever that will never be packaged by any distributor along with a fetchmail 6.5 or 7.0 version, so I have removed that OpenSSL 1.0.x stuff, and that is increasingly burdensome to test and support.
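
Added example (not part of the original message and not fetchmail project code): once fetchmail has been built against a private OpenSSL prefix as described in the thread, this checks from `ldd` output that libssl and libcrypto resolve inside that prefix instead of falling back to the distribution's copies. The sample `ldd` lines are constructed, and the function name `check_ssl_linkage` and the fetchmail install path are assumptions.

```shell
#!/bin/sh
# Added example. Reads `ldd` output on stdin and succeeds only if both libssl
# and libcrypto resolve inside the private OpenSSL prefix given as $1.
# check_ssl_linkage is a hypothetical helper name.
check_ssl_linkage() {
    awk -v prefix="${1%/}/" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen[($1 ~ /^libssl/) ? "libssl" : "libcrypto"] = 1
            # ldd prints "name => /path (addr)" or "name => not found"
            where = ($3 == "not") ? "not found" : $3
            if (index(where, prefix) == 1) {
                printf "OK   %s -> %s\n", $1, where
            } else {
                printf "BAD  %s -> %s\n", $1, where
                bad = 1
            }
        }
        END {
            if (!("libssl" in seen))    { print "BAD  libssl not linked"; bad = 1 }
            if (!("libcrypto" in seen)) { print "BAD  libcrypto not linked"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: the binary picked up the private build.
SAMPLE_PRIVATE='  libssl.so.3 => /opt/openssl3/lib64/libssl.so.3 (0x00007f1000000000)
  libcrypto.so.3 => /opt/openssl3/lib64/libcrypto.so.3 (0x00007f1000200000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f1000800000)'

# Constructed sample: the binary fell back to the distribution OpenSSL.
SAMPLE_SYSTEM='  libssl.so.10 => /lib64/libssl.so.10 (0x00007f2000000000)
  libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f2000200000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f2000800000)'

printf '%s\n' "$SAMPLE_PRIVATE" | check_ssl_linkage /opt/openssl3 || echo "private sample: FAIL"
printf '%s\n' "$SAMPLE_SYSTEM"  | check_ssl_linkage /opt/openssl3 || echo "system sample: FAIL (expected)"
# Real use (binary path is an assumption):
#   ldd /usr/local/bin/fetchmail | check_ssl_linkage /opt/openssl3
```

Re-running the check after each upgrade of the private prefix confirms the binary still loads the patched libraries.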