Diffstat (limited to 'README.SSL')
-rw-r--r--  README.SSL | 17
1 files changed, 10 insertions, 7 deletions
@@ -21,8 +21,12 @@ below and in the manual). fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only. -Fetchmail 6.4.38 supports OpenSSL 3.0.8 and 1.1.1t and WolfSSL 5.5.3 or newer, -including OpenSSL 3.1.0. +Fetchmail 6.4.38 supports OpenSSL 3.0.9, 3.1.4, and WolfSSL 5.6.6 or newer, +and might support OpenSSL 3.2.0 or newer. +Fetchmail may compile against end-of-life (EOL) OpenSSL 1.x.y versions, +but these are unsupported by the fetchmail maintainer. +It is expected that the user only uses a supported SSL library that receives +security fixes and is kept up to date. Note that WolfSSL 5 is a bit less flexible about its trust store, see INSTALL chapter 2.1 for details. @@ -31,16 +35,16 @@ Note that many messages printed by fetchmail will print "OpenSSL" even if wolfSSL is being used. Reason is that fetchmail uses wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API. - -- Matthias Andree, 2023-03-18 + -- Matthias Andree, 2024-01-31 Quickstart ---------- -Use an up-to-date release of OpenSSL v1.1.1 or v3.0/v3.1 or wolfSSL 5.5 or +Use an up-to-date release of OpenSSL v3.0/v3.1 or wolfSSL 5.5 or newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions are unsupported upstream, and fetchmail rejects versions before v1.0.2f and -warns about versions before v1.1.1q or 3.0.7. +warns about versions before 3.0.13. wolfSSL needs to be configured with --enable-opensslall --enable-harden, else some required OpenSSL APIs are missing, especially for SNI (server name @@ -74,8 +78,7 @@ or these options in the rcfile (after the respective "user"... options) sslproto tls1.2+ sslcertck -With up to date OpenSSL libraries (1.1.1 or newer), and with recent -software on the server, you can alternatively configure tls1.3+. +With recent software on the server, you can alternatively configure tls1.3+. For some older services, you may need to use tls1.1+ or tls1+ for compatibility instead of the tls1.2+ above. In such situations, you should ask the service |
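Review bot: the first hunk hedges with "might support OpenSSL 3.2.0 or newer" without saying what that is based on; state plainly whether 3.2.0 has been built or tested against, or drop the clause, since a reader deciding which library to link cannot act on "might". In the same hunk, "It is expected that the user only uses a supported SSL library" reads awkwardly; "Users are expected to use only a supported SSL library that receives security fixes and is kept up to date" says the same thing more directly.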
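Review bot: the second hunk leaves the Quickstart inconsistent with the version line changed in the first hunk. It still says "wolfSSL 5.5 or newer" while the first hunk now names WolfSSL 5.6.6 as the supported baseline, and it changes the warning threshold to "versions before 3.0.13" while the first hunk calls OpenSSL 3.0.9 supported, so a 3.0.9 through 3.0.12 build is both "supported" and warned about. The old text gave one threshold per branch ("v1.1.1q or 3.0.7"); with only "3.0.13" stated, the 3.1 branch (where the first hunk names 3.1.4) has no documented threshold. Suggest aligning the wolfSSL version with the first hunk and stating the warning threshold for each supported OpenSSL branch, matching whatever the configure/runtime check actually compares.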
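Review bot: the third hunk drops the qualifier that tls1.3+ depends on the OpenSSL library in use, but the first hunk says fetchmail may still compile against EOL 1.x.y releases, so a reader on such a build can no longer tell from this paragraph why "sslproto tls1.3+" would fail to negotiate. Consider keeping a short clause such as "with a TLS 1.3-capable library (any supported OpenSSL 3.x or wolfSSL release) and recent software on the server" so the requirement stays visible without re-endorsing 1.1.1.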