Using msmtp with OpenSSL is discouraged, please use GnuTLS
It is recommended to use msmtp with GnuTLS instead of OpenSSL. The upcoming version of msmtp will no longer select OpenSSL automatically; if you choose it explicitly, you will get a warning.
The reason for this is that the OpenSSL-related code in msmtp is essentially unmaintained. I don't work on it myself anymore, and the last time somebody sent a patch was 8 years ago.
As a result, if you use msmtp with OpenSSL today, you do not get support for TLS SNI, --tls-priorities, --tls-crl-file, or --tls-min-dh-prime-bits.
The code is hard to read, maintain, and improve because of severe limitations in the usability and documentation of the OpenSSL API. A few examples:
- With OpenSSL, we need to write our own functions to verify host names and to convert ASN1 times to time_t. This is insane: both operations are required by virtually all TLS clients and are hard to get right (see e.g. here and here). Any usable TLS library must provide such functions. I understand that OpenSSL 1.1.0 finally added support for host name verification, but it still leaves you alone with the terrible ASN1 time representation.
- Just initializing the library is a complex topic. The OpenSSL wiki has an 1800-word page on library initialization. Again, this is insane. If any explicit initialization is required at all, it should be done with one single, simple function call.
- We have a function in msmtp that does nothing but try to find out why an OpenSSL input/output error occurred. It has 50 lines of code and has to consult three different error codes from various parts of the OpenSSL API to do just that. Insane.
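To make the first point concrete, here is what "convert ASN1 times to time_t" actually involves. This is an added, self-contained example written for this page; it is not msmtp's code and does not use the OpenSSL API. It parses the two validity-time encodings RFC 5280 permits in notBefore/notAfter (UTCTime with its two-digit year and 50/49 pivot, and GeneralizedTime), rejects fractional seconds and non-Z zones, validates the calendar date, and converts to seconds since the epoch without relying on the platform's timezone settings. The function names and the sample strings are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define ASN1_TIME_INVALID LLONG_MIN

/* Days between 1970-01-01 and a proleptic Gregorian date; negative before 1970.
 * (Standard civil-date-to-days algorithm; avoids mktime() and its TZ dependency.) */
static long long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;                               /* year of era, 0..399 */
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

static int days_in_month(int y, int m)
{
    static const int dim[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    return (m == 2 && is_leap(y)) ? 29 : dim[m - 1];
}

/* Two ASCII digits -> int; caller has already verified they are digits. */
static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

static int all_digits(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9') return 0;
    return 1;
}

/* Convert a certificate validity time to a UTC time_t. RFC 5280 allows only:
 *   UTCTime         "YYMMDDHHMMSSZ"   (13 bytes; YY >= 50 means 19YY, else 20YY)
 *   GeneralizedTime "YYYYMMDDHHMMSSZ" (15 bytes)
 * Seconds are mandatory, fractional seconds are forbidden, and the zone must
 * be 'Z'. Everything else is rejected. Returns 0 on success, -1 on error. */
int asn1_time_to_time_t(const char *s, time_t *out)
{
    size_t len = strlen(s);
    int year;
    const char *p;

    if (len == 13 && all_digits(s, 12)) {            /* UTCTime */
        int yy = two(s);
        year = (yy >= 50) ? 1900 + yy : 2000 + yy;
        p = s + 2;
    } else if (len == 15 && all_digits(s, 14)) {     /* GeneralizedTime */
        year = two(s) * 100 + two(s + 2);
        p = s + 4;
    } else {
        return -1;
    }
    if (s[len - 1] != 'Z')
        return -1;

    int mon = two(p), day = two(p + 2);
    int hour = two(p + 4), min = two(p + 6), sec = two(p + 8);
    if (mon < 1 || mon > 12 || day < 1 || day > days_in_month(year, mon))
        return -1;
    if (hour > 23 || min > 59 || sec > 59)           /* leap second "60" rejected on purpose */
        return -1;

    long long secs = days_from_civil(year, mon, day) * 86400LL
                   + hour * 3600LL + min * 60LL + sec;
    *out = (time_t)secs;                             /* assumes a 64-bit time_t */
    return 0;
}

/* Convenience wrapper: epoch seconds, or ASN1_TIME_INVALID if the string is rejected. */
long long asn1_time_epoch(const char *s)
{
    time_t t;
    return asn1_time_to_time_t(s, &t) == 0 ? (long long)t : ASN1_TIME_INVALID;
}

int main(void)
{
    /* Constructed sample inputs; not taken from any real certificate. */
    const char *samples[] = {
        "491231235959Z",        /* UTCTime: last second of 2049 */
        "500101000000Z",        /* UTCTime: 1950, because YY >= 50 */
        "20240229120000Z",      /* GeneralizedTime: valid leap day */
        "20230229120000Z",      /* invalid: 2023 is not a leap year */
        "240229120000",         /* invalid: missing 'Z' */
        "20240229120000+0100",  /* invalid: local offsets are not allowed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long e = asn1_time_epoch(samples[i]);
        if (e == ASN1_TIME_INVALID)
            printf("%-22s -> rejected\n", samples[i]);
        else
            printf("%-22s -> %lld\n", samples[i], e);
    }
    return 0;
}
```

The pitfalls this has to get right are exactly why the text calls the job hard: the UTCTime year pivot, refusing the looser ASN.1 forms (fractional seconds, "+hhmm" offsets) that RFC 5280 forbids, validating the day against the month and leap year, and not going through mktime(), which would silently apply the local timezone. A library that hands you the raw string and leaves all of that to every client is the usability problem the post describes.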
Complexity is the enemy of security. I gave up on OpenSSL years ago and will not work to improve and update the OpenSSL-related code in msmtp. If someone wants to do that work, I will accept patches, but I will continue to recommend using GnuTLS instead. If the OpenSSL support in msmtp remains in its current state, it will eventually be removed.