Bug#1011249: cyrus-sasl2: broken DIGEST-MD5 with openssl3

[Bastian Germann <bage@debian.org>]

X-Debbugs-Cc: debian-devel@lists.debian.org

Am 18.05.22 um 22:00 schrieb Andreas Hasenack:
> cyrus-sasl2 2.1.28 has commit ...  which makes it use openssl
> for RC4.
>
> debian/sid now has openssl3, which deprecated RC4 and made it part of
> the legacy provider. Which means that by default it won't be
> available, unless the application enables the legacy provider, or if
> said provider is enabled via a system-wide openssl configuration.
>
> Those two facts combined mean digest-md5, which uses RC4 if the SSF
> layer is set to use encryption, is currently unavaliable to
> applications using the cyrus-sasl2 library, such as openldap:
>
> ...
> cyrus-sasl2 upstream landed[4] a few commits to address this and other
> things, among which:
>
> ...
> 4. https://github.com/cyrusimap/cyrus-sasl/pull/653/commits

Should I take the upstream sasl patches which enable DIGEST-MD5 again or is
it time to drop that mechanism, which is obsoleted by RFC6331 for 11 years?

What would I need to do on dropping it? An entry in NEWS, notifying the
release team, something else?

I would love to get some insight if anybody still uses DIGEST-MD5 or has
an opinion about this.