[openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Jeffrey Walton noloader at gmail.com
Fri Nov 13 18:24:26 UTC 2015


> ALL BINARY ELLIPTIC CURVES

This one may be premature.

I understand the TLS WG is moving against it. However, I am aware of
implementations of Shoup's ECIES, and they, in turn, depend on
OpenSSL. I don't know if the ECIES implementations rely solely on
prime fields or not, however.

> BLOWFISH - probably still in use though I don't know where exactly?

Linux password files and associated tools, like John the Ripper (JtR).

OpenSSL is a good toolkit for research purposes. But if research is
not a goal, then that's understandable. There are other crypto
libraries that include research as a goal.

Jeff

On Fri, Nov 13, 2015 at 8:40 AM, Emilia Käsper <emilia at openssl.org> wrote:
> Hi all,
>
> We are considering removing from OpenSSL 1.1 known broken or outdated
> cryptographic primitives. As you may know the forks have already done this
> but I'd like to seek careful feedback for OpenSSL first to ensure we won't
> be breaking any major applications.
>
> These algorithms are currently candidates for removal:
>
> CAST
> IDEA
> MDC2
> MD2 [ already disabled by default ]
> RC5 [ already disabled by default ]
> RIPEMD
> SEED
> WHIRLPOOL
> ALL BINARY ELLIPTIC CURVES
>
> My preference would be to remove these algorithms completely (as in, delete
> the code). Disabled-by-default code will either be re-enabled by distros (if
> there's widespread need for it - in which case we might as well leave it in)
> or will be poorly tested and is likely to just silently rot and break. This
> code is bloat and maintenance burden for us - my hope is that much of this
> code is effectively dead and can be removed.
>
> Are you aware of any mainstream need to continue supporting these algorithms
> in OpenSSL 1.1? Note that an older OpenSSL library or binary, or a
> standalone implementation or another crypto toolkit can always be used to
> continue supporting a legacy standalone application, or to decrypt
> ciphertext from the distant past. I am looking for use cases that could
> cause e.g. interop breakage between new and old peers, or major pain to
> distro end-users.
>
> These algorithms are obsolete but removing them doesn't look feasible:
>
> BLOWFISH - probably still in use though I don't know where exactly?
> MD4 - used in NTLM
> RC2 - used in PKCS#12
>
> Did I miss anything from the list?

