How long Legacy providers supported?

Tomas Mraz tomas at openssl.org
Mon Jul 24 13:51:33 UTC 2023


Yes, for that reason I do not expect algorithm support to be completely
removed from OpenSSL at all, maybe with an exception of some totally
unused odd legacy algorithms. MDC2? MD2? RC2? RC5? Maybe. Maybe not.

However moving things from the default provider to legacy can
definitely happen on major releases.

Tomas Mraz

On Mon, 2023-07-24 at 14:54 +0200, Hubert Kario wrote:
> The big problem is that the legacy algorithms may be necessary to access
> offline backups. Data that may be 10, 15, 25 years old...
> Similarly, you may have signatures made a long time ago, but by use of
> timestamping (I suggest reading about archival variants of PAdES, CAdES,
> or XAdES) it allows us to trust 1024 bit DSA signatures or 768 bit RSA
> signatures, because we can be sure they were made in the middle of
> 1990's.
> 
> On Monday, 24 July 2023 09:59:20 CEST, Tomas Mraz wrote:
> > If you're talking about the algorithms in the legacy provider (and not
> > the deprecated legacy API support) then there are no definitive plans
> > when algorithms that are placed in that provider will be removed
> > completely.
> > 
> > The legacy provider itself is not going away at all as more algorithms
> > will be moved to it in future (I assume DSA and SHA1 would be one of
> > those). However eventually some algorithms that are in it currently
> > might be completely dropped.
> > 
> > Every removal of algorithms provided by a particular provider (i.e.,
> > default in case of migration of for example DSA to the legacy provider,
> > or legacy in case we remove for example MD2 from it) can happen only on
> > a major version boundary. So 4.0 would be the earliest possible time.
> > However it does not mean that it must happen at 4.0 and not 5.0 or any
> > time later.
> > 
> > We also do not have any timeframe for the 4.0 release so the only
> > answer I can give you is that the removals of existing legacy
> > algorithms won't happen any time soon (like 1-2 years from now).
> > 
> > Tomas Mraz, OpenSSL
> > 
> > On Mon, 2023-07-24 at 12:47 +0530, Ishani wrote:
> > > Hi,
> > > 
> > > I'm aware that in future legacy providers will not be supported
> > > and we must plan to migrate.
> > > 
> > > But I would like to know how long Legacy providers will be
> > > supported ...
> > 
> 

-- 
Tomáš Mráz, OpenSSL


