[openssl] master update

beldmit at gmail.com beldmit at gmail.com
Thu Aug 12 08:00:28 UTC 2021


The branch master has been updated
       via  a5f4099d275520caf90a28a88e889cb36683b412 (commit)
      from  dbd0244a16ebf577401e92cce374467dbc3226df (commit)


- Log -----------------------------------------------------------------
commit a5f4099d275520caf90a28a88e889cb36683b412
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Tue Aug 10 15:04:37 2021 +0200

    Disclaimer about the default provider activation added to config
    
    Fixes #16249
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16280)

-----------------------------------------------------------------------

Summary of changes:
 apps/openssl-vms.cnf | 8 ++++++++
 apps/openssl.cnf     | 8 ++++++++
 doc/man5/config.pod  | 9 +++++++++
 3 files changed, 25 insertions(+)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 4d96a1f32d..59c6776a1e 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -60,6 +60,14 @@ default = default_sect
 # included fipsmodule.cnf.
 # fips = fips_sect
 
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence applications depending on
+# OpenSSL may not work correctly which could lead to significant system
+# problems including inability to remotely access the system.
 [default_sect]
 # activate = 1
 
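Review bot: The comment added above [default_sect] warns that the default provider has to be activated explicitly, but it never says how, and the line right below it, "# activate = 1", stays commented out with no pointer to it. Consider ending the block with a sentence such as "To do so, uncomment the activate line below." so that someone who enables "fips = fips_sect" a few lines up finds the remedy next to the warning. The first added line is also longer than 80 columns, while the rest of the block wraps earlier.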
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index ffb424a871..03330e0120 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -60,6 +60,14 @@ default = default_sect
 # included fipsmodule.cnf.
 # fips = fips_sect
 
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence applications depending on
+# OpenSSL may not work correctly which could lead to significant system
+# problems including inability to remotely access the system.
 [default_sect]
 # activate = 1
 
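Review bot: In the added comment, "it becomes unavailable in openssl" is ambiguous between the openssl command-line tool and the library, although the next sentence is about "applications depending on OpenSSL". Writing "unavailable in OpenSSL" would make clear that the library, and therefore every application using it, is affected. The block is a word-for-word copy of the one in apps/openssl-vms.cnf, so any rewording has to be applied to both files to keep them in sync.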
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 7bd603a2cc..77a8055e81 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -273,6 +273,15 @@ significant.
 All parameters in the section as well as sub-sections are made
 available to the provider.
 
+=head3 Default provider and its activation
+
+If no providers are activated explicitly, the default one is activated implicitly.
+See L<OSSL_PROVIDER-default(7)> for more details.
+
+If you add a section explicitly activating any other provider(s),
+you most probably need to explicitly activate the default provider,
+otherwise it becomes unavailable in openssl. It may make the system remotely unavailable.
+
 =head2 EVP Configuration
 
 The name B<alg_section> in the initialization section names the section
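Review bot: The last added sentence, "It may make the system remotely unavailable.", drops the reasoning that the two .cnf comments in this commit spell out (applications depending on OpenSSL may stop working, which can include remote access), and "It" has no clear antecedent. Consider reusing the .cnf wording here and naming the setting the reader has to add; the sample files show "activate = 1" under "[default_sect]", and the man page is where a reader will look for the exact syntax. That line is also longer than 80 columns, unlike the surrounding POD text.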

