[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Stefan.Neis at t-online.de Stefan.Neis at t-online.de
Fri Nov 13 17:08:04 UTC 2015


   Hi,
 
> We are considering removing from OpenSSL 1.1 known broken
> or outdated cryptographic primitives. As you may know the forks
> have already done this but I'd like to seek careful feedback for
> OpenSSL first to ensure we won't be breaking any major applications.
[...]
> My preference would be to remove these algorithms completely
> (as in, delete the code).
 
From the formal[istic] point of view, I'd suggest following the way
many libraries handle API changes, i.e. to only remove the
algorithms that currently are already disabled by default and only
disable the rest (clearly stating the intention of removing them in
the next release), but still keep it for now. So users get a fair
warning and a timeframe for "fixes", before things are finally
removed.
OTOH, crypto algorithms aren't like "normal APIs", so a wake-up
call saying "if you still use those outdated algorithms, fix it _now_"
(as it's no longer supported) might even be a good thing...
 
 
> Did I miss anything from the list?
 
Since you mentioned RC2 and RC5, what about the "officially
deprecated" RC4? (although it seems "less outdated" than
some of the others...). Maybe at least have an option to
disable it?
 
          Regards,
                    Stefan
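As an added example, not part of the thread, the audit an application owner would run before such a removal lands: using Python's standard `ssl` module, which exposes the linked OpenSSL's cipher list, it flags every suite built on the primitives named above (RC4, RC2, DES/3DES, IDEA, SEED, MD5) and probes whether an OpenSSL cipher-string alias still resolves, which is the failure an application hits once the code is deleted. The description-line format is OpenSSL's own (`openssl ciphers -v`); which aliases still resolve depends on the local build.

```python
import re
import ssl

# Primitives the thread names as candidates for disabling or removal.
LEGACY_ENC = {"RC4", "RC2", "DES", "3DES", "IDEA", "SEED"}
LEGACY_MAC = {"MD5"}

# OpenSSL's one-line suite description, as printed by `openssl ciphers -v`,
# e.g. "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5".
_DESC_RE = re.compile(r"Enc=(?P<enc>[^\s(]+)(?:\([^)]*\))?\s+Mac=(?P<mac>\S+)")

def legacy_reasons(description):
    """Legacy primitives used by one suite; [] means the suite is clean."""
    m = _DESC_RE.search(description)
    if m is None:
        return []
    reasons = []
    if m.group("enc") in LEGACY_ENC:
        reasons.append(m.group("enc"))
    if m.group("mac") in LEGACY_MAC:
        reasons.append(m.group("mac"))
    return reasons

def audit_context(ctx=None):
    """Map suite name -> legacy primitives for every suite the context offers
    (default: the context most applications use, create_default_context())."""
    ctx = ssl.create_default_context() if ctx is None else ctx
    flagged = {}
    for suite in ctx.get_ciphers():  # each entry carries OpenSSL's description
        reasons = legacy_reasons(suite["description"])
        if reasons:
            flagged[suite["name"]] = reasons
    return flagged

def still_linked(alias):
    """True if the linked OpenSSL still offers a TLS<=1.2 suite for a
    cipher-string alias such as "RC4"; set_ciphers() raises SSLError when
    nothing matches, the failure an application hits once the algorithm is
    disabled at build time, deleted, or (OpenSSL 3) in an unloaded provider."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(alias)
    except ssl.SSLError:
        return False
    return True

if __name__ == "__main__":
    for alias in sorted(LEGACY_ENC | LEGACY_MAC):
        print(f"{alias:<5} still available: {still_linked(alias)}")
    print("legacy suites in default context:", audit_context() or "none")
```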

