[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Benjamin Kaduk bkaduk at akamai.com
Fri Nov 13 20:51:14 UTC 2015


On 11/13/2015 02:20 PM, Daniel Kahn Gillmor wrote:
> On Fri 2015-11-13 14:48:41 -0500, Viktor Dukhovni wrote:
>> The simplest approach is to remove ciphersuites from the SSL/TLS
>> code (effectively making them unavailable even via ALL:COMPLEMENTOFALL),
>> but leave the underlying crypto in the library.
>>
>> Similarly, one might remove algorithms from S/MIME, CMS, ...  while
>> leaving them in the base crypto library.
> FWIW, this is one of the consequences of OpenSSL providing both
> libcrypto and libssl.  It would be nice from a maintenance perspective
> to be able to decouple the two more cleanly.
>
> I definitely like Viktor's suggestion of removing known-bad mechanisms
> from libssl.  It's harder to know what to do with libcrypto.

I am hopeful that some things can still be done with libcrypto, but
recognize that that may be overly optimistic.

> Unfortunately, OpenSSL has lots of bindings to other languages, so the
> binding authors themselves might say "we use these functions and offer
> them to our users", which means there's a chained set of dependencies
> to consider for proper deprecation.  Will removal of these primitives
> mean that the language bindings won't build against newer versions of
> OpenSSL?
>

Yes.  https://rt.cpan.org/Public/Bug/Display.html?id=106180 is just one
case of many, I fear...

-Ben
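One way to check the libssl side of Viktor's point from the defender's chair, as an added example that is not from this thread or from the OpenSSL project: ask the libssl that Python was built against what it will actually offer under the widest possible cipher string (ALL:COMPLEMENTOFALL), then compare that with what libcrypto can still construct. A suite missing from that list is gone from libssl regardless of whether the primitive survives in libcrypto. The script assumes only the standard `ssl` and `hashlib` modules; the CANDIDATES list is a constructed sample of legacy suite names, and the helper names (`suites_offered`, `partition`, `rejects`, `digest_in_libcrypto`) are this example's own.

```python
"""Audit which cipher suites the linked libssl still offers.

Added example, not code from the thread or from OpenSSL. It assumes only
Python's standard `ssl` and `hashlib` modules, which wrap whatever OpenSSL
the interpreter was built against. CANDIDATES is a constructed sample.
"""
import hashlib
import ssl

# Constructed sample: OpenSSL suite names a defender might still find in
# old server configurations. Whether each one is offered depends entirely
# on the build being audited; nothing here is assumed about the result.
CANDIDATES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "NULL-MD5",
]


def suites_offered(cipher_string="ALL:COMPLEMENTOFALL"):
    """Return the set of suite names libssl will negotiate for cipher_string.

    ALL:COMPLEMENTOFALL is the widest selection libssl permits, so a suite
    absent from this set has been removed or disabled in libssl even if the
    underlying algorithm still exists in libcrypto.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"] for c in ctx.get_ciphers()}


def rejects(cipher_string):
    """True if libssl can select no suite at all for cipher_string."""
    try:
        suites_offered(cipher_string)
    except ssl.SSLError:
        return True
    return False


def partition(candidates, offered=None):
    """Split candidates into (still offered by libssl, not offered)."""
    if offered is None:
        offered = suites_offered()
    present = [s for s in candidates if s in offered]
    absent = [s for s in candidates if s not in offered]
    return present, absent


def digest_in_libcrypto(name):
    """True if libcrypto (via hashlib) can still construct the digest,
    which may hold even when no TLS suite using it remains in libssl."""
    try:
        hashlib.new(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("libssl version:", ssl.OPENSSL_VERSION)
    present, absent = partition(CANDIDATES)
    for s in present:
        print("offered by libssl:    ", s)
    for s in absent:
        print("NOT offered by libssl:", s)
    for d in ("md5", "sha1", "sha256"):
        print(f"libcrypto digest {d}: {digest_in_libcrypto(d)}")
```

Run it against each OpenSSL build in your fleet: a suite that moves from "offered" to "NOT offered" between versions is exactly the libssl-only removal Viktor describes, while `digest_in_libcrypto` still reporting True for the same primitive shows the libcrypto dependency that language bindings would continue to rely on.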

