[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Nov 13 21:16:56 UTC 2015
On Fri, Nov 13, 2015 at 03:20:58PM -0500, Daniel Kahn Gillmor wrote:
> Perhaps it would be useful to gather data on this by looking at large
> codebases (e.g. large linux distros like fedora or debian) to see
> whether these particular functions of libcrypto are being used or linked
> to.
>
> I haven't had the time to do a full review here, but i've found
> https://codesearch.debian.net/ useful for this kind of API
> deprecation/removal in the past.
This is very difficult, because most applications use libcrypto
algorithms indirectly, via EVP_get_cipherbyname(), EVP_get_digestbyname()
and so on. So the code will link, but there'll be runtime errors
due to missing ciphers or digests.
Even worse, we will find that things like Python, Perl, ... provide
EVP wrappers, and then it is a mystery which scripts depend on
obsolete ciphers.
At some point people will just need to port their scripts. This
does present rather a quandry for distributions shipping Perl,
Python, ... as to which OpenSSL to link to, if newer versions omit
base algorithms. Actually deleting algorithms is *very* difficult.
Fixing the SSL layer is much more simple, because algorithm
negotiation (i.e. algorithm agility, which many folks like to knock)
means that TLS can move on much more easily that some random
application that needs to read 20-year-old backups.
--
Viktor.
More information about the openssl-dev
mailing list