[openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Loganaden Velvindron
loganaden at gmail.com
Sun Nov 15 10:24:02 UTC 2015
On Sun, Nov 15, 2015 at 8:48 AM, pl <pl at artisanlogiciel.net> wrote:
> On 14/11/2015 18:32, Viktor Dukhovni wrote:
>> On Sat, Nov 14, 2015 at 07:32:33AM +0000, Peter Waltenberg wrote:
>>
>>> I also can't see any point expunging old algorithms from the sources,
>>> making them not build by default should be enough.
>> It is difficult enough to maintain code that is typically built,
>> dead code is even harder to keep correct. And what are distributions
>> of the library to do? Break a lot of customer code by shipping
>> with the algorithms disabled? Or re-enable compilation?
>>
>>> The only thing I would suggest is dropping assembler support for
>>> anything that's been retired, just to cut the maintenance effort / risk
>>> of breakage. If it's legacy only, performance shouldn't be an issue.
>> That probably makes more sense. Drop associated SSL/TLS ciphersuite
>> codepoints and drop assembly support (if any). Leave the C
>> implementation in libcrypto to support legacy "data at rest"
>> applications.
>>
>> The proposed list was:
>>
>> CAST
>> IDEA
>> MDC2
>> MD2 [ already disabled by default ]
>> RC5 [ already disabled by default ]
>> RIPEMD
>> SEED
>> WHIRLPOOL
>> ALL BINARY ELLIPTIC CURVES
>>
Perhaps, it might be worth looking at what LibreSSL has already
removed without affecting their 3rd party packages ?
More information about the openssl-dev
mailing list