Do we really want to have the legacy provider as opt-in only?

Tomas Mraz tmraz at redhat.com
Mon Jul 15 12:58:42 UTC 2019


Hi everyone,

if the Subject was already fully discussed and thought through then
please disregard this but otherwise I'd like this e-mail to be a
starting point for discussion.

I suppose the current intention is to make the legacy provider as opt-
in only by either application explicitly loading it or by having it
added to the default configuration file.

Is there anywhere any document which categorizes the current set of
algorithms with which are considered legacy and which not?

I understand that for the current digest algos implemented in the
legacy provider the problem might not be as pressing as these
algorithms are not widely used however which other algorithms are going
to be moved into the legacy provider?

Wouldn't it be better to make the legacy provider opt-out? I.E. require
explicit configuration or explicit API call to not load the legacy
provider.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




More information about the openssl-project mailing list