Do we really want to have the legacy provider as opt-in only?

Matt Caswell matt at openssl.org
Mon Jul 15 14:22:21 UTC 2019



On 15/07/2019 15:15, Tomas Mraz wrote:
> On Mon, 2019-07-15 at 14:48 +0100, Matt Caswell wrote:
>>
>> On 15/07/2019 14:43, Tomas Mraz wrote:
>>> On Mon, 2019-07-15 at 14:19 +0100, Matt Caswell wrote:
>>>> On 15/07/2019 13:58, Tomas Mraz wrote:
>>>>>
>>>> IMO this is a major release and therefore we should be taking the
>>>> opportunity to encourage applications to move away from these legacy
>>>> algorithms. That's kind of the point of having a legacy provider in the
>>>> first place. Most applications should not need to use these legacy algos
>>>> so in my mind it is a sensible default to not have them available. Only
>>>> if you *really* need them should you load the legacy provider.
>>>
>>> OK, but then for the applications that *really* need the legacy
>>> algorithms the move to 3.0.0 will definitely not be just a
>>> recompilation.
>>
>> It can still be a simple recompilation even in this case - combined with a
>> configuration change.
> 
> This might be fine for a special build of openssl included within an
> application. But what would you recommend for a distribution wide
> openssl?
> 
> If the legacy provider is not supposed to be loaded for normal
> applications then the system-wide configuration file must not load the
> provider. And then you have the special legacy apps that need it and so
> they need to explicitly load the legacy provider. So saying this is
> "just recompilation and configuration change" is at least somewhat
> oversimplified.

Agreed. There will certainly be cases where code change *is* required. I'm just
saying that not all apps will have to do this.

> 
> But I am OK with that. I'm just saying it should be better advertised
> and that internally openssl should not use the "load legacy provider by
> having it in default config file" to actively encourage the "load
> legacy provider only if you *really* need it" behavior.
> 

Also agreed. I don't think we should load it in the default config file. We
*should* provide an option to the apps to enable it to be loaded on a
case-by-case basis where appropriate.

This will certainly need some explaining at some point. As will the whole
concept of providers and how the new architecture works.  I expect to see
(eventually) blog posts/wiki pages/man pages/CHANGES entries about the whole
provider thing - and that will have to include the concept of the legacy provider.

Matt
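
An added example, not part of the original message or of OpenSSL itself: a small audit check for the point agreed in this thread, that a system-wide configuration file should not load the legacy provider. It assumes the `openssl.cnf` provider syntax of the released OpenSSL 3.0 (`openssl_conf`, `providers`, `activate`), which postdates this discussion; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: a system-wide openssl.cnf that activates the legacy provider.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    # Keys that appear before any [section] header belong to "default".
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def activated_providers(text):
    """Return the provider names this config activates at library init."""
    s = parse_cnf(text)
    init = s.get(s["default"].get("openssl_conf", ""), {})
    providers = s.get(init.get("providers", ""), {})
    # Assumption (conservative for auditing): any `activate` key counts,
    # whatever value is assigned to it.
    return {name for name, sect in providers.items() if "activate" in s.get(sect, {})}

def loads_legacy(text):
    """True if the config would make legacy algorithms available to every app."""
    return "legacy" in activated_providers(text)
```

A provider section that is defined but not referenced from the `providers` section is not reported, since only referenced sections are followed.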

