Do we really want to have the legacy provider as opt-in only?

Kurt Roeckx kurt at
Tue Jul 16 18:19:10 UTC 2019

On Mon, Jul 15, 2019 at 02:58:42PM +0200, Tomas Mraz wrote:
> Wouldn't it be better to make the legacy provider opt-out? I.E. require
> explicit configuration or explicit API call to not load the legacy
> provider.

I'm not even sure why they need to move to a different provider
(at this time). Instead I think we should have a mechanism to
enable/disable the individual algorithms, and still have
everything in the default provider, possibly disabled by default.

At some point in the future we could remove the code from OpenSSL,
and move it to different repository that only contains such legacy
code that we no longer ship as part of OpenSSL.


More information about the openssl-project mailing list