Do we really want to have the legacy provider as opt-in only?

Matt Caswell matt at
Tue Jul 16 18:24:40 UTC 2019

On 16/07/2019 19:19, Kurt Roeckx wrote:
> On Mon, Jul 15, 2019 at 02:58:42PM +0200, Tomas Mraz wrote:
>> Wouldn't it be better to make the legacy provider opt-out? I.E. require
>> explicit configuration or explicit API call to not load the legacy
>> provider.
> I'm not even sure why they need to move to a different provider
> (at this time). Instead I think we should have a mechanism to
> enable/disable the individual algorithms, and still have
> everything in the default provider, possibly disabled by default.
> > At some point in the future we could remove the code from OpenSSL,
> and move it to different repository that only contains such legacy
> code that we no longer ship as part of OpenSSL.

I think the reasoning behind having the legacy provider was as a first step to
doing just that, i.e. we move the legacy stuff to a legacy provider and then at
some later point we could choose to separate out the legacy provider as a
separate thing which we don't release with mainline OpenSSL - but if people want
to add it back in then they download and build the legacy provider separately
and just drop it back in and it automatically becomes available again.


More information about the openssl-project mailing list