[openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

[Emilia Käsper]

Hi all,

We are considering removing from OpenSSL 1.1 known broken or outdated
cryptographic primitives. As you may know the forks have already done this
but I'd like to seek careful feedback for OpenSSL first to ensure we won't
be breaking any major applications.

These algorithms are currently candidates for removal:

CAST
IDEA
MDC2
MD2 [ already disabled by default ]
RC5 [ already disabled by default ]
RIPEMD
SEED
WHIRLPOOL
ALL BINARY ELLIPTIC CURVES

My preference would be to remove these algorithms completely (as in, delete
the code). Disabled-by-default code will either be re-enabled by distros
(if there's widespread need for it - in which case we might as well leave
it in) or will be poorly tested and is likely to just silently rot and
break. This code is bloat and maintentance burden for us - my hope is that
much of this code is effectively dead and can be removed.

*Are you aware of any mainstream need to continue supporting these
algorithms in OpenSSL 1.1?* Note that an older OpenSSL library or binary,
or a standalone implementation or another crypto toolkit can always be used
to continue supporting a legacy standalone application, or to decrypt
ciphertext from the distant past. I am looking for use cases that could
cause e.g. interop breakage between new and old peers, or major pain to
distro end-users.

These algorithms are obsolete but removing them doesn't look feasible:

BLOWFISH - probably still in use though I don't know where exactly?
MD4 - used in NTLM
RC2 - used in PKCS#12

*Did I miss anything from the list?*

Cheers,
Emilia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151113/deda49b7/attachment.html>