[openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

Jeffrey Walton noloader at gmail.com
Tue Nov 17 18:00:44 UTC 2015


On Tue, Nov 17, 2015 at 7:21 AM, Emilia Käsper <emilia at openssl.org> wrote:
>
>
> On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>
>> > MD2 - (The argument that someone somewhere may want to keep verifying
>> > old
>> > MD2 signatures on self-signed certs doesn't seem like a compelling
>> > enough
>> > reason to me. It's been disabled by default since OpenSSL 1.0.0.)
>> > ...
>> Apple still provides two Verisign certificates using
>> md2WithRSAEncryption. Confer,
>> https://support.apple.com/en-us/HT203065.
>
>
> Setting aside the debate of whether verifying trust store signatures is
> useful, whether verifying MD2 signatures has any practical security value,
> or whether OpenSSL + iOS is a meaningful combination:
>
> This is iOS7. The current release is iOS9 (trust store here:
> https://support.apple.com/en-us/HT205205, MD2 certs are gone).
>
> Arguments like this illustrate a fundamental misunderstanding in this
> thread. We are not pulling the carpet from any users TODAY. We are asking
> whether there are applications that will need this code 2..3..5 years down
> the line.

My bad... I was not arguing either way. I was just presenting facts.

Also, if OpenSSL requires iOS 9 or above, then it's setting policy for users.

I still have iOS 6, 7 and 8 devices because (1) some of my hardware is
old and abandoned by Apple (they are trying to set policy, too, in an
effort to boost sales). (2) I dislike the "cartoony" interface of iOS
7 and above. (3) I have down level OS X operating systems (due to
operational requirements and personal taste), and they can't talk to
iOS 8 or 9 devices.

Jeff

