openssl 3.0.0 legacy provider won't lload via config file

Kory Hamzeh kory at
Mon Sep 13 23:13:31 UTC 2021

I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything seems to be working fine, except for the fact that I cannot get OpenSSL to load the legacy module when I configure /ssl/openssl.cnf as such. I can, however, load the module explicitly at run time.

This is a diff of my config file against a stock openssl.cnf.dist:

--- openssl.cnf.dist	2021-09-13 10:04:16.287697686 -0700
+++ openssl.cnf	2021-09-13 10:27:23.595752186 -0700
@@ -56,6 +56,7 @@
 # List of providers to load
 default = default_sect
+legacy = legacy_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
@@ -69,8 +70,10 @@
 # OpenSSL may not work correctly which could lead to significant system
 # problems including inability to remotely access the system.
-# activate = 1
+activate = 1
+activate = 1
You’ll notice the only changes I made was to activate the default module, define a legacy section and activate it also.

This is the code snippet that gets called from main():

       OSSL_PROVIDER *legacy;
       legacy = OSSL_PROVIDER_load(NULL, "legacy");
       if (legacy == NULL) {
           printf("Failed to load Legacy provider\n");
       if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
	       printf("Error: crypto_init failed\n");

  if(!(e = EVP_CIPHER_CTX_new())) {
    printf("Could not create EVP instance\n");
    return -1;

  if((ret = EVP_DecryptInit_ex(e, EVP_des_ecb(), NULL, key, NULL)) != 1) {
    printf("DecryptInit failed\n");
    return -1;    

The EVP_DecryptInit_ex() fails if I compile without -DLOAD_PROVIDER. The other flag, CRYPTO_INIT does not make any difference. What is puzzling is that I can build OpenSSL natively on an x86_64 machine and using the same openssl.cnf file, the code above works and the legacy module loads without the code to explicitly load it.

Any thoughts on what I may have done wrong or how to track this down?


More information about the openssl-users mailing list