Does algorithm fetching falls back if provider does not support algorithm parameters?

Tomas Mraz tomas at
Mon Apr 3 06:51:14 UTC 2023

This is a well-known weakness of the provider implementation selection
method as we currently implement it in libcrypto.

Yes, in such case as you've described the implementation used will be
the one from the provider "A" and that means using 4096 bit RSA will

It would require much more fine-grained model of algorithm properties
to be implemented across providers. However it would also make the
algorithm implementation selection much more complicated from the
user's perspective which might not be desirable.

Tomas Mraz, OpenSSL

On Mon, 2023-04-03 at 01:19 +0000, Afshin Pir wrote:
> Hi all,
> I wonder what happens if the fetched algorithm does not support
> algorithm parameters. For example, let’s say we have provider “A”
> which supports RSA up to 2048 bit. Now we load provider “A” and
> default provider (or fips provider) and use querystring “?provider=a”
> to give priority to provider “A”. Now if we try to create an RSA
> keypair or do a signature up to 2048-bit, provider “A” will be used,
> and everything works just fine. But what happens if we try to use RSA
> 4096? Provider “A” does not support importing or generating this bit
> size and corresponding methods fails. Now will loading or generating
> falls back on default or fips provider which is already loaded in the
> context?
> Best Regards,
> Afshin
> This email is confidential and may contain information subject to
> legal privilege. If you are not the intended recipient please advise
> us of our error by return e-mail then delete this email and any
> attached files. You may not copy, disclose or use the contents in any
> way. The views expressed in this email may not be those of Gallagher
> Group Ltd or subsidiary companies thereof.

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list