[Pkg-openssl-devel] Bug#965041: libssl3: Please stop building legacy provider

Kurt Roeckx kurt at roeckx.be
Sun Sep 18 20:06:59 BST 2022


On Sun, Sep 18, 2022 at 07:09:05PM +0200, Sebastian Andrzej Siewior wrote:
> On 2020-07-16 08:46:43 [+0200], Kurt Roeckx wrote:
> > On Thu, Jul 16, 2020 at 03:57:17AM +0100, Dimitri John Ledkov wrote:
> > > 
> > > openssl package could ship `.include /etc/ssl/providers.d/` in ssl.conf.
> > 
> > That would actually make sense.
> > 
> > We could use the include thing to ship a config file for the
> > fips module with the correct hash in it.
> 
> Kurt, what do we do here?
> Split /usr/lib/*/ossl-modules/legacy.so into its own package which is
> part of src:openssl and adds a config snippet.

I'm not sure that having the legacy provider automatically enabled by
default when it's installed is a good idea. That means once it's
installed, all applications have it by default. I think it needs to be
enabled per application.

I think the same goes for fips. Only applications that need it, and
probably support a library context should enable it. I don't know enough
details currently about fips, but I think applications need to provide
an approved RNG, and /dev/random is no longer acceptable.
But upgrading the fips provider should be as easy as possible,
just installing a new version. So I think we need to provide at least
some config file that has the hash in it.


Kurt
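As an added illustration, not taken from the thread, this is what the `.include /etc/ssl/providers.d/` layout proposed above could look like with a drop-in that activates the legacy provider; the file name legacy.cnf, the section names and the openssl.cnf location are assumptions. Note that this activates legacy for every application using the default library context, which is exactly the objection raised in the reply.

```ini
# --- /etc/ssl/openssl.cnf (assumed location of the ssl.conf being discussed) ---
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# As soon as any provider is activated explicitly, the default provider is
# no longer loaded implicitly, so it has to be activated here as well.
default = default_sect
# Every *.cnf / *.conf file in the directory is parsed inline at this point:
# lines before the first [section] header in a drop-in extend [provider_sect].
.include /etc/ssl/providers.d/

[default_sect]
activate = 1

# --- /etc/ssl/providers.d/legacy.cnf (assumed name; would be shipped by a split-off legacy package) ---
legacy = legacy_sect

[legacy_sect]
activate = 1
```

An application that needs the legacy algorithms only for itself can instead create its own OSSL_LIB_CTX and call OSSL_PROVIDER_load() on that context, leaving the system-wide default context untouched.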


