On 11/13/2015 02:20 PM, Daniel Kahn Gillmor wrote: > On Fri 2015-11-13 14:48:41 -0500, Viktor Dukhovni wrote: >> The simplest approach is to remove ciphersuites from the SSL/TLS >> code (effectively making them unavailable even via ALL:COMPLEMENTOFALL), >> but leave the underlying crypto in the library. >> >> Similarly, one might remove algorithms from S/MIME, CMS, ... while >> leaving them in the base crypto library. > FWIW, this is one of the consequences of OpenSSL providing both > libcrypto and libssl. It would be nice from a maintenance perspective > to be able to decouple the two more cleanly. > > I definitely like Viktor's suggestion of removing known-bad mechanisms > from libssl. It's harder to know what to do with libcrypto.
I am hopeful that some things can still be done with libcrypto, but recognize that that may be overly optimistic. > Unfortunately, OpenSSL has lots of bindings to other languages, so the > binding authors themselves might say "we use these functions and offer > them to our users", which means there's a chained set of dependencies > to consider for proper deprecation. Will removal of these primitives > mean that the language bindings won't build against newer versions of > OpenSSL? > Yes. https://rt.cpan.org/Public/Bug/Display.html?id=106180 is just one case of many, I fear... -Ben _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev