
Annotation of /rpms/openssl3/contribs10/0024-load-legacy-prov.patch



Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:34 2024 UTC (8 months, 2 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

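--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
 ssl_conf = ssl_module
 
-# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
 
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect]
-# activate = 1
+[provider_sect]
+default = default_sect
+##legacy = legacy_sect
+##
+[default_sect]
+activate = 1
+
+##[legacy_sect]
+##activate = 1
 
 [ ssl_module ]
 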
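Review bot: The new comment block above `[provider_sect]` drops the old warning that the default provider is no longer loaded implicitly once any provider is activated explicitly, so a later edit that removes `activate = 1` from `[default_sect]` while enabling legacy would leave applications without the default provider. I would keep a one-line reminder above `[default_sect]`, for example `# Keep this activated: once providers are listed explicitly, the default provider is not loaded implicitly.` The block also does not say that uncommenting the `##` lines makes the weak algorithms available to every application that reads this openssl.cnf; a line such as `# This affects every application using this file; prefer a separate config selected via OPENSSL_CONF for the one tool that needs legacy algorithms.` would make that scope explicit. The bare `##` line after `##legacy = legacy_sect` turns into an empty line when uncommented and can be dropped.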
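--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
 All parameters in the section as well as sub-sections are made
 available to the provider.
 
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
 =head3 Default provider and its activation
 
 If no providers are activated explicitly, the default one is activated implicitly.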
