| 1 |
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf |
| 2 |
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 |
| 3 |
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 |
| 4 |
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 |
| 5 |
tsa_policy2 = 1.2.3.4.5.6 |
| 6 |
tsa_policy3 = 1.2.3.4.5.7 |
| 7 |
|
| 8 |
-# For FIPS |
| 9 |
-# Optionally include a file that is generated by the OpenSSL fipsinstall |
| 10 |
-# application. This file contains configuration data required by the OpenSSL |
| 11 |
-# fips provider. It contains a named section e.g. [fips_sect] which is |
| 12 |
-# referenced from the [provider_sect] below. |
| 13 |
-# Refer to the OpenSSL security policy for more information. |
| 14 |
-# .include fipsmodule.cnf |
| 15 |
- |
| 16 |
[openssl_init] |
| 17 |
providers = provider_sect |
| 18 |
# Load default TLS policy configuration |
| 19 |
ssl_conf = ssl_module |
| 20 |
|
| 21 |
-# List of providers to load |
| 22 |
-[provider_sect] |
| 23 |
-default = default_sect |
| 24 |
-# The fips section name should match the section name inside the |
| 25 |
-# included fipsmodule.cnf. |
| 26 |
-# fips = fips_sect |
| 27 |
+# Uncomment the sections that start with ## below to enable the legacy provider. |
| 28 |
+# Loading the legacy provider enables support for the following algorithms: |
| 29 |
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 |
| 30 |
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED |
| 31 |
+# Key Derivation Function (KDF): PBKDF1 |
| 32 |
+# In general it is not recommended to use the above mentioned algorithms for |
| 33 |
+# security critical operations, as they are cryptographically weak or vulnerable |
| 34 |
+# to side-channel attacks and as such have been deprecated. |
| 35 |
|
| 36 |
-# If no providers are activated explicitly, the default one is activated implicitly. |
| 37 |
-# See man 7 OSSL_PROVIDER-default for more details. |
| 38 |
-# |
| 39 |
-# If you add a section explicitly activating any other provider(s), you most |
| 40 |
-# probably need to explicitly activate the default provider, otherwise it |
| 41 |
-# becomes unavailable in openssl. As a consequence applications depending on |
| 42 |
-# OpenSSL may not work correctly which could lead to significant system |
| 43 |
-# problems including inability to remotely access the system. |
| 44 |
-[default_sect] |
| 45 |
-# activate = 1 |
| 46 |
+[provider_sect] |
| 47 |
+default = default_sect |
| 48 |
+##legacy = legacy_sect |
| 49 |
+## |
| 50 |
+[default_sect] |
| 51 |
+activate = 1 |
| 52 |
+ |
| 53 |
+##[legacy_sect] |
| 54 |
+##activate = 1 |
| 55 |
|
| 56 |
[ ssl_module ] |
| 57 |
|
| 58 |
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod |
| 59 |
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 |
| 60 |
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 |
| 61 |
@@ -273,6 +273,14 @@ significant. |
| 62 |
All parameters in the section as well as sub-sections are made |
| 63 |
available to the provider. |
| 64 |
|
| 65 |
+=head3 Loading the legacy provider |
| 66 |
+ |
| 67 |
+Uncomment the sections that start with ## in openssl.cnf |
| 68 |
+to enable the legacy provider. |
| 69 |
+Note: In general it is not recommended to use the above mentioned algorithms for |
| 70 |
+security critical operations, as they are cryptographically weak or vulnerable |
| 71 |
+to side-channel attacks and as such have been deprecated. |
| 72 |
+ |
| 73 |
=head3 Default provider and its activation |
| 74 |
|
| 75 |
If no providers are activated explicitly, the default one is activated implicitly. |
Parent Directory
| 
Revision Log
| 
Revision Graph
