On Mon, Jul 15, 2019 at 02:58:42PM +0200, Tomas Mraz wrote: > Wouldn't it be better to make the legacy provider opt-out? I.E. require > explicit configuration or explicit API call to not load the legacy > provider.
I'm not even sure why they need to move to a different provider (at this time). Instead I think we should have a mechanism to enable/disable the individual algorithms, and still have everything in the default provider, possibly disabled by default. At some point in the future we could remove the code from OpenSSL, and move it to different repository that only contains such legacy code that we no longer ship as part of OpenSSL. Kurt
