|
 |
2871ff |
diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf
|
|
|
2871ff |
--- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200
|
|
|
2871ff |
+++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200
|
|
|
2871ff |
@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1
|
|
|
2871ff |
tsa_policy2 = 1.2.3.4.5.6
|
|
|
2871ff |
tsa_policy3 = 1.2.3.4.5.7
|
|
|
2871ff |
|
|
|
2871ff |
-# For FIPS
|
|
|
2871ff |
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
|
|
2871ff |
-# application. This file contains configuration data required by the OpenSSL
|
|
|
2871ff |
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
|
|
2871ff |
-# referenced from the [provider_sect] below.
|
|
|
2871ff |
-# Refer to the OpenSSL security policy for more information.
|
|
|
2871ff |
-# .include fipsmodule.cnf
|
|
|
2871ff |
-
|
|
|
2871ff |
[openssl_init]
|
|
|
2871ff |
providers = provider_sect
|
|
|
2871ff |
# Load default TLS policy configuration
|
|
|
2871ff |
ssl_conf = ssl_module
|
|
|
2871ff |
|
|
|
2871ff |
-# List of providers to load
|
|
|
2871ff |
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
|
|
2871ff |
+# Loading the legacy provider enables support for the following algorithms:
|
|
|
2871ff |
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
|
|
2871ff |
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
|
|
2871ff |
+# Key Derivation Function (KDF): PBKDF1
|
|
|
2871ff |
+# In general it is not recommended to use the above mentioned algorithms for
|
|
|
2871ff |
+# security critical operations, as they are cryptographically weak or vulnerable
|
|
|
2871ff |
+# to side-channel attacks and as such have been deprecated.
|
|
|
2871ff |
+
|
|
|
2871ff |
[provider_sect]
|
|
|
2871ff |
-default = default_sect
|
|
|
2871ff |
-# The fips section name should match the section name inside the
|
|
|
2871ff |
-# included fipsmodule.cnf.
|
|
|
2871ff |
-# fips = fips_sect
|
|
|
2871ff |
-
|
|
|
2871ff |
-[default_sect]
|
|
|
2871ff |
-# activate = 1
|
|
|
2871ff |
+##default = default_sect
|
|
|
2871ff |
+##legacy = legacy_sect
|
|
|
2871ff |
+##
|
|
|
2871ff |
+##[default_sect]
|
|
|
2871ff |
+##activate = 1
|
|
|
2871ff |
+##
|
|
|
2871ff |
+##[legacy_sect]
|
|
|
2871ff |
+##activate = 1
|
|
|
2871ff |
|
|
|
2871ff |
[ ssl_module ]
|
|
|
2871ff |
|
|
|
2871ff |
diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod
|
|
|
2871ff |
--- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200
|
|
|
2871ff |
+++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200
|
|
|
2871ff |
@@ -269,6 +269,14 @@ significant.
|
|
|
2871ff |
All parameters in the section as well as sub-sections are made
|
|
|
2871ff |
available to the provider.
|
|
|
2871ff |
|
|
|
2871ff |
+=head3 Loading the legacy provider
|
|
|
2871ff |
+
|
|
|
2871ff |
+Uncomment the sections that start with ## in openssl.cnf
|
|
|
2871ff |
+to enable the legacy provider.
|
|
|
2871ff |
+Note: In general it is not recommended to use the above mentioned algorithms for
|
|
|
2871ff |
+security critical operations, as they are cryptographically weak or vulnerable
|
|
|
2871ff |
+to side-channel attacks and as such have been deprecated.
|
|
|
2871ff |
+
|
|
|
2871ff |
=head2 EVP Configuration
|
|
|
2871ff |
|
|
|
2871ff |
The name B<alg_section> in the initialization section names the section
|