diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf

--- openssl-3.0.0/apps/openssl.cnf.legacy-prov	2021-09-09 12:06:40.895793297 +0200

+++ openssl-3.0.0/apps/openssl.cnf	2021-09-09 12:12:33.947482500 +0200

@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1

 tsa_policy2 = 1.2.3.4.5.6

 tsa_policy3 = 1.2.3.4.5.7

-# For FIPS

-# Optionally include a file that is generated by the OpenSSL fipsinstall

-# application. This file contains configuration data required by the OpenSSL

-# fips provider. It contains a named section e.g. [fips_sect] which is

-# referenced from the [provider_sect] below.

-# Refer to the OpenSSL security policy for more information.

-# .include fipsmodule.cnf

-

 [openssl_init]

 providers = provider_sect

 # Load default TLS policy configuration

 ssl_conf = ssl_module

-# List of providers to load

-[provider_sect]

-default = default_sect

-# The fips section name should match the section name inside the

-# included fipsmodule.cnf.

-# fips = fips_sect

+# Uncomment the sections that start with ## below to enable the legacy provider.

+# Loading the legacy provider enables support for the following algorithms:

+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED

+# Key Derivation Function (KDF): PBKDF1

+# In general it is not recommended to use the above mentioned algorithms for

+# security critical operations, as they are cryptographically weak or vulnerable

+# to side-channel attacks and as such have been deprecated.

-# If no providers are activated explicitly, the default one is activated implicitly.

-# See man 7 OSSL_PROVIDER-default for more details.

-#

-# If you add a section explicitly activating any other provider(s), you most

-# probably need to explicitly activate the default provider, otherwise it

-# becomes unavailable in openssl.  As a consequence applications depending on

-# OpenSSL may not work correctly which could lead to significant system

-# problems including inability to remotely access the system.

-[default_sect]

-# activate = 1

+[provider_sect]

+default = default_sect

+##legacy = legacy_sect

+##

+[default_sect]

+activate = 1

+

+##[legacy_sect]

+##activate = 1

 [ ssl_module ]

diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod

--- openssl-3.0.0/doc/man5/config.pod.legacy-prov	2021-09-09 12:09:38.079040853 +0200

+++ openssl-3.0.0/doc/man5/config.pod	2021-09-09 12:11:56.646224876 +0200

@@ -273,6 +273,14 @@ significant.

 All parameters in the section as well as sub-sections are made

 available to the provider.

+=head3 Loading the legacy provider

+

+Uncomment the sections that start with ## in openssl.cnf

+to enable the legacy provider.

+Note: In general it is not recommended to use the above mentioned algorithms for

+security critical operations, as they are cryptographically weak or vulnerable

+to side-channel attacks and as such have been deprecated.

+

 =head3 Default provider and its activation

 If no providers are activated explicitly, the default one is activated implicitly.