On Wed, 2021-02-24 at 19:59 -0200, Viktor Dukhovni wrote: > Is there an open pull request for this?
No there isn't yet, but Rich Salz was working on deprecation of this and he is willing to change the PR to do removal instead. > > On Feb 23, 2021, at 8:21 AM, Tomas Mraz <[email protected]> wrote: > > > > topic: The RSA_SSLV23_PADDING and related functions should be > > completely removed from OpenSSL 3.0 code. > > > > comment: The padding mode and the related functions (which are > > already > > deprecated in the current master branch) is useless outside of > > SSLv2 > > support. We do not support SSLv2 and we do not expect anybody using > > OpenSSL 3.0 to try to support SSLv2 by calling those functions. > > I am inclined to vote yes on general grounds, but my concern is > whether > this might then cause some downstream consumers of OpenSSL to fail to > compile (things like Python bindings to OpenSSL, Net::SSLeay, ...) > > It may be prudent to leave some stub functions in place that just > return errors, if they're currently exposed in various tools, and > likely unused, but would still cause some pain to the downstream > API maintainers if entirely removed. > > Are there any such functions exposed by popular toolkits? I did not do any serious research but I know that M2Crypto provides such bindings. So there definitely are cases where the various bindings implementations will have to be adjusted. I do not see that as a reason to block the removal as the bindings really will have to be adjusted for 3.0 for other reasons anyway. We do not promise 100% API compatibility with 1.1.1. Also in case of the M2Crypto bindings they will already fail with 1.1.1 because they tested for the incorrect behavior that was fixed by the recent related CVE fix. Tomas
