Separating provider folders for major OpenSSL releases
Currently openssl doesn't have any version indicator in the MODULEDIR variable which defines the path to the provider folder.
In future I foresee that many distributions (at least LTS versions) will have to provide several versions of openssl simultaneously. As all of them will support providers, it makes sense to separate the folders for various versions.
Despite providers have a well-defined ABIs, it's not clear whether it would be safe to use non-self-contatined providers built against a particular version of libcrypto against the different version of openssl (e.g. because of atexit()-handler etc). Separating the provider folder per version resolves this potential problem.
https://github.com/openssl/openssl/pull/29759 is the PR purposed to solve this issue
Is it useful to have separate provider folders per major openssl version starting from OpenSSL 4.0?
poll by Dmitry Belyavsky Closing Mon 9 Feb 2026 2:00PM
Choose the option(s) you favor.
Current results
| Current results | Option | % of points | Voters | |||
|---|---|---|---|---|---|---|
|
|
Yes | 100 | 5 |
|
||
| No | 0 | 0 | ||||
| Undecided | 24 |
|
5 of 29 votes cast (17% participation)
Simo Sorce Mon 26 Jan 2026 2:51PM
I have a provider that explicitly compiles against libcrypto, loading a v3 provider in OpenSSL v4 would bring libcrypto v3 in the process, and the provider would assume v3 ABI ... we definitely want to separate and have the provider always compile against the right version to avoid undebuggable issues. Providers that are fully self confined can be symlinked in multiple directories.
Dmitry Belyavsky · Mon 26 Jan 2026 4:50PM
See also this link, looks like it's not that simple even with FIPS providers
https://openssl-communities.org/d/uciOsYGh/separating-provider-folders-for-major-openssl-releases/4