OpenSSL Communities
Mon 2 Jun 2025 1:50PM

API Deprecation Announcement for OpenSSL4.0

Jeff Johnson

I wasn't at ICMC this year, but I have heard that previously deprecated APIs were being removed (especially the engine support) and this change would be in OpenSSL4.0 next spring? Is this accurate? If so, is there a formal announcement or blog post or ?? Hoping to avoid a train wreck if you know what I mean :). If I missed the announcement or blog I apologize but I didn't find an official "gone in OpenSSL 4.0" type of announcement. Thanks.

Dmitry Belyavsky Tue 3 Jun 2025 10:14AM

I strongly support the idea of having this announcement.

I think we can deprecate ENGINE API as a whole: OpenSSL has intentionally deprecated it, and various forks have dropped it.

Jon Ericson Wed 4 Jun 2025 3:35PM

From discussions earlier this year between the Foundation and Corporation, I believe we are all on the same page about Engine support and 4.0 would be an ideal time to remove that API. As far as I know, the GOST engine would be the only casualty and there is time to convert it to a provider if there is interest.

Announcing the change as early as possible is a great idea. I'll raise it internally.

Jeff Johnson Thu 5 Jun 2025 2:33PM

Thanks Jon! I think that's great and appreciate it very much. If other deprecated APIs are being removed (not just engines) could we mention that as well? Thanks for your consideration and help.

Tomas Mraz Thu 5 Jun 2025 3:31PM

As for possibilities for removals - basically anything that is deprecated in 3.5 can be removed in 4.0. However we do NOT have to remove everything. Here are some possible subsets:

  • only ENGINE API (except for the ENGINE opaque type) - this does not bring much in terms of simplification of the code base. However we can at least not care about any breakage of engines in 4.0

  • above + all EVP_PKEY_METH related stuff - this fairly simplifies EVP_PKEY handling code

  • above + all EVP*_METH related stuff - simplification also for EVP_CIPHER and EVP_MD handling

  • above + EVP_PKEY_ASN1 method stuff - this would require an exception as we are going to deprecate it in 3.6, so technically we would be breaking our policy if we removed it in 4.0; however, this would get rid of almost all legacy handling in EVP

  • above + RSA/EC/DSA/DH low level types and related functions - probably too radical for 4.0 although it would further simplify things

  • symmetric low level types and functions - this is again probably too radical for 4.0 and would not bring much benefit apart from cleaning up our public API. Maybe we could remove just some particularly nasty and insecure crypto functions such as single DES low-level support or similar.

We would like to know opinions of the communities on the above.
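To gauge which of the subsets listed above would affect a given C code base, a rough triage scan can map called symbols to each subset. This is an added example, not part of the thread and not OpenSSL tooling; the tier labels, the symbol-prefix patterns (approximations, not an official removal list) and the sample source are assumptions constructed for illustration.

```python
import re

# Prefix patterns approximating each subset in the list above (assumed for
# triage only; check real builds with the OpenSSL deprecation warnings).
TIERS = [
    ("1: ENGINE API", r"ENGINE_\w+"),
    ("2: EVP_PKEY_METH", r"EVP_PKEY_meth_\w+"),
    ("3: EVP_CIPHER/EVP_MD METH", r"EVP_(?:CIPHER|MD)_meth_\w+"),
    ("4: EVP_PKEY_ASN1 methods", r"EVP_PKEY_asn1_\w+"),
    ("5: RSA/EC/DSA/DH low level", r"(?:RSA|EC_KEY|DSA|DH)_\w+"),
    ("6: symmetric low level", r"(?:DES|AES)_\w+"),
]
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def scan(source):
    """Return {tier label: sorted called symbols} for one C source text."""
    code = COMMENT.sub(" ", source)  # ignore mentions inside comments
    hits = {}
    for label, pat in TIERS:
        # Only function calls count: uses of the opaque ENGINE type or of
        # names like EVP_PKEY_get1_RSA are deliberately not matched.
        found = set(re.findall(r"\b(" + pat + r")\s*\(", code))
        if found:
            hits[label] = sorted(found)
    return hits

def smallest_breaking_subset(hits):
    """Number of the first list item whose removal would break the code."""
    tiers = sorted(int(label[0]) for label in hits)
    return tiers[0] if tiers else None

# Constructed sample input, not taken from any real project.
SAMPLE = r'''
#include <openssl/engine.h>
/* ENGINE_cleanup() was dropped from this file long ago */
static EVP_PKEY *load_key(const char *id) {
    ENGINE *e = ENGINE_by_id("pkcs11");
    if (e == NULL || !ENGINE_init(e)) return NULL;
    EVP_PKEY *k = ENGINE_load_private_key(e, id, NULL, NULL);
    RSA *rsa = EVP_PKEY_get1_RSA(k);
    printf("%d\n", RSA_size(rsa));
    RSA_free(rsa);
    return k;
}
'''

if __name__ == "__main__":
    for label, symbols in scan(SAMPLE).items():
        print(label, symbols)
```

The scan does not parse string literals or macros, so treat its output as a starting list to confirm against a build with deprecation warnings enabled.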

Dmitry Belyavsky Fri 6 Jun 2025 9:44AM

I would say it makes sense to check what API has already been removed from OpenSSL forks. I'm pretty sure the 1st 4 points from Tomas's list are subject to removal.