OpenSSL mission vs legacy systems

As I state in the original post I do understand that we can’t pull the plug tomorrow but I’m looking for the strategy to support the mission.

I gather from this discussion that: yes we do care and have the legacy provider that supports some segregation and compile time configs that supports another type of segregation.

Now what I am missing is perhaps an overview over what and how to understand which decisions have been made and which have not been made. This relates very much to Jon’s comment about transition plans and education.

Would it be worthwhile to have some sort of documentation about this? I can prepare something which could serve as a starting point.

A policy that spells out under what conditions algorithms will move from the default / fips providers to the legacy provider would probably be a good step forward in this regard.

I agree that we should move forward with raising the floor, but I'd advocate for doing this through configuration (and then updating the default config) over hardcoding something. Doing this via configuration

• allows tightening these settings without updating to a newer OpenSSL version, e.g., in response to new research on cryptographic algorithms

• provides a path for users that just need to interact with some legacy hardware that doesn't support anything newer, and therefore a path out of "OpenSSL is just broken, guess I won't update"

• matches what OpenSSL does for the TLS stack, where this is configurable, e.g. using the `ciphers` and `cipersuites` settings and `SECLEVEL`

• allows distributions to ship with the settings that work for them depending on their release cycle (e.g., Fedora with a release every 6 months probably wants a different default config from RHEL, which doesn't want to break compatibility and needs to live with a config for 10 years)

I did make an initial attempt quite a while ago in https://github.com/openssl/openssl/pull/19084, but it seems we couldn't agree whether this should go into provides or core, and I didn't have the time to keep pushing on this. Maybe we should re-visit this, and also expand the scope (hello scope creep!) a bit to not only cover digests used in signatures?

So how about those atomics for some reason?

https://github.com/openssl/technical-policies/pull/118

For anyone who is interested: I’ve prepared a policy for dealing with removal. I don’t know if I was able to cover all the bits from this discussion so please feel free to leave a review.

A belated comment on Viktor's observation that security improves by "raising the ceiling, rather than the floor" based on a situation I ran into last week, in some cases the floor is made of poured concrete and will never be raised. EAP-PEAP/TLS/TTLS uses as it's de facto standard shared-secret auth MSCHAPv2, which needs MD4 and (single) DES, and it's not going away... probably ever. And this isn't on ancient legacy systems, it's on stuff shipping right now running on the latest hardware and software (kinda odd seeing an ML-KEM-initiated tunnel being used to carry MD4 hashes). So you need to at least have the ability to re-enable some of this cruft even if it's, well, cruft.