On Mon, Sep 20, 2021 at 2:19 PM, Eric Biggers wrote: > Aleksander: there still shouldn't be any compiler warnings. In my test script > (scripts/run-tests.sh) I actually use -Werror. If there isn't a good way to > avoid these deprecation warnings (and I'd prefer not to have code that's > conditional on different OpenSSL versions), we can just add > -Wno-deprecated-declarations to the Makefile for now. I think -Wno-deprecated-declarations is the best option for now. I took a few looks around and the community isn't ready for OpenSSL 3.0 just yet with PKCS#11 support. The release happened just 2 weeks ago. Projects like libp11 (https://github.com/OpenSC/libp11), the PKCS#11 engine implementation for OpenSSL, haven't yet caught up to that fact - there's no trace of discussion about migrating to the Providers API anywhere on their mailing lists or issue tracker. The official OpenSSL release does not come with a PKCS#11 provider, and it only acknowledges a potential future existence of such in a single sentence in their design doc (https://www.openssl.org/docs/OpenSSL300Design.html): "For example a PKCS#11 provider may opt out of caching because its algorithms may become available and unavailable over time." Since this is a completely new, redesigned API, I expect it to take some time before alternatives to existing Engine-based implementations arise.
|