Re: [RFC PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL 3 "engine" support

On Tue, 2022-08-30 at 23:52 +0300, Vitaly Chikunov wrote:

> > > Also engine could be loaded via openssl.cnf/OPENSSL_CONF, in that case
> > > --engine option is not needed but engine is still there to use/test.
> > 
> > Thank you for reminding me that engine support based on the OpenSSL
> > configuration also needs to be deprecated.
> 
> I'm curious - how would you deprecate that? As this should be
> transparent to the libcrypto clients - new functionality and algorithms
> just appear.

I'm referring to commit 782224f33cd7 ("ima-evm-utils: Rework openssl
init"), which introduced "--disable-openssl-conf".

>  
> > > GOST tests try to handle absence of algorithms (can work w/o --engine
> > > option if configured via openssl config) and skip gracefully.
> > > Perhaps this check should be moved below them just for pkcs11 tests
> > > if they are so sensitive.
> > 
> > Does OpenSSL v3 differentiate how engines are configured?  I assume
> > when engine support is removed, all of it will be removed.
> 
> Perhaps. But providers are configured similarly via config - there are
> config examples for some gost-engine Perl tests:
>   as engine https://github.com/gost-engine/engine/blob/master/test/engine.cnf
>   as provider https://github.com/gost-engine/engine/blob/master/test/provider.cnf

Ok.  Thank you for the reference.

Mimi



