openssl/openssl

Please design default-less build of libcrypto

Open

#28,778 opened on 2025年10月8日

GitHub で見る
 (2 comments) (0 reactions) (0 assignees)C (11,262 forks)batch import
help wantedtriaged: feature

Repository metrics

Stars
 (30,157 stars)
PR merge metrics
 (30d に merged PR はありません)

説明

When there is no intent to use default provider, presence of default provider is harmful. Harmful because libcrypto size is significant, and it can be accidently used as a fallback.

This is true when using OpenSSL originated providers, as well as foreign.

Examples:

  • openssl base + openssl FIPS provider
  • just symcrypt provider
  • just wolfcrypt provider
  • openssl base + (distro / consultancy) FIPS provider

In all of these cases it would help if default provider was default.so, or ability to build libcrypto without default provider at all.

A concrete example of such implementation is Ubuntu FIPS builds that remove loading default provider by default.

コントリビューターガイド