Lines Matching +full:3 +full:- +full:4

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OSSL-GUIDE-MIGRATION 7ossl"
58 .TH OSSL-GUIDE-MIGRATION 7ossl 2025-09-30 3.5.4 OpenSSL
64 ossl\-guide\-migration, migration_guide
65 \&\- OpenSSL Guide: Migrating from older OpenSSL versions
80 The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms,
83 .IP "Triple DES ECB" 4
86 .IP "Triple DES CBC" 4
88 .IP EdDSA 4
113 licenses <https://www.openssl.org/source/license-openssl-ssleay.txt>
115 Apache License v2 <https://www.openssl.org/source/apache-license-2.0.txt>.
133 at configuration time using the \f(CW\*(C`enable\-fips\*(C'\fR option. If it is enabled,
142 the application should verify the result of the \fBEVP_EncryptInit\fR\|(3),
143 \&\fBEVP_EncryptInit_ex\fR\|(3), and \fBEVP_DigestInit\fR\|(3) functions. In case when
158 For example, the EVP APIs provide the functions \fBEVP_EncryptInit_ex\fR\|(3),
159 \&\fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_EncryptFinal\fR\|(3) to perform symmetric
160 encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc.
162 to call AES specific functions such as \fBAES_set_encrypt_key\fR\|(3),
163 \&\fBAES_encrypt\fR\|(3), and so on. The functions for 3DES are different.
182 See \fBOSSL_PROVIDER\-legacy\fR\|(7) for a complete list of algorithms.
194 modifies custom "METHODS" (for example \fBEVP_MD_meth_new\fR\|(3),
195 \&\fBEVP_CIPHER_meth_new\fR\|(3), \fBEVP_PKEY_meth_new\fR\|(3), \fBRSA_meth_new\fR\|(3),
196 \&\fBEC_KEY_METHOD_new\fR\|(3), etc.). These functions are being deprecated in
212 Engine-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation.
213 In this case the \fBEVP_PKEY\fR objects created via \fBENGINE_load_private_key\fR\|(3)
217 To prefer the provider-based hardware offload, you can specify the default
220 Setting engine-based or application-based default low-level crypto method such
222 default provider will use the engine-based implementation for the crypto
224 \&\fBPEM_\fR or \fBd2i_\fR APIs will be provider-based. To create a fully legacy
225 \&\fBEVP_PKEY\fRs \fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_EC_KEY\fR\|(3) or similar
243 For more information, see \fBOpenSSL_version\fR\|(3).
252 See \fBopenssl\-cmp\fR\|(1) and \fBOSSL_CMP_exec_certreq\fR\|(3) as starting points.
258 ASN.1\-encoded contents, proxies, and timeouts.
265 Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object
270 All new applications should use the new \fBEVP_KDF\fR\|(3) interface.
271 See also "Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-default\fR\|(7) and
272 "Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-FIPS\fR\|(7).
281 \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
283 All new applications should use the new \fBEVP_MAC\fR\|(3) interface.
284 See also "Message Authentication Code (MAC)" in \fBOSSL_PROVIDER\-default\fR\|(7)
285 and "Message Authentication Code (MAC)" in \fBOSSL_PROVIDER\-FIPS\fR\|(7).
301 \&\f(CW\*(C`enable\-ktls\*(C'\fR configuration option. It must also be enabled at run time using
306 .IP \(bu 4
309 See \fBEVP_KDF\-SS\fR\|(7) and \fBEVP_KDF\-SSHKDF\fR\|(7)
310 .IP \(bu 4
313 See \fBEVP_MAC\-GMAC\fR\|(7) and \fBEVP_MAC\-KMAC\fR\|(7).
314 .IP \(bu 4
317 See \fBEVP_KEM\-RSA\fR\|(7).
318 .IP \(bu 4
319 Cipher Algorithm "AES-SIV"
321 See "SIV Mode" in \fBEVP_EncryptInit\fR\|(3).
322 .IP \(bu 4
326 unwrapping. The algorithms are: "AES\-128\-WRAP\-INV", "AES\-192\-WRAP\-INV",
327 "AES\-256\-WRAP\-INV", "AES\-128\-WRAP\-PAD\-INV", "AES\-192\-WRAP\-PAD\-INV" and
328 "AES\-256\-WRAP\-PAD\-INV".
329 .IP \(bu 4
332 The algorithms are "AES\-128\-CBC\-CTS", "AES\-192\-CBC\-CTS", "AES\-256\-CBC\-CTS",
333 "CAMELLIA\-128\-CBC\-CTS", "CAMELLIA\-192\-CBC\-CTS" and "CAMELLIA\-256\-CBC\-CTS".
338 .IP \(bu 4
339 Added CAdES-BES signature verification support.
340 .IP \(bu 4
341 Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
342 .IP \(bu 4
345 This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
348 .IP \(bu 4
349 \&\fBPKCS7_get_octet_string\fR\|(3) and \fBPKCS7_type_is_other\fR\|(3) were made public.
357 with the password-based encryption iteration count. The default digest
358 algorithm for the MAC computation was changed to SHA\-256. The pkcs12
359 application now supports the \-legacy option that restores the previous
366 \&\fBPKCS12_add_key_ex\fR\|(3), \fBPKCS12_add_safe_ex\fR\|(3), \fBPKCS12_add_safes_ex\fR\|(3),
367 \&\fBPKCS12_create_ex\fR\|(3), \fBPKCS12_decrypt_skey_ex\fR\|(3), \fBPKCS12_init_ex\fR\|(3),
368 \&\fBPKCS12_item_decrypt_d2i_ex\fR\|(3), \fBPKCS12_item_i2d_encrypt_ex\fR\|(3),
369 \&\fBPKCS12_key_gen_asc_ex\fR\|(3), \fBPKCS12_key_gen_uni_ex\fR\|(3), \fBPKCS12_key_gen_utf8_ex\fR\…
370 \&\fBPKCS12_pack_p7encdata_ex\fR\|(3), \fBPKCS12_pbe_crypt_ex\fR\|(3), \fBPKCS12_PBE_keyivgen_ex\fR…
371 \&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt_ex\fR\|(3), \fBPKCS5_pbe2_set_iv_ex\fR\|(3),
372 \&\fBPKCS5_pbe_set0_algor_ex\fR\|(3), \fBPKCS5_pbe_set_ex\fR\|(3), \fBPKCS5_pbkdf2_set_ex\fR\|(3),
373 \&\fBPKCS5_v2_PBE_keyivgen_ex\fR\|(3), \fBPKCS5_v2_scrypt_keyivgen_ex\fR\|(3),
374 \&\fBPKCS8_decrypt_ex\fR\|(3), \fBPKCS8_encrypt_ex\fR\|(3), \fBPKCS8_set0_pbe_ex\fR\|(3).
379 \&\fBEVP_PBE_CipherInit_ex\fR\|(3), \fBEVP_PBE_find_ex\fR\|(3) and \fBEVP_PBE_scrypt_ex\fR\|(3).
388 See \fBEVP_KDF\-PKCS12KDF\fR\|(7), \fBPKCS12_create\fR\|(3), \fBopenssl\-pkcs12\fR\|(1),
389 \&\fBOSSL_PROVIDER\-FIPS\fR\|(7).
403 configured with the \f(CW\*(C`enable\-trace\*(C'\fR option.
407 categories. See \fBOSSL_trace_enabled\fR\|(3).
412 \&\fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_param_check\fR\|(3) now work for
414 Previously (in 1.1.1) they would return \-2. For key types that do not have
415 parameters \fBEVP_PKEY_param_check\fR\|(3) will always return 1.
428 The type-safe wrappers are declared everywhere and implemented once.
429 See \fBDEFINE_STACK_OF\fR\|(3) and \fBDEFINE_LHASH_OF_EX\fR\|(3).
434 The new \fBEVP_RAND\fR\|(3) is a partial replacement: the DRBG callback framework is
443 \&\fBEVP_default_properties_is_fips_enabled\fR\|(3) and
444 \&\fBEVP_default_properties_enable_fips\fR\|(3).
449 The Miller-Rabin test now uses 64 rounds, which is used for all prime generation,
452 The default key generation method for the regular 2\-prime RSA keys was changed
453 to the FIPS186\-4 B.3.6 method (Generation of Probable Primes with Conditions
457 Change PBKDF2 to conform to SP800\-132 instead of the older PKCS5 RFC2898
458 .IX Subsection "Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898"
466 \&\fBEVP_KDF\-PBKDF2\fR\|(7). The parameter can be set using \fBEVP_KDF_derive\fR\|(3).
491 In particular, a private scalar \fIk\fR outside the range \fI1 <= k < n\-1\fR is
504 Functions such as \fBEVP_PKEY_get0_RSA\fR\|(3) behave slightly differently in
505 OpenSSL 3.0. Previously they returned a pointer to the low-level key used
509 example using a function or macro such as \fBEVP_PKEY_assign_RSA\fR\|(3),
510 \&\fBEVP_PKEY_set1_RSA\fR\|(3), etc.
518 treated as read-only. To emphasise this the value returned from
519 \&\fBEVP_PKEY_get0_RSA\fR\|(3), \fBEVP_PKEY_get0_DSA\fR\|(3), \fBEVP_PKEY_get0_EC_KEY\fR\|(3) and
520 \&\fBEVP_PKEY_get0_DH\fR\|(3) have been made const. This may break some existing code.
524 The \fBEVP_PKEY_get1_RSA\fR\|(3), \fBEVP_PKEY_get1_DSA\fR\|(3), \fBEVP_PKEY_get1_EC_KEY\fR\|(3)
525 and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non-const pointer to
526 enable them to be "freed". However they should also be treated as read-only.
531 This may result in an error in \fBEVP_PKEY_derive_set_peer\fR\|(3) rather than
532 during \fBEVP_PKEY_derive\fR\|(3).
538 The output from numerous "printing" functions such as \fBX509_signature_print\fR\|(3),
539 \&\fBX509_print_ex\fR\|(3), \fBX509_CRL_print_ex\fR\|(3), and other similar functions has been
541 observed in 1.1.1 and 3.0. This also applies to the \fB\-text\fR output from the
552 One significant change is that controls which used to return \-2 for
553 invalid inputs, now return \-1 indicating a generic error condition instead.
559 result in errors. See \fBEVP_PKEY\-DH\fR\|(7) for further details. This affects the
560 behaviour of \fBopenssl\-genpkey\fR\|(1) for DH parameter generation.
567 See "FLAGS" in \fBEVP_EncryptInit\fR\|(3) for more information.
588 ChaCha20\-Poly1305 cipher does not allow a truncated IV length to be used
589 .IX Subsection "ChaCha20-Poly1305 cipher does not allow a truncated IV length to be used"
607 application. If this happens you have 3 options:
608 .IP 1. 4
610 .IP 2. 4
612 .IP 3. 4
622 Password-protected keys may deserve special attention. If only some errors
632 .IP 1. 4
638 .IP 2. 4
667 .IP 3. 4
668 Support for TLSv1.3 has been added.
671 TLS1.3 page <https://github.com/openssl/openssl/wiki/TLS1.3> for further details.
688 See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details.
693 README-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file.
710 If the user creates an \fBOSSL_LIB_CTX\fR via \fBOSSL_LIB_CTX_new\fR\|(3) then many
714 Using a Library Context \- Old functions that should be changed
715 .IX Subsection "Using a Library Context - Old functions that should be changed"
719 \&\fBEVP_MD_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
723 \&\fBEVP_CIPHER_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
726 context such as \fBd2i_X509\fR\|(3), \fBd2i_X509_CRL\fR\|(3), \fBd2i_X509_REQ\fR\|(3) and
727 \&\fBd2i_X509_PUBKEY\fR\|(3). If NULL is passed instead then the created object will be
728 set up with the default library context. Use \fBX509_new_ex\fR\|(3),
729 \&\fBX509_CRL_new_ex\fR\|(3), \fBX509_REQ_new_ex\fR\|(3) and \fBX509_PUBKEY_new_ex\fR\|(3) if a
735 .IP \(bu 4
736 \&\fBASN1_item_new\fR\|(3), \fBASN1_item_d2i\fR\|(3), \fBASN1_item_d2i_fp\fR\|(3),
737 \&\fBASN1_item_d2i_bio\fR\|(3), \fBASN1_item_sign\fR\|(3) and \fBASN1_item_verify\fR\|(3)
738 .IP \(bu 4
739 \&\fBBIO_new\fR\|(3)
740 .IP \(bu 4
742 .IP \(bu 4
743 \&\fBBN_CTX_new\fR\|(3) and \fBBN_CTX_secure_new\fR\|(3)
744 .IP \(bu 4
745 \&\fBCMS_AuthEnvelopedData_create\fR\|(3), \fBCMS_ContentInfo_new\fR\|(3), \fBCMS_data_create\fR\|(
746 \&\fBCMS_digest_create\fR\|(3), \fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_encrypt\fR\|(3),
747 \&\fBCMS_EnvelopedData_create\fR\|(3), \fBCMS_ReceiptRequest_create0\fR\|(3) and \fBCMS_sign\fR\|(3)
748 .IP \(bu 4
749 \&\fBCONF_modules_load_file\fR\|(3)
750 .IP \(bu 4
751 \&\fBCTLOG_new\fR\|(3), \fBCTLOG_new_from_base64\fR\|(3) and \fBCTLOG_STORE_new\fR\|(3)
752 .IP \(bu 4
753 \&\fBCT_POLICY_EVAL_CTX_new\fR\|(3)
754 .IP \(bu 4
755 \&\fBd2i_AutoPrivateKey\fR\|(3), \fBd2i_PrivateKey\fR\|(3) and \fBd2i_PUBKEY\fR\|(3)
756 .IP \(bu 4
757 \&\fBd2i_PrivateKey_bio\fR\|(3) and \fBd2i_PrivateKey_fp\fR\|(3)
759 Use \fBd2i_PrivateKey_ex_bio\fR\|(3) and \fBd2i_PrivateKey_ex_fp\fR\|(3)
760 .IP \(bu 4
761 \&\fBEC_GROUP_new\fR\|(3)
763 Use \fBEC_GROUP_new_by_curve_name_ex\fR\|(3) or \fBEC_GROUP_new_from_params\fR\|(3).
764 .IP \(bu 4
765 \&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3)
766 .IP \(bu 4
767 \&\fBEVP_PBE_CipherInit\fR\|(3), \fBEVP_PBE_find\fR\|(3) and \fBEVP_PBE_scrypt\fR\|(3)
768 .IP \(bu 4
769 \&\fBPKCS5_PBE_keyivgen\fR\|(3)
770 .IP \(bu 4
771 \&\fBEVP_PKCS82PKEY\fR\|(3)
772 .IP \(bu 4
773 \&\fBEVP_PKEY_CTX_new_id\fR\|(3)
775 Use \fBEVP_PKEY_CTX_new_from_name\fR\|(3)
776 .IP \(bu 4
777 \&\fBEVP_PKEY_derive_set_peer\fR\|(3), \fBEVP_PKEY_new_raw_private_key\fR\|(3)
778 and \fBEVP_PKEY_new_raw_public_key\fR\|(3)
779 .IP \(bu 4
780 \&\fBEVP_SignFinal\fR\|(3) and \fBEVP_VerifyFinal\fR\|(3)
781 .IP \(bu 4
782 \&\fBNCONF_new\fR\|(3)
783 .IP \(bu 4
784 \&\fBOCSP_RESPID_match\fR\|(3) and \fBOCSP_RESPID_set_by_key\fR\|(3)
785 .IP \(bu 4
786 \&\fBOPENSSL_thread_stop\fR\|(3)
787 .IP \(bu 4
788 \&\fBOSSL_STORE_open\fR\|(3)
789 .IP \(bu 4
790 \&\fBPEM_read_bio_Parameters\fR\|(3), \fBPEM_read_bio_PrivateKey\fR\|(3), \fBPEM_read_bio_PUBKEY\fR…
791 \&\fBPEM_read_PrivateKey\fR\|(3) and \fBPEM_read_PUBKEY\fR\|(3)
792 .IP \(bu 4
793 \&\fBPEM_write_bio_PrivateKey\fR\|(3), \fBPEM_write_bio_PUBKEY\fR\|(3), \fBPEM_write_PrivateKey\fR\…
794 and \fBPEM_write_PUBKEY\fR\|(3)
795 .IP \(bu 4
796 \&\fBPEM_X509_INFO_read_bio\fR\|(3) and \fBPEM_X509_INFO_read\fR\|(3)
797 .IP \(bu 4
798 \&\fBPKCS12_add_key\fR\|(3), \fBPKCS12_add_safe\fR\|(3), \fBPKCS12_add_safes\fR\|(3),
799 \&\fBPKCS12_create\fR\|(3), \fBPKCS12_decrypt_skey\fR\|(3), \fBPKCS12_init\fR\|(3), \fBPKCS12_item_…
800 \&\fBPKCS12_item_i2d_encrypt\fR\|(3), \fBPKCS12_key_gen_asc\fR\|(3), \fBPKCS12_key_gen_uni\fR\|(3),
801 \&\fBPKCS12_key_gen_utf8\fR\|(3), \fBPKCS12_pack_p7encdata\fR\|(3), \fBPKCS12_pbe_crypt\fR\|(3),
802 \&\fBPKCS12_PBE_keyivgen\fR\|(3), \fBPKCS12_SAFEBAG_create_pkcs8_encrypt\fR\|(3)
803 .IP \(bu 4
804 \&\fBPKCS5_pbe_set0_algor\fR\|(3), \fBPKCS5_pbe_set\fR\|(3), \fBPKCS5_pbe2_set_iv\fR\|(3),
805 \&\fBPKCS5_pbkdf2_set\fR\|(3) and \fBPKCS5_v2_scrypt_keyivgen\fR\|(3)
806 .IP \(bu 4
807 \&\fBPKCS7_encrypt\fR\|(3), \fBPKCS7_new\fR\|(3) and \fBPKCS7_sign\fR\|(3)
808 .IP \(bu 4
809 \&\fBPKCS8_decrypt\fR\|(3), \fBPKCS8_encrypt\fR\|(3) and \fBPKCS8_set0_pbe\fR\|(3)
810 .IP \(bu 4
811 \&\fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3)
812 .IP \(bu 4
813 \&\fBSMIME_write_ASN1\fR\|(3)
814 .IP \(bu 4
815 \&\fBSSL_load_client_CA_file\fR\|(3)
816 .IP \(bu 4
817 \&\fBSSL_CTX_new\fR\|(3)
818 .IP \(bu 4
819 \&\fBTS_RESP_CTX_new\fR\|(3)
820 .IP \(bu 4
821 \&\fBX509_CRL_new\fR\|(3)
822 .IP \(bu 4
823 \&\fBX509_load_cert_crl_file\fR\|(3) and \fBX509_load_cert_file\fR\|(3)
824 .IP \(bu 4
825 \&\fBX509_LOOKUP_by_subject\fR\|(3) and \fBX509_LOOKUP_ctrl\fR\|(3)
826 .IP \(bu 4
827 \&\fBX509_NAME_hash\fR\|(3)
828 .IP \(bu 4
829 \&\fBX509_new\fR\|(3)
830 .IP \(bu 4
831 \&\fBX509_REQ_new\fR\|(3) and \fBX509_REQ_verify\fR\|(3)
832 .IP \(bu 4
833 \&\fBX509_STORE_CTX_new\fR\|(3), \fBX509_STORE_set_default_paths\fR\|(3), \fBX509_STORE_load_file\f…
834 \&\fBX509_STORE_load_locations\fR\|(3) and \fBX509_STORE_load_store\fR\|(3)
841 .IP \(bu 4
842 \&\fBBIO_new_from_core_bio\fR\|(3)
843 .IP \(bu 4
844 \&\fBEVP_ASYM_CIPHER_fetch\fR\|(3) and \fBEVP_ASYM_CIPHER_do_all_provided\fR\|(3)
845 .IP \(bu 4
846 \&\fBEVP_CIPHER_fetch\fR\|(3) and \fBEVP_CIPHER_do_all_provided\fR\|(3)
847 .IP \(bu 4
848 \&\fBEVP_default_properties_enable_fips\fR\|(3) and
849 \&\fBEVP_default_properties_is_fips_enabled\fR\|(3)
850 .IP \(bu 4
851 \&\fBEVP_KDF_fetch\fR\|(3) and \fBEVP_KDF_do_all_provided\fR\|(3)
852 .IP \(bu 4
853 \&\fBEVP_KEM_fetch\fR\|(3) and \fBEVP_KEM_do_all_provided\fR\|(3)
854 .IP \(bu 4
855 \&\fBEVP_KEYEXCH_fetch\fR\|(3) and \fBEVP_KEYEXCH_do_all_provided\fR\|(3)
856 .IP \(bu 4
857 \&\fBEVP_KEYMGMT_fetch\fR\|(3) and \fBEVP_KEYMGMT_do_all_provided\fR\|(3)
858 .IP \(bu 4
859 \&\fBEVP_MAC_fetch\fR\|(3) and \fBEVP_MAC_do_all_provided\fR\|(3)
860 .IP \(bu 4
861 \&\fBEVP_MD_fetch\fR\|(3) and \fBEVP_MD_do_all_provided\fR\|(3)
862 .IP \(bu 4
863 \&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3)
864 .IP \(bu 4
865 \&\fBEVP_PKEY_Q_keygen\fR\|(3)
866 .IP \(bu 4
867 \&\fBEVP_Q_mac\fR\|(3) and \fBEVP_Q_digest\fR\|(3)
868 .IP \(bu 4
869 \&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND_do_all_provided\fR\|(3)
870 .IP \(bu 4
871 \&\fBEVP_set_default_properties\fR\|(3)
872 .IP \(bu 4
873 \&\fBEVP_SIGNATURE_fetch\fR\|(3) and \fBEVP_SIGNATURE_do_all_provided\fR\|(3)
874 .IP \(bu 4
875 \&\fBOSSL_CMP_CTX_new\fR\|(3) and \fBOSSL_CMP_SRV_CTX_new\fR\|(3)
876 .IP \(bu 4
877 \&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert\fR\|(3)
878 .IP \(bu 4
879 \&\fBOSSL_CRMF_MSG_create_popo\fR\|(3) and \fBOSSL_CRMF_MSGS_verify_popo\fR\|(3)
880 .IP \(bu 4
881 \&\fBOSSL_CRMF_pbm_new\fR\|(3) and \fBOSSL_CRMF_pbmp_new\fR\|(3)
882 .IP \(bu 4
883 \&\fBOSSL_DECODER_CTX_add_extra\fR\|(3) and \fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)
884 .IP \(bu 4
885 \&\fBOSSL_DECODER_fetch\fR\|(3) and \fBOSSL_DECODER_do_all_provided\fR\|(3)
886 .IP \(bu 4
887 \&\fBOSSL_ENCODER_CTX_add_extra\fR\|(3)
888 .IP \(bu 4
889 \&\fBOSSL_ENCODER_fetch\fR\|(3) and \fBOSSL_ENCODER_do_all_provided\fR\|(3)
890 .IP \(bu 4
891 \&\fBOSSL_LIB_CTX_free\fR\|(3), \fBOSSL_LIB_CTX_load_config\fR\|(3) and \fBOSSL_LIB_CTX_set0_defaul…
892 .IP \(bu 4
893 \&\fBOSSL_PROVIDER_add_builtin\fR\|(3), \fBOSSL_PROVIDER_available\fR\|(3),
894 \&\fBOSSL_PROVIDER_do_all\fR\|(3), \fBOSSL_PROVIDER_load\fR\|(3),
895 \&\fBOSSL_PROVIDER_set_default_search_path\fR\|(3) and \fBOSSL_PROVIDER_try_load\fR\|(3)
896 .IP \(bu 4
897 \&\fBOSSL_SELF_TEST_get_callback\fR\|(3) and \fBOSSL_SELF_TEST_set_callback\fR\|(3)
898 .IP \(bu 4
899 \&\fBOSSL_STORE_attach\fR\|(3)
900 .IP \(bu 4
901 \&\fBOSSL_STORE_LOADER_fetch\fR\|(3) and \fBOSSL_STORE_LOADER_do_all_provided\fR\|(3)
902 .IP \(bu 4
903 \&\fBRAND_get0_primary\fR\|(3), \fBRAND_get0_private\fR\|(3), \fBRAND_get0_public\fR\|(3),
904 \&\fBRAND_set_DRBG_type\fR\|(3) and \fBRAND_set_seed_source_type\fR\|(3)
918 \fIMapping EVP controls and flags to provider \fR\f(BIOSSL_PARAM\fR\fI\|(3) parameters\fR
921 The existing functions for controls (such as \fBEVP_CIPHER_CTX_ctrl\fR\|(3)) and
922 manipulating flags (such as \fBEVP_MD_CTX_set_flags\fR\|(3)) internally use
924 See \fBOSSL_PARAM\fR\|(3) for additional information related to parameters.
926 For ciphers see "CONTROLS" in \fBEVP_EncryptInit\fR\|(3), "FLAGS" in \fBEVP_EncryptInit\fR\|(3) and
927 "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
929 For digests see "CONTROLS" in \fBEVP_DigestInit\fR\|(3), "FLAGS" in \fBEVP_DigestInit\fR\|(3) and
930 "PARAMETERS" in \fBEVP_DigestInit\fR\|(3).
940 Providers are a replacement for engines and low-level method overrides
941 .IX Subsection "Providers are a replacement for engines and low-level method overrides"
950 Deprecated i2d and d2i functions for low-level key types
951 .IX Subsection "Deprecated i2d and d2i functions for low-level key types"
953 Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low-level key type
954 have been deprecated. Applications should instead use the \fBOSSL_DECODER\fR\|(3) and
955 \&\fBOSSL_ENCODER\fR\|(3) APIs to read and write files.
956 See "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) for further details.
958 Deprecated low-level key object getters and setters
959 .IX Subsection "Deprecated low-level key object getters and setters"
961 Applications that set or get low-level key objects (such as \fBEVP_PKEY_set1_DH()\fR
963 (See \fBOSSL_ENCODER_to_bio\fR\|(3)) or OSSL_DECODER (See \fBOSSL_DECODER_from_bio\fR\|(3))
964 APIs, or alternatively use \fBEVP_PKEY_fromdata\fR\|(3) or \fBEVP_PKEY_todata\fR\|(3).
966 Deprecated low-level key parameter getters
967 .IX Subsection "Deprecated low-level key parameter getters"
969 Functions that access low-level objects directly such as \fBRSA_get0_n\fR\|(3) are now
971 \&\fBEVP_PKEY_get_bn_param\fR\|(3),
972 \&\fBEVP_PKEY_get_int_param\fR\|(3),
973 \&\fBEVP_PKEY_get_size_t_param\fR\|(3),
974 \&\fBEVP_PKEY_get_utf8_string_param\fR\|(3),
975 \&\fBEVP_PKEY_get_octet_string_param\fR\|(3), or
976 \&\fBEVP_PKEY_get_params\fR\|(3),
979 "Common RSA parameters" in \fBEVP_PKEY\-RSA\fR\|(7),
980 "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7),
981 "DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7),
982 "DH parameters" in \fBEVP_PKEY\-DH\fR\|(7),
983 "FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7),
984 "Common X25519, X448, ED25519 and ED448 parameters" in \fBEVP_PKEY\-X25519\fR\|(7),
985 "Common parameters" in \fBEVP_PKEY\-ML\-DSA\fR\|(7),
987 "Common parameters" in \fBEVP_PKEY\-ML\-KEM\fR\|(7).
988 Applications may also use \fBEVP_PKEY_todata\fR\|(3) to return all fields.
990 Deprecated low-level key parameter setters
991 .IX Subsection "Deprecated low-level key parameter setters"
993 Functions that access low-level objects directly such as \fBRSA_set0_crt_params\fR\|(3)
994 are now deprecated. Applications should use \fBEVP_PKEY_fromdata\fR\|(3) to create
996 created, so if required the user may use \fBEVP_PKEY_todata\fR\|(3), \fBOSSL_PARAM_merge\fR\|(3),
997 and \fBEVP_PKEY_fromdata\fR\|(3) to create a modified key.
998 See "Examples" in \fBEVP_PKEY\-DH\fR\|(7) for more information.
999 See "Deprecated low-level key generation functions" for information on
1002 Deprecated low-level object creation
1003 .IX Subsection "Deprecated low-level object creation"
1005 Low-level objects were created using methods such as \fBRSA_new\fR\|(3),
1006 \&\fBRSA_up_ref\fR\|(3) and \fBRSA_free\fR\|(3). Applications should instead use the
1007 high-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and
1008 \&\fBEVP_PKEY_free\fR\|(3).
1009 See also \fBEVP_PKEY_CTX_new_from_name\fR\|(3) and \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
1012 See also "Deprecated low-level key generation functions",
1013 "Deprecated low-level key reading and writing functions" and
1014 "Deprecated low-level key parameter setters".
1016 Deprecated low-level encryption functions
1017 .IX Subsection "Deprecated low-level encryption functions"
1019 Low-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3)
1021 instead use the high level EVP APIs \fBEVP_EncryptInit_ex\fR\|(3),
1022 \&\fBEVP_EncryptUpdate\fR\|(3), and \fBEVP_EncryptFinal_ex\fR\|(3) or
1023 \&\fBEVP_DecryptInit_ex\fR\|(3), \fBEVP_DecryptUpdate\fR\|(3) and \fBEVP_DecryptFinal_ex\fR\|(3).
1025 Deprecated low-level digest functions
1026 .IX Subsection "Deprecated low-level digest functions"
1028 Use of low-level digest functions such as \fBSHA1_Init\fR\|(3) has been
1030 use the high level EVP APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
1031 and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot \fBEVP_Q_digest\fR\|(3).
1033 Note that the functions \fBSHA1\fR\|(3), \fBSHA224\fR\|(3), \fBSHA256\fR\|(3), \fBSHA384\fR\|(3)
1034 and \fBSHA512\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3).
1036 Deprecated low-level signing functions
1037 .IX Subsection "Deprecated low-level signing functions"
1039 Use of low-level signing functions such as \fBDSA_sign\fR\|(3) has been
1041 \&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
1042 See also \fBEVP_SIGNATURE\-RSA\fR\|(7), \fBEVP_SIGNATURE\-DSA\fR\|(7),
1043 \&\fBEVP_SIGNATURE\-ECDSA\fR\|(7) and \fBEVP_SIGNATURE\-ED25519\fR\|(7).
1045 Deprecated low-level MAC functions
1046 .IX Subsection "Deprecated low-level MAC functions"
1048 Low-level MAC functions such as \fBCMAC_Init\fR\|(3) are deprecated.
1049 Applications should instead use the new \fBEVP_MAC\fR\|(3) interface, using
1050 \&\fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3),
1051 \&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot MAC function
1052 \&\fBEVP_Q_mac\fR\|(3).
1053 See \fBEVP_MAC\fR\|(3), \fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7…
1054 \&\fBEVP_MAC\-KMAC\fR\|(7), \fBEVP_MAC\-BLAKE2\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and
1055 \&\fBEVP_MAC\-Siphash\fR\|(7) for additional information.
1057 Note that the one-shot method \fBHMAC()\fR is still available for compatibility purposes,
1060 Deprecated low-level validation functions
1061 .IX Subsection "Deprecated low-level validation functions"
1063 Low-level validation functions such as \fBDH_check\fR\|(3) have been informally
1064 discouraged from use for a long time. Applications should instead use the high-level
1065 EVP_PKEY APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3),
1066 \&\fBEVP_PKEY_param_check_quick\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3),
1067 \&\fBEVP_PKEY_public_check_quick\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3),
1068 and \fBEVP_PKEY_pairwise_check\fR\|(3).
1070 Deprecated low-level key exchange functions
1071 .IX Subsection "Deprecated low-level key exchange functions"
1073 Many low-level functions have been informally discouraged from use for a long
1074 time. Applications should instead use \fBEVP_PKEY_derive\fR\|(3).
1075 See \fBEVP_KEYEXCH\-DH\fR\|(7), \fBEVP_KEYEXCH\-ECDH\fR\|(7) and \fBEVP_KEYEXCH\-X25519\fR\|(7).
1077 Deprecated low-level key generation functions
1078 .IX Subsection "Deprecated low-level key generation functions"
1080 Many low-level functions have been informally discouraged from use for a long
1081 time. Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and
1082 \&\fBEVP_PKEY_generate\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7), \fBEVP_PKEY\-DH\fR\|(7),
1083 \&\fBEVP_PKEY\-RSA\fR\|(7), \fBEVP_PKEY\-EC\fR\|(7) and \fBEVP_PKEY\-X25519\fR\|(7).
1084 The 'quick' one-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most
1085 common cases: \fBEVP_RSA_gen\fR\|(3) and \fBEVP_EC_gen\fR\|(3) may also be used.
1087 Deprecated low-level key reading and writing functions
1088 .IX Subsection "Deprecated low-level key reading and writing functions"
1090 Use of low-level objects (such as DSA) has been informally discouraged from use
1091 for a long time. Functions to read and write these low-level objects (such as
1093 \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3).
1095 Deprecated low-level key printing functions
1096 .IX Subsection "Deprecated low-level key printing functions"
1098 Use of low-level objects (such as DSA) has been informally discouraged from use
1099 for a long time. Functions to print these low-level objects such as
1101 Applications should use one of \fBEVP_PKEY_print_public\fR\|(3),
1102 \&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_params\fR\|(3),
1103 \&\fBEVP_PKEY_print_public_fp\fR\|(3), \fBEVP_PKEY_print_private_fp\fR\|(3) or
1104 \&\fBEVP_PKEY_print_params_fp\fR\|(3). Note that internally these use
1105 \&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3).
1111 .IP \(bu 4
1117 Bi-directional IGE mode. These modes were never formally standardised and
1122 .IP \(bu 4
1126 .IP \(bu 4
1129 See "Deprecated low-level encryption functions"
1130 .IP \(bu 4
1134 .IP \(bu 4
1139 .IP \(bu 4
1142 Use \fBASN1_STRING_set\fR\|(3) or \fBASN1_STRING_set0\fR\|(3) instead.
1145 .IP \(bu 4
1149 See "Deprecated low-level encryption functions".
1151 .IP \(bu 4
1155 .IP \(bu 4
1158 Use the respective non-deprecated \fB_ex()\fR functions.
1159 .IP \(bu 4
1162 Use \fBBN_check_prime\fR\|(3) which avoids possible misuse and always uses at least
1163 64 rounds of the Miller-Rabin primality test.
1164 .IP \(bu 4
1167 Use \fBBN_rand\fR\|(3) and \fBBN_rand_range\fR\|(3).
1168 .IP \(bu 4
1171 There are no replacements for these low-level functions. They were used internally
1173 Use \fBEVP_PKEY_keygen\fR\|(3) instead.
1174 .IP \(bu 4
1180 See "Deprecated low-level encryption functions".
1181 .IP \(bu 4
1185 See "Deprecated low-level encryption functions".
1187 .IP \(bu 4
1191 See "Deprecated low-level MAC functions".
1192 .IP \(bu 4
1195 See "Deprecated low-level MAC functions".
1196 .IP \(bu 4
1202 Memory-leak checking has been deprecated in favor of more modern development
1204 .IP \(bu 4
1213 "Gettable and Settable EVP_CIPHER_CTX parameters" in \fBEVP_EncryptInit\fR\|(3).
1214 See "EXAMPLES" in \fBEVP_EncryptInit\fR\|(3) for an AES\-256\-CBC\-CTS example.
1215 .IP \(bu 4
1226 See "Deprecated i2d and d2i functions for low-level key types"
1227 .IP \(bu 4
1230 Use \fBEVP_PKEY_set1_encoded_public_key\fR\|(3).
1231 See "Deprecated low-level key parameter setters"
1232 .IP \(bu 4
1243 See "Deprecated low-level encryption functions".
1244 Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
1245 "DES\-CFB1" and "DES\-CFB8" have been moved to the Legacy Provider.
1246 .IP \(bu 4
1249 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1250 \&\fBEVP_PKEY_get_size\fR\|(3).
1251 .IP \(bu 4
1255 See "Deprecated low-level validation functions"
1256 .IP \(bu 4
1263 .IP \(bu 4
1266 See "Deprecated low-level key exchange functions".
1267 .IP \(bu 4
1270 See "Deprecated low-level object creation"
1271 .IP \(bu 4
1274 See "Deprecated low-level key generation functions".
1275 .IP \(bu 4
1279 See "Deprecated low-level key parameter getters"
1280 .IP \(bu 4
1284 "DH parameters" in \fBEVP_PKEY\-DH\fR\|(7)) to one of "dh_1024_160", "dh_2048_224" or
1286 .IP \(bu 4
1289 Applications should use \fBEVP_PKEY_CTX_set_dh_kdf_type\fR\|(3) instead.
1290 .IP \(bu 4
1295 See "Providers are a replacement for engines and low-level method overrides"
1296 .IP \(bu 4
1299 See "Deprecated low-level key printing functions"
1300 .IP \(bu 4
1303 See "Deprecated low-level key parameter setters"
1304 .IP \(bu 4
1307 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1308 \&\fBEVP_PKEY_get_size\fR\|(3).
1309 .IP \(bu 4
1312 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1313 and \fBEVP_PKEY_dup\fR\|(3) instead.
1314 .IP \(bu 4
1317 See "Deprecated low-level key generation functions".
1318 .IP \(bu 4
1323 See "Providers are a replacement for engines and low-level method overrides".
1324 .IP \(bu 4
1328 See "Deprecated low-level key parameter getters".
1329 .IP \(bu 4
1332 See "Deprecated low-level object creation"
1333 .IP \(bu 4
1336 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1337 and \fBEVP_PKEY_dup\fR\|(3) instead.
1338 .IP \(bu 4
1341 See "Deprecated low-level key printing functions"
1342 .IP \(bu 4
1345 See "Deprecated low-level key parameter setters"
1346 .IP \(bu 4
1350 .IP \(bu 4
1353 See "Deprecated low-level signing functions".
1354 .IP \(bu 4
1357 See "Deprecated low-level key exchange functions".
1358 .IP \(bu 4
1362 \&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \fBOSSL_PARAM\fR\|(3) using the
1363 "kdf-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7)
1364 .IP \(bu 4
1368 See "Deprecated low-level signing functions".
1369 .IP \(bu 4
1372 Applications should use \fBEVP_PKEY_get_size\fR\|(3).
1373 .IP \(bu 4
1381 .IP \(bu 4
1384 Use \fBEC_GROUP_free\fR\|(3) instead.
1385 .IP \(bu 4
1389 Applications should use \fBEC_GROUP_get_curve\fR\|(3) and \fBEC_GROUP_set_curve\fR\|(3).
1390 .IP \(bu 4
1396 .IP \(bu 4
1399 EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
1402 .IP \(bu 4
1405 Applications should use \fBEVP_PKEY_can_sign\fR\|(3) instead.
1406 .IP \(bu 4
1409 See "Deprecated low-level validation functions"
1410 .IP \(bu 4
1413 See "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7) which handles flags as separate
1418 See also "EXAMPLES" in \fBEVP_PKEY\-EC\fR\|(7)
1419 .IP \(bu 4
1422 There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
1423 and \fBEVP_PKEY_dup\fR\|(3) instead.
1424 .IP \(bu 4
1428 .IP \(bu 4
1431 See "Deprecated low-level key generation functions".
1432 .IP \(bu 4
1436 See "Deprecated low-level key parameter getters".
1437 .IP \(bu 4
1443 See "Providers are a replacement for engines and low-level method overrides"
1444 .IP \(bu 4
1447 Use \fBEC_GROUP_get_field_type\fR\|(3) instead.
1448 See "Providers are a replacement for engines and low-level method overrides"
1449 .IP \(bu 4
1454 .IP \(bu 4
1457 See "Deprecated low-level object creation"
1458 .IP \(bu 4
1461 See "Deprecated low-level key printing functions"
1462 .IP \(bu 4
1465 See "Deprecated low-level key parameter setters".
1466 .IP \(bu 4
1470 See "Deprecated low-level key parameter setters".
1471 .IP \(bu 4
1475 See "Deprecated low-level key printing functions"
1476 .IP \(bu 4
1480 formats are not individual big-endian integers.
1481 .IP \(bu 4
1485 Applications should use \fBEC_POINT_get_affine_coordinates\fR\|(3) and
1486 \&\fBEC_POINT_set_affine_coordinates\fR\|(3) instead.
1487 .IP \(bu 4
1491 \&\fBEC_POINT_set_affine_coordinates\fR\|(3) and \fBEC_POINT_get_affine_coordinates\fR\|(3)
1493 .IP \(bu 4
1498 .IP \(bu 4
1501 Applications should use \fBEC_POINT_set_compressed_coordinates\fR\|(3) instead.
1502 .IP \(bu 4
1506 \&\fBEC_POINT_mul\fR\|(3) function.
1507 .IP \(bu 4
1511 See "Providers are a replacement for engines and low-level method overrides".
1512 .IP \(bu 4
1517 .IP \(bu 4
1520 The new functions are \fBERR_peek_error_func\fR\|(3), \fBERR_peek_last_error_func\fR\|(3),
1521 \&\fBERR_peek_error_data\fR\|(3), \fBERR_peek_last_error_data\fR\|(3), \fBERR_get_error_all\fR\|(3),
1522 \&\fBERR_peek_error_all\fR\|(3) and \fBERR_peek_last_error_all\fR\|(3).
1523 Applications should use \fBERR_get_error_all\fR\|(3), or pick information
1525 \&\fBERR_get_error\fR\|(3).
1526 .IP \(bu 4
1529 Applications should instead use \fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3),
1530 \&\fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3) and \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3)
1532 See \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3) for further information.
1533 .IP \(bu 4
1537 See "Providers are a replacement for engines and low-level method overrides".
1538 .IP \(bu 4
1546 .IP \(bu 4
1549 See the "kdf-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and
1550 "ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7).
1552 .IP \(bu 4
1555 Applications should use \fBEVP_PKEY_CTX_set1_rsa_keygen_pubexp\fR\|(3) instead.
1556 .IP \(bu 4
1559 Applications should use \fBEVP_PKEY_eq\fR\|(3) and \fBEVP_PKEY_parameters_eq\fR\|(3) instead.
1560 See \fBEVP_PKEY_copy_parameters\fR\|(3) for further details.
1561 .IP \(bu 4
1564 Applications should use \fBEVP_PKEY_encrypt_init\fR\|(3) and \fBEVP_PKEY_encrypt\fR\|(3) or
1565 \&\fBEVP_PKEY_decrypt_init\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) instead.
1566 .IP \(bu 4
1570 .IP \(bu 4
1576 .IP \(bu 4
1579 See "Providers are a replacement for engines and low-level method overrides".
1580 .IP \(bu 4
1583 See "Deprecated low-level MAC functions".
1584 .IP \(bu 4
1588 See "Deprecated low-level key object getters and setters"
1589 .IP \(bu 4
1594 generic functions \fBEVP_PKEY_set1_encoded_public_key\fR\|(3) and
1595 \&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
1598 .IP \(bu 4
1601 See "Providers are a replacement for engines and low-level method overrides".
1602 .IP \(bu 4
1607 .IP \(bu 4
1610 See "Deprecated low-level MAC functions".
1611 .IP \(bu 4
1615 See "Deprecated low-level MAC functions".
1616 .IP \(bu 4
1619 See "Deprecated low-level key reading and writing functions"
1620 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1621 .IP \(bu 4
1626 See "Deprecated low-level key reading and writing functions"
1627 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1628 .IP \(bu 4
1633 See "Deprecated low-level key reading and writing functions"
1634 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1635 .IP \(bu 4
1638 Use \fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
1639 See "Deprecated low-level key parameter getters"
1640 .IP \(bu 4
1645 See "Deprecated low-level key reading and writing functions"
1646 and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
1647 .IP \(bu 4
1652 See "Deprecated low-level encryption functions".
1654 .IP \(bu 4
1658 .IP \(bu 4
1661 See "Deprecated low-level encryption functions".
1663 .IP \(bu 4
1667 .IP \(bu 4
1670 See "Deprecated low-level encryption functions".
1672 .IP \(bu 4
1675 See "Deprecated low-level encryption functions".
1677 .IP \(bu 4
1680 See "Deprecated low-level encryption functions".
1681 .IP \(bu 4
1686 .IP \(bu 4
1689 Use \fBOSSL_HTTP_parse_url\fR\|(3) instead.
1690 .IP \(bu 4
1696 with \fBOSSL_HTTP_REQ_CTX_*()\fR. See \fBOSSL_HTTP_REQ_CTX\fR\|(3) for additional
1698 .IP \(bu 4
1703 .IP \(bu 4
1716 provider implementations, see \fBprovider\-storemgmt\fR\|(7).
1717 .IP \(bu 4
1735 See "Deprecated low-level key reading and writing functions"
1736 .IP \(bu 4
1739 See "Deprecated low-level encryption functions".
1740 .IP \(bu 4
1744 Applications should instead use \fBRAND_set_DRBG_type\fR\|(3),
1745 \&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND\fR\|(7).
1746 See \fBRAND_set_rand_method\fR\|(3) for more details.
1747 .IP \(bu 4
1754 See "Deprecated low-level encryption functions".
1756 .IP \(bu 4
1760 See "Deprecated low-level digest functions".
1762 .IP \(bu 4
1765 Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
1766 \&\fBEVP_PKEY_get_size\fR\|(3).
1767 .IP \(bu 4
1770 See "Deprecated low-level validation functions"
1771 .IP \(bu 4
1780 .IP \(bu 4
1783 See "Deprecated low-level key generation functions".
1784 .IP \(bu 4
1787 See "Providers are a replacement for engines and low-level method overrides"
1788 .IP \(bu 4
1795 See "Deprecated low-level key parameter getters"
1796 .IP \(bu 4
1799 See "Deprecated low-level object creation".
1800 .IP \(bu 4
1803 See "Providers are a replacement for engines and low-level method overrides".
1804 .IP \(bu 4
1808 .IP \(bu 4
1811 See "Providers are a replacement for engines and low-level method overrides".
1812 .IP \(bu 4
1815 See "Deprecated low-level signing functions" and
1816 "Deprecated low-level encryption functions".
1817 .IP \(bu 4
1820 See "Deprecated low-level key printing functions"
1821 .IP \(bu 4
1824 See "Deprecated low-level encryption functions"
1825 .IP \(bu 4
1829 mode of none). See "Deprecated low-level signing functions".
1830 .IP \(bu 4
1833 There is no direct replacement. Applications may use \fBEVP_PKEY_dup\fR\|(3).
1834 .IP \(bu 4
1837 See "Deprecated low-level key reading and writing functions"
1838 .IP \(bu 4
1842 See "Deprecated low-level key parameter setters".
1843 .IP \(bu 4
1846 See "Providers are a replacement for engines and low-level method overrides"
1847 .IP \(bu 4
1852 See "Deprecated low-level signing functions".
1853 .IP \(bu 4
1857 X931 padding can be set using "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7).
1859 .IP \(bu 4
1863 See "Deprecated low-level encryption functions".
1865 .IP \(bu 4
1872 See "Deprecated low-level digest functions".
1873 .IP \(bu 4
1882 .IP \(bu 4
1886 These are used to set the Diffie-Hellman (DH) parameters that are to be used by
1888 the built-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3)
1889 or \fBSSL_set_dh_auto\fR\|(3). If custom parameters are necessary then applications can
1890 use the alternative functions \fBSSL_CTX_set0_tmp_dh_pkey\fR\|(3) and
1891 \&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the "callback"
1893 parameters for export and non-export ciphersuites. Export ciphersuites are no
1896 .IP \(bu 4
1899 Use the new \fBSSL_CTX_set_tlsext_ticket_key_evp_cb\fR\|(3) function instead.
1900 .IP \(bu 4
1904 See "Deprecated low-level digest functions".
1906 .IP \(bu 4
1909 This was an undocumented function. Applications can use \fBX509_get0_pubkey\fR\|(3)
1910 and \fBX509_get0_signature\fR\|(3) instead.
1911 .IP \(bu 4
1914 Use \fBX509_load_http\fR\|(3) and \fBX509_CRL_load_http\fR\|(3) instead.
1920 .IP \(bu 4
1925 such EVP_PKEY by calling \fBOBJ_nid2sn\fR\|(3). With the introduction
1927 \&\fBEVP_PKEY_get_id\fR\|(3) might now also return the value \-1
1930 \&\fBEVP_PKEY_get0_type_name\fR\|(3) is recommended for retrieving
1934 See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details.
1940 \&\fBopenssl kdf\fR uses the new \fBEVP_KDF\fR\|(3) API.
1941 \&\fBopenssl kdf\fR uses the new \fBEVP_MAC\fR\|(3) API.
1946 \&\fB\-provider_path\fR and \fB\-provider\fR are available to all apps and can be used
1949 specified if required. The \fB\-provider_path\fR must be specified before the
1950 \&\fB\-provider\fR option.
1952 The \fBlist\fR app has many new options. See \fBopenssl\-list\fR\|(1) for more
1955 \&\fB\-crl_lastupdate\fR and \fB\-crl_nextupdate\fR used by \fBopenssl ca\fR allow
1963 The \fB\-crypt\fR option used by \fBopenssl passwd\fR.
1964 The \fB\-c\fR option used by \fBopenssl x509\fR, \fBopenssl dhparam\fR,
1982 \&\fBopenssl speed\fR no longer uses low-level API calls.
2005 .IP \(bu 4
2009 .IP \(bu 4
2010 Support for fully "pluggable" TLSv1.3 groups.
2015 .IP \(bu 4
2025 See \fBSSL_CTX_get_options\fR\|(3), \fBSSL_CTX_set_options\fR\|(3),
2026 \&\fBSSL_get_options\fR\|(3) and \fBSSL_set_options\fR\|(3).
2027 .IP \(bu 4
2031 .IP \(bu 4
2037 (e.g.: data received by \fBSSL_read\fR\|(3)).
2038 .IP \(bu 4
2039 Client-initiated renegotiation is disabled by default.
2041 To allow it, use the \fB\-client_renegotiation\fR option,
2044 .IP \(bu 4
2052 .IP \(bu 4
2053 Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
2056 connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
2058 implementations even where there are no built-in ones. Attempting to create
2059 TLS connections in such a build without also disabling TLSv1.3 at run time or
2060 using third party provider groups may result in handshake failures. TLSv1.3
2061 can be disabled at compile time using the "no\-tls1_3" Configure option.
2062 .IP \(bu 4
2066 .IP \(bu 4
2077 .IP \(bu 4
2083 .IP \(bu 4
2086 This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
2089 with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). This also means
2095 .IP \(bu 4
2099 string with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). If the
2100 leaf certificate is signed with SHA\-1, a call to \fBSSL_CTX_use_certificate\fR\|(3)
2102 Outside TLS/SSL, the default security level is \-1 (effectively 0). It can
2103 be set using \fBX509_VERIFY_PARAM_set_auth_level\fR\|(3) or using the \fB\-auth_level\fR
2113 Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.