Document the implications of setting engine-based low-level methods

author Tomas Mraz <tomas@openssl.org>

Wed, 27 Dec 2023 18:21:49 +0000 (19:21 +0100)

committer Tomas Mraz <tomas@openssl.org>

Wed, 31 Jan 2024 17:40:30 +0000 (18:40 +0100)
author Tomas Mraz <tomas@openssl.org>
Wed, 27 Dec 2023 18:21:49 +0000 (19:21 +0100)
committer Tomas Mraz <tomas@openssl.org>
Wed, 31 Jan 2024 17:40:30 +0000 (18:40 +0100)
diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod

index fc3acef6d94134c46b1b21cf125ee464373e9d8b..569c00e2fbda5aed70d40acc5cc02a2f1f1a1a6d 100644 (file)
--- a/doc/man7/ossl-guide-migration.pod
+++ b/doc/man7/ossl-guide-migration.pod
@@ -157,6 +157,14 @@ To ensure the future compatibility, the engines should be turned to providers.
  To prefer the provider-based hardware offload, you can specify the default
  properties to prefer your provider.
  
+Setting engine-based or application-based default low-level crypto method such
+as B<RSA_METHOD> or B<EC_KEY_METHOD> is still possible and keys inside the
+default provider will use the engine-based implementation for the crypto
+operations. However B<EVP_PKEY>s created by decoding by using B<OSSL_DECODER>,
+B<PEM_> or B<d2i_> APIs will be provider-based. To create a fully legacy
+B<EVP_PKEY>s L<EVP_PKEY_set1_RSA(3)>, L<EVP_PKEY_set1_EC_KEY(3)> or similar
+functions must be used.
+
  =head3 Versioning Scheme
  
  The OpenSSL versioning scheme has changed with the OpenSSL 3.0 release. The new
author	Tomas Mraz <tomas@openssl.org>
	Wed, 27 Dec 2023 18:21:49 +0000 (19:21 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Wed, 31 Jan 2024 17:40:30 +0000 (18:40 +0100)