[dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream

Mark Andrews marka at isc.org
Wed Apr 13 22:44:55 UTC 2022

The only way to detect if the server is running in this mode is to actually attempt a verification and to see if it fails.  That requires precomputed signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify RSASHA1 in FIPS mode.

In FIPS mode one can check if the server is running in FIPS mode or not by calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can adjust the list of algorithms supported by libcrypto at runtime before attempting to validate anything.  You don’t end up doing a lot of work just to have EVP_VerifyFinal() fail because of an unsignalled policy switch.


Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list