[dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream

Mark Andrews marka at isc.org
Wed Apr 13 22:49:34 UTC 2022


If you wanted epel-devel list members to see the discussion you have failed.

Your message to the epel-devel mailing-list was rejected for the following
reasons:

The message is not from a list member

The original message as received by Mailman is attached.

From: Mark Andrews <marka at isc.org>
Subject: Re: [dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream
Date: 14 April 2022 at 08:44:55 AEST
To: Petr Menšík <pemensik at redhat.com>
Cc: DNS-Operations <dns-operations at dns-oarc.net>, epel-devel at lists.fedoraproject.org


The only way to detect if the server is running in this mode is to actually attempt a verification and to see if it fails.  That requires precomputed signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify RSASHA1 in FIPS mode.

In FIPS mode one can check if the server is running in FIPS mode or not by calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can adjust the list of algorithms supported by libcrypto at runtime before attempting to validate anything.  You don’t end up doing a lot of work just to have EVP_VerifyFinal() fail because of an unsignalled policy switch.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org





More information about the dns-operations mailing list