The only way to detect if the server is running in this mode is to actually attempt a verification and to see if it fails. That requires precomputed signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify RSASHA1 in FIPS mode.
In FIPS mode one can check if the server is running in FIPS mode or not by calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can adjust the list of algorithms supported by libcrypto at runtime before attempting to validate anything. You don’t end up doing a lot of work just to have EVP_VerifyFinal() fail because of an unsignalled policy switch. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
