If you wanted epel-devel list members to see the discussion you have failed.

Your message to the epel-devel mailing-list was rejected for the following reasons:

The message is not from a list member

The original message as received by Mailman is attached.

From: Mark Andrews <[email protected]>
Subject: Re: [dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream
Date: 14 April 2022 at 08:44:55 AEST
To: Petr Menšík <[email protected]>
Cc: DNS-Operations <[email protected]>, [email protected]

The only way to detect if the server is running in this mode is to actually attempt a verification and to see if it fails. That requires precomputed signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify RSASHA1 in FIPS mode.

In FIPS mode one can check if the server is running in FIPS mode or not by calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can adjust the list of algorithms supported by libcrypto at runtime before attempting to validate anything. You don’t end up doing a lot of work just to have EVP_VerifyFinal() fail because of an unsignalled policy switch.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
