Yes, I know it does not help now. In fact, what blocked me from enabling it in the build were unit tests and other tests not passing after the build. I solved them by using this recipe in Fedora [1]. I will try to enable it in new minor RHEL versions, but already published releases will probably stay the same as they are now, with SHA1 disabled at build time. I will try to fix it in following releases, because I now have a working way to pass the build, including tests, with it. Watch the RHEL-8465 ticket for progress [2].

Cheers,
Petr

1. https://src.fedoraproject.org/rpms/unbound/pull-request/17
2. https://issues.redhat.com/browse/RHEL-8465

On 17. 11. 24 16:12, Philip Homburg wrote:
> > I have found there is no need to link to a different library. What is
> > needed is just a different *configuration*. I found a very simple method
> > to share with you:
> >
> > Use OPENSSL_CONF environment to point to a conf file containing:
> >
> > .include = /etc/ssl/openssl.cnf
> > [evp_properties]
> > rh-allow-sha1-signatures = yes
> >
> > That is all that is needed to get SHA1 verification in DNSSEC back, without
> > accepting SHA1 in TLS connections at the same time. Cool, eh?
>
> At the risk of going off-topic, it seems that Red Hat is shipping packages
> with unbound compiled without support for RSASHA1. So this trick is
> unlikely to help.


--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org