On Sun, 17 Nov 2024, Philip Homburg wrote:
>> [indeed a bit off-topic]
>> Use OPENSSL_CONF environment to point to conf file containing:
>> .include = /etc/ssl/openssl.cnf
>> [evp_properties]
>> rh-allow-sha1-signatures = yes
>> That is all needed to get SHA1 verification in DNSSEC back, without
>> accepting SHA1 in TLS connections at the same time. Cool, eh?
> At the risk of going off-topic, it seems that Red Hat is shipping packages
> where unbound is compiled without support for RSASHA1. So this trick is
> unlikely to help.
Correct, it is now compiled using --disable-sha1. I think it would be
better to enable this again, assuming unbound now has proper code to
detect if sha1 is failing or not during runtime. Then the
crypto-policies can be used to enable this again. If this was a
dedicated container/host, it could simply use:
update-crypto-policies --set LEGACY
It seems "sha1_in_dnssec" has been obsoleted. I do not know why this
was done; I think it was a perfectly fine method to create a crypto
policy submodule only enabling sha1 for DNSSEC.
Paul
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org