No, I wanted just the first message to reach both, because I am
subscribed to both lists. Interested people can search the archives of the
other list. I expected those lists very likely have disjoint members, not
able to write to both.
Feel free to remove epel-devel from further responses here to avoid
receiving errors (and vice versa).
On 4/14/22 00:49, Mark Andrews wrote:
If you wanted epel-devel list members to see the discussion you have
failed.
Your message to the epel-devel mailing-list was rejected for the following
reasons:
The message is not from a list member
The original message as received by Mailman is attached.
From: Mark Andrews <marka(a)isc.org>
Subject: Re: [dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream
Date: 14 April 2022 at 08:44:55 AEST
To: Petr Menšík <pemensik(a)redhat.com>
Cc: DNS-Operations <dns-operations(a)dns-oarc.net>,
epel-devel(a)lists.fedoraproject.org
The only way to detect if the server is running in this mode is to actually attempt a
verification and to see if it fails. That requires precomputed signatures as you can’t
sign using RSASHA1 in FIPS mode but you can verify RSASHA1 in FIPS mode.
I am not
sure what platform you are describing. RHEL 9 won't be
able to verify an RSASHA1 signature even in the default policy, let alone in
FIPS mode.
In FIPS mode one can check if the server is running in FIPS mode or not by calling
FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can adjust the list of
algorithms supported by libcrypto at runtime before attempting to validate anything. You
don’t end up doing a lot of work just to have EVP_VerifyFinal() fail because of an
unsignalled policy switch.
Mark
Yes, I also find it disturbing that there is no good public API to check
SHA-1 availability except attempting a real crypto operation. I hope
that will improve later, but I don't know a well-working candidate API at
the moment.
--
Petr Menšík
Software Engineer
Red Hat,
http://www.redhat.com/
email: pemensik(a)redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
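The probe Mark Andrews describes, written out as an operator-side check with the openssl CLI. This is an added example, not code from the thread, from BIND or from Red Hat: it assumes an OpenSSL 3.x `openssl` binary on PATH, and it classifies the attempt purely by what `openssl dgst -verify` prints ("Verified OK", "Verification failure", or nothing because the operation was refused before it ran). The key, message and signature are constructed in a temp directory for the demo; in a real deployment you would generate that triple once on a host that still permits SHA-1 signing and ship the files, since a FIPS host refuses to sign with SHA-1 even where it would still verify.

```shell
#!/bin/sh
# Added example (not from the thread): does this host's OpenSSL still *verify*
# an RSA/SHA-1 (RSASHA1) signature? There is no policy query for that, so the
# only reliable check is to try a known-good signature and look at the outcome.
# Assumes: `openssl` (3.x) on PATH; POSIX sh, mktemp and dd available.

# Classify one attempt by the stdout of `openssl dgst -verify`:
#   0 = "Verified OK"              -> RSASHA1 verification works here
#   1 = "Verification failure"     -> verification ran, signature mismatched
#   2 = anything else (no output)  -> refused before verifying; this is what a
#                                     policy-disabled algorithm looks like
probe_rsasha1_verify() {
    out=$(openssl dgst -sha1 -verify "$1" -signature "$3" "$2" 2>/dev/null || true)
    case "$out" in
        "Verified OK")  return 0 ;;
        Verification*)  return 1 ;;   # matches 1.1.1 "Failure" and 3.x "failure"
        *)              return 2 ;;
    esac
}

# CLI-visible counterpart of EVP_default_properties_is_fips_enabled(): is the
# FIPS provider loaded? Not sufficient on its own: RHEL 9 refuses RSASHA1 in
# its default policy, outside FIPS mode, so only the probe above tells you.
fips_provider_loaded() {
    openssl list -providers 2>/dev/null | grep -qi '^[[:space:]]*fips[[:space:]]*$'
}

# Build the (public key, message, signature) triple used by the probe.
# Constructed fixture for this demo; in production it is precomputed once on a
# host where SHA-1 signing is allowed and shipped with the software.
make_fixture() {
    fdir="$1"
    printf 'dns-operations RSASHA1 self-test\n' > "$fdir/msg"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$fdir/key.pem" 2>/dev/null || return 1
    openssl pkey -in "$fdir/key.pem" -pubout -out "$fdir/pub.pem" 2>/dev/null || return 1
    # This is the step a FIPS host refuses: signing with SHA-1.
    openssl dgst -sha1 -sign "$fdir/key.pem" -out "$fdir/sig.bin" "$fdir/msg" 2>/dev/null
}

# Human-readable conclusion for a probe return code.
describe() {
    case "$1" in
        0) echo "verified: RSASHA1 verification is available" ;;
        1) echo "invalid: verification ran but the signature did not match" ;;
        *) echo "refused: SHA-1 signatures disabled by policy (treat RSASHA1 as unsupported)" ;;
    esac
}

# Stand-alone demo: probe a fresh fixture, then a deliberately corrupted
# signature, which must read as 'invalid' rather than 'refused'.
demo() {
    dir=$(mktemp -d) || return 1
    if ! make_fixture "$dir"; then
        echo "cannot sign with SHA-1 on this host; ship a precomputed pub.pem/msg/sig.bin instead"
        rm -rf "$dir"; return 0
    fi
    if fips_provider_loaded; then echo "fips provider: loaded"; else echo "fips provider: not loaded"; fi
    probe_rsasha1_verify "$dir/pub.pem" "$dir/msg" "$dir/sig.bin"; rc=$?
    echo "good signature  -> $(describe "$rc")"
    cp "$dir/sig.bin" "$dir/bad.bin"
    dd if=/dev/zero of="$dir/bad.bin" bs=1 count=16 conv=notrunc 2>/dev/null
    probe_rsasha1_verify "$dir/pub.pem" "$dir/msg" "$dir/bad.bin"; rc=$?
    echo "corrupted       -> $(describe "$rc")"
    rm -rf "$dir"
    return 0
}

demo
```

On a host that has disabled SHA-1 signatures the first probe line reads "refused" rather than "verified", and that single outcome is what a validator would use to drop RSASHA1 from its supported-algorithm list at startup instead of discovering it later on every failed RRSIG check.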