No, I wanted just the first message to reach both, because I am subscribed to both lists. Interested people can search archives of the other list. I expected those lists have very likely disjoint members not able to write to both.
Feel free to remove epel-devel from further responses here to avoid receiving errors (and vice versa). On 4/14/22 00:49, Mark Andrews wrote: > If you wanted epel-devel list members to see the discussion you have failed. > > Your message to the epel-devel mailing-list was rejected for the following > reasons: > > The message is not from a list member > > The original message as received by Mailman is attached. > > From: Mark Andrews <[email protected]> > Subject: Re: [dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and > CentOS 9 Stream > Date: 14 April 2022 at 08:44:55 AEST > To: Petr Menšík <[email protected]> > Cc: DNS-Operations <[email protected]>, > [email protected] > > > The only way to detect if the server is running in this mode is to actually > attempt a verification and to see if it fails. That requires precomputed > signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify > RSASHA1 in FIPS mode. I am not sure what is the platform you are describing. RHEL 9 won't be able to verify RSASHA1 signature even in default policy, let alone in FIPS mode. > > In FIPS mode one can check if the server is running in FIPS mode or not by > calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can > adjust the list of algorithms supported by libcrypto at runtime before > attempting to validate anything. You don’t end up doing a lot of work just > to have EVP_VerifyFinal() fail because of an unsignalled policy switch. > > Mark Yes, I find it also disturbing that there is no good public API to check SHA-1 availability except attempting a real crypto operation. I hope that will improve later, but I don't know well working candidate API at the moment. -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: [email protected] PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
