No, I wanted just the first message to reach both, because I am subscribed to both lists. Interested people can search archives of the other list. I expected those lists have very likely disjoint members not able to write to both.
Feel free to remove epel-devel from further responses here to avoid receiving errors (and vice versa). On 4/14/22 00:49, Mark Andrews wrote: > If you wanted epel-devel list members to see the discussion you have failed. > > Your message to the epel-devel mailing-list was rejected for the following > reasons: > > The message is not from a list member > > The original message as received by Mailman is attached. > > From: Mark Andrews <ma...@isc.org> > Subject: Re: [dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and > CentOS 9 Stream > Date: 14 April 2022 at 08:44:55 AEST > To: Petr Menšík <pemen...@redhat.com> > Cc: DNS-Operations <dns-operati...@dns-oarc.net>, > epel-devel@lists.fedoraproject.org > > > The only way to detect if the server is running in this mode is to actually > attempt a verification and to see if it fails. That requires precomputed > signatures as you can’t sign using RSASHA1 in FIPS mode but you can verify > RSASHA1 in FIPS mode. I am not sure what is the platform you are describing. RHEL 9 won't be able to verify RSASHA1 signature even in default policy, let alone in FIPS mode. > > In FIPS mode one can check if the server is running in FIPS mode or not by > calling FIPS_mode() or EVP_default_properties_is_fips_enabled() and you can > adjust the list of algorithms supported by libcrypto at runtime before > attempting to validate anything. You don’t end up doing a lot of work just > to have EVP_VerifyFinal() fail because of an unsignalled policy switch. > > Mark Yes, I find it also disturbing that there is no good public API to check SHA-1 availability except attempting a real crypto operation. I hope that will improve later, but I don't know well working candidate API at the moment. -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB _______________________________________________ epel-devel mailing list -- epel-devel@lists.fedoraproject.org To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
