Unbound 1.11.0 FIPS mode issue
Paul Wouters
paul at nohats.ca
Fri May 7 14:03:32 UTC 2021
On Fri, 7 May 2021, Wouter Wijngaards wrote:
>> This seems the wrong way of doing this. unbound should properly
>> recognise when an algorithm is not available/configured to be
>> used, and mark the algorithm properly as unsupported/unknown,
>> so that existing code paths that already support this, does
>> the right thing.
>
> Yes, I agree, and the commit
> https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
> implements it.
>
> The ./configure --with-deprecate-rsa-1024 can be used to make unbound
> ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
> insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.
Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)
Paul
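A simplified model of the validator decision the thread is about, added here as an illustration and not code from Unbound or the commit linked above: a delegation whose only keys use an unsupported or deprecated algorithm (such as RSA with a 1024-bit modulus under a `--with-deprecate-rsa-1024` build) is treated as insecure, while a supported key with a bad signature is bogus. Algorithm numbers are the IANA values; the key records, the `rsa_bits` field and the `sig_valid` stand-in for real signature verification are constructed assumptions.

```python
"""Simplified DNSSEC validator outcome model (constructed example).

Follows RFC 4035 section 5.2 / RFC 6840 section 5.2: if none of the
algorithms a delegation offers are supported, the zone is treated as
unsigned (insecure), not as a validation failure (bogus). Signature
verification is replaced by a constructed flag; this is not Unbound's code.
"""
from dataclasses import dataclass
from typing import Optional

# IANA DNSSEC algorithm numbers used by this model.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass
class DNSKey:
    algorithm: int
    rsa_bits: Optional[int]  # RSA modulus size; None for non-RSA keys
    sig_valid: bool          # constructed stand-in for real verification


def algo_supported(key: DNSKey, deprecate_rsa_1024: bool = True,
                   deprecate_sha1: bool = False) -> bool:
    """Build-time policy: may the validator use this key at all?"""
    if key.algorithm not in (RSASHA1, RSASHA256, ECDSAP256SHA256):
        return False
    if deprecate_sha1 and key.algorithm == RSASHA1:
        return False
    if deprecate_rsa_1024 and key.rsa_bits is not None and key.rsa_bits <= 1024:
        return False
    return True


def validate_zone(keys, **policy) -> str:
    """Return 'secure', 'insecure' or 'bogus' for a delegation's DNSKEYs.

    No usable key at all -> 'insecure' (unsigned from our point of view).
    A usable key with a good signature -> 'secure'.
    Usable keys whose signatures all fail -> 'bogus'.
    """
    usable = [k for k in keys if algo_supported(k, **policy)]
    if not usable:
        return "insecure"
    if any(k.sig_valid for k in usable):
        return "secure"
    return "bogus"
```

The first branch is what turns a lookup under a 1024-bit RSA-signed delegation from bogus into insecure, which is the behaviour described above.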