Unbound 1.11.0 FIPS mode issue

Wouter Wijngaards wouter at nlnetlabs.nl
Fri May 7 14:14:58 UTC 2021


Hi Paul,

On 07/05/2021 16:03, Paul Wouters wrote:
> On Fri, 7 May 2021, Wouter Wijngaards wrote:
> 
>>> This seems the wrong way of doing this. unbound should properly
>>> recognise when an algorithm is not available/configured to be
>>> used, and mark the algorithm properly as unsupported/unknown,
>>> so that existing code paths that already support this do
>>> the right thing.
>>
>> Yes, I agree, and the commit
>> https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
>>
>> implements it.
>>
>> The ./configure --with-deprecate-rsa-1024 can be used to make unbound
>> ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
>> insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.
> 
> Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)

This is called ./configure --disable-sha1, which disables SHA1 in that
manner. RSAMD5 is unsupported by default, deprecated in RFC 6725.

Best regards, Wouter

