Unbound 1.11.0 FIPS mode issue

Paul Wouters paul at nohats.ca
Fri May 7 14:20:31 UTC 2021


On Fri, 7 May 2021, Wouter Wijngaards wrote:

>> Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)
>
> This is called ./configure --disable-sha1 that disables SHA1 in that
> manner. RSAMD5 is unsupported by default, deprecated in RFC 6725.

Oh. Awesome :)

Thanks!

I guess it would be nice to be able to detect (or tell via
unbound-control) about FIPS mode, and only then disable 1024 RSA and
SHA-1. But I guess a runtime feature is quite different from a compile
time feature.

I wouldn't want to disable sha-1 and 1024 RSA already for everyone in
Fedora and RHEL/CentOS....

Paul

