-
-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Sha1 runtime unittest #770
base: master
Are you sure you want to change the base?
WIP: Sha1 runtime unittest #770
Conversation
It were possible to enable them only from debugger. Allow setting them from command line also.
CentOS 9 has disabled SHA-1 validation by default. It makes possible passing of unit tests on such system. Make it possible to process also indeterminate result from rrset validation. It would mean that signature is not known bogus, but were not able to be validated at the same time.
RHEL 9 with DEFAULT crypto policy produces 3 errors pushed to the error stack in one failed case. Ensure it does not break following tests, but all of them are read after the call failure.
Currently fails to me
|
It seems many tests should be recreated with non-SHA1 algorithms if that is not required. Many of those tests would be just ignored and not checked on RHEL9-like systems. There is quite a lot of results when using command |
These changes complements PR #660, which added some support into unbound for runtime disabled SHA1 validation. Depending on setting in crypto policy and resulting codes in crypto library, it either considers signature indeterminate. That is roughly equivalent to insecure, but we have some signatures present and no proof about missing DS record.
This fixes unittest to pass on RHEL9, but rpl tests do not yet pass.