OpenSSL will no longer trust cryptographic signatures using SHA-1 by default, starting from Fedora 41.
Owners, do not implement this work until the FESCo vote has explicitly ended. The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.
REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the devel list thread linked above.
The devel discussion indicated that this will break DNSSEC. I'm a bit wary of breaking that by default.
-1
Metadata Update from @ngompa: - Issue tagged with: meeting
Metadata Update from @ngompa: - Issue tagged with: system wide change
This will be discussed in the meeting today at 17:00 UTC.
The devel discussion indicated that this will break DNSSEC. I'm a bit wary of breaking that by default. -1
for completeness it's this message: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/SGVN7MRZDSSOTD4Q445QJN72DLAPOBDI/
Also - there are questions over packaging runcp that the change owner has not answered yet. I might be persuaded to vote +1 conditional on runcp being packaged and it being possible to automatically use the legacy policy for DNS resolvers (or the change owners confirming that there are no additional resolvers in Fedora, since the RHEL ones have been patched per Clemens' reply).
This was discussed during the meeting: APPROVED: Accept the Change and disallow SHA-1 by default. Mitigations exist for individual applications to re-enable it if absolutely necessary (+7, 0, -1)
Metadata Update from @zbyszek: - Issue untagged with: meeting - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
@ngompa was correct that this will have issues with DNSSEC. But not with the bind or unbound components. We had to find a way to make it work well enough. But systemd-resolved did not prepare in a similar way. Not only is resolution of SHA-1 signed names broken, but basically all unsupported algorithms behave the same way.
Filed https://bugzilla.redhat.com/show_bug.cgi?id=2325406