Disable altogether SHA-1 support

Crypto policy DEFAULT and FIPS would never pass on any name signed by RSASHA1 or under such zone. Make all those signatures insecure regardless on policy. It would make it insecure even in cases where it were not mandatory, but would not fail with SERVFAIL in any crypto-policy setting. Resolves: rhbz#2070495
2022-03-31 15:00:40 +02:00 · 2022-03-31 15:00:40 +02:00 · 00a583016d
parent 7f41dcdd3a
commit 00a583016d
1 changed files with 5 additions and 2 deletions
--- a/unbound.spec
+++ b/unbound.spec
@ -37,7 +37,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.13.1
-Release: 12%{?extra_version:.%{extra_version}}%{?dist}
+Release: 13%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -213,7 +213,7 @@ cp -a %{dir_primary} %{dir_secondary}
            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
            --enable-sha2 --disable-gost --enable-ecdsa \\\
            --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
-            --enable-linux-ip-local-port-range
+            --enable-linux-ip-local-port-range --disable-sha1

 pushd %{dir_primary}

@ -463,6 +463,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key

 %changelog
+* Thu Mar 31 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-13
+- Disable SHA-1 support (#2070495)
+
 * Fri Feb 11 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-12
 - Fixed error in the patch
 - Resolves: rhbz#1977401