Unbound 1.11.0 FIPS mode issue

Hi There,

While trying to verify DANE compliance for a domain, we are facing an RSA signature verification issue in FIPS mode for 1024 key sizes.

As per our understanding, in non-FIPS mode the (openssl) rsa_sign.c RSA_verify function is taking care of signature verification and it is passing.

In FIPS mode we see that unbound doesn’t call RSA_verify. Could you help us understand if there is any other way verification takes place?

Below is the unbound query response for ietf.org.

Answer in Non FIPS mode:

<dns_reply rcode=0 q: an:[(‘MX’, ‘ietf.org’, 0, ‘SECURE’, 3963714400605L, (0, ‘mail.ietf.org’))] ns: ar:>

<dns_reply rcode=0 q: an:[(‘A’, ‘mail.ietf.org’, 0, ‘SECURE’, 3963714400605L, ‘4.31.198.44’)] ns: ar:>

<dns_reply rcode=0 q: an: ns: ar:>

<dns_reply rcode=0 q: an:[(‘TLSA’, ‘_25._tcp.mail.ietf.org’, 0, ‘SECURE’, 3969483822987L, ‘0301010c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6’)] ns: ar:>

Answer in FIPS mode:

<dns_reply rcode=0 q: an:[(‘MX’, ‘ietf.org’, 0, ‘BOGUS’, 4274224824212L, (0, ‘mail.ietf.org’))]

<dns_reply rcode=0 q: an:[(‘A’, ‘mail.ietf.org’, 0, ‘BOGUS’, 4274224824212L, ‘4.31.198.44’)] ns: ar:>

We appreciate any inputs on how we can verify 1024 key sizes signature verification in FIPS mode.

Thanks,

rafiq

Afaik you can't. 1024 bit keys are not permitted by FIPS.

* Tuomo Soini via Unbound-users:

Hi All,

Can anyone share information on the function that does signature verification in the unbound library (version 1.11.0)?

Is there any way to bypass FIPS mode setting and allow signature verification for 1024 key sizes as well in FIPS mode in unbound. Or can we use any openssl flag to disable FIPS mode for unbound. Appreciate any inputs on this.

Thanks,

rafiq

Hi All,

We are trying to enable verbosity in unbound. So far we have tried the below flags at the time of build.

--verbose

--with-syslog-facility

./configure --verbose --with-syslog-facility=LOCAL0

We could not find where the additional logs are saved. Also, kindly help us find where we can configure the path for LOCAL0 through 7.

Our goal is to add debug logs to identify the code snippet where signature verification takes place, to check the feasibility of bypassing the FIPS mode check and verify 1024 key sizes.

Appreciate any inputs on the above queries.

Thanks,

rafiq

> We are trying to enable verbosity in unbound, so far we have tried below flags at the time of build.

Why not set verbosity: in the unbound.conf configuration file ?

> Our goal is to add debug logs to identify code snippet where signature verification takes place, to check the feasibility of bypassing FIPS mode check and verify 1024 key sizes.

This seems the wrong way of doing this. unbound should properly
recognise when an algorithm is not available/configured to be
used, and mark the algorithm properly as unsupported/unknown,
so that existing code paths that already support this do
the right thing.

Paul

Hi Paul, Mohammad,

>> We are trying to enable verbosity in unbound, so far
>> we have tried below flags at the time of build.

> Why not set verbosity: in the unbound.conf configuration file ?

>> Our goal is to add debug logs to identify code snippet where signature
>> verification takes place, to check the feasibility of bypassing FIPS
>> mode check and verify 1024 key sizes.

> This seems the wrong way of doing this. unbound should properly
> recognise when an algorithm is not available/configured to be
> used, and mark the algorithm properly as unsupported/unknown,
> so that existing code paths that already support this do
> the right thing.

Yes, I agree, and the commit
https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
implements it.

The ./configure --with-deprecate-rsa-1024 can be used to make unbound
ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.

Best regards, Wouter
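
An added example, not part of the thread and not Unbound's code: a Python check that reads the RFC 3110 public key field of a DNSKEY record and reports RSA keys whose modulus is 1024 bits or smaller, the keys this thread is about. The function names, the `weak_bits` cut-off and the sample keys (built by `make_rsa_dnskey`, not real keys) are assumptions made for the illustration.

```python
import base64

# DNSSEC algorithm numbers whose DNSKEY carries an RFC 3110 RSA public key.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def rsa_modulus_bits(pubkey_b64):
    """Return the modulus size in bits of an RFC 3110 encoded RSA key."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if not raw:
        raise ValueError("empty key")
    explen, offset = raw[0], 1
    if explen == 0:  # long form: a 2-byte exponent length follows
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        explen, offset = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[offset + explen:]
    if explen == 0 or not modulus:
        raise ValueError("truncated RSA key")
    # bit_length() ignores any leading zero bytes in the modulus.
    return int.from_bytes(modulus, "big").bit_length()


def classify_dnskey(algorithm, pubkey_b64, weak_bits=1024):
    """Return 'usable', 'too-small' or 'not-rsa' for one DNSKEY."""
    if algorithm not in RSA_ALGORITHMS:
        return "not-rsa"
    bits = rsa_modulus_bits(pubkey_b64)
    return "too-small" if bits <= weak_bits else "usable"


def make_rsa_dnskey(bits, exponent=65537):
    """Build a constructed key blob (right size, not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        head = bytes([len(exp)])
    else:
        head = b"\x00" + len(exp).to_bytes(2, "big")
    blob = head + exp + modulus.to_bytes((bits + 7) // 8, "big")
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    # Constructed sample DNSKEYs: (algorithm number, key size in bits).
    for alg, bits in [(5, 1024), (8, 2048), (10, 4096)]:
        print(alg, bits, classify_dnskey(alg, make_rsa_dnskey(bits)))
```

Fed the algorithm number and public key field of a zone's DNSKEY records, it shows which zones depend on RSA keys of this size.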

Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)

Paul

Hi Paul,

Oh. Awesome :)

Thanks!

I guess it would be nice to be able to detect (or tell via
unbound-control) about FIPS mode, and only then disable 1024 RSA and
SHA-1. But I guess a runtime feature is quite different from a compile
time feature.

I wouldn't want to disable sha-1 and 1024 RSA already for everyone in
Fedora and RHEL/CentOS....

Paul