RHEL-30556

Package bind-dyndb-ldap: remove dependency on package openssl-pkcs11


    • bind-dyndb-ldap-11.10-28.el10
    • None
    • Important
    • 1
    • rhel-idm-ipa
    • ssg_idm
    • 30
    • 31
    • 3
    • False
    • False
    • Yes
    • 2024-Q4-Alpha-S4
    • Approved Exception
    • Known Issue
    • .DNSSEC not working correctly in RHEL IdM

      The DNS Security Extensions (DNSSEC) do not function correctly in Identity Management (IdM) in RHEL 10.0 because of multiple unresolved issues stemming from the replacement of the `openssl-pkcs11` OpenSSL engine with the `pkcs11-provider` OpenSSL provider.

      The changes introduced by OpenSSL have impacted the integrated DNS functionality within RHEL IdM. Specifically, the changes are affecting multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`, and how these components interact with security modules.
    • Done
    • All
    • None

      Dear colleagues,

      Your component is dependent on the package openssl-pkcs11, which is going to be removed in RHEL-10 beta. The replacing package is pkcs11-provider.

      Engines are not FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0.

      We kindly ask you to implement patches or apply compiling options to eliminate the dependency on the openssl-pkcs11 package. We kindly ask you to add this work to the nearest sprint.

      Feel free to reach out to the Crypto team if you have any problems with the necessary changes.

              twoerner Thomas Woerner
              dbelyavs@redhat.com Dmitry Belyavskiy
              Rafael Jeffman
              Sudhir Menon
              Filip Hanzelka