RHEL-33729

Please stop using OpenSSL ENGINE API in bind


    • Fixed in build: bind-9.18.33-5.el10
    • Severity: Important
    • Type: Enhancement
    • Product: Red Hat Enterprise Linux
    • Other field values: rhel-net-perf, ssg_core_services, _N&P-Refined_, Rejected Exception
    • Release note:

      .The `named` and `dnssec` utilities now support OpenSSL providers for hardware tokens

      Before this update, private keys for DNSSEC zone signing could not be kept on hardware security tokens, because that support depended on OpenSSL ENGINEs, which have been removed. Both direct use of hardware tokens by the `named` service and the DNSSEC feature of the `ipa-server-dns` package required this functionality.

      With this update, `named` and the `dnssec` command-line utilities support OpenSSL providers.

      As a result, you can use OpenSSL providers to access both hardware and software tokens that store private keys. This restores the ability to use hardware tokens directly with the `named` service and enables the DNSSEC zone signing feature in the `ipa-server-dns` package.
    • Status: In Progress

      Dear colleagues,

      Our scanning identified your component as one of the packages using the OpenSSL ENGINE API.

      Engines are not FIPS compatible, and the corresponding API has been deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is either already covered by providers maintained by the Crypto Team or will be covered soon.

      We kindly ask you to implement patches or apply compile-time options to eliminate the code relying on the ENGINE API. Even if we don't eliminate the ENGINE API completely, for backward binary compatibility, compiling applications that use the ENGINE API will soon become impossible.

      We kindly ask you to add this work to the nearest sprint. We have a side-tag f41-build-side-86419 to build and a Copr build https://copr.fedorainfracloud.org/coprs/dbelyavs/openssl-no-engine/build/7107098/

      Feel free to reach out to the Crypto team (Dmitry Belyavskiy, Sahana Prasad, or Clemens Lang) directly if you have any problems with the necessary changes.
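As an added example (not part of this ticket, of bind, or of the Crypto team's scanner), the kind of scan the message above refers to, written in POSIX shell: it reports every call into the OpenSSL ENGINE API in a source tree, counts the files that still need patching or an `OPENSSL_NO_ENGINE` guard, and, for an already-built ELF binary, lists the `ENGINE_*` symbols it imports from libcrypto (those are exactly what stops it linking against a no-engine OpenSSL such as the Copr build mentioned). The `ENGINE_*` symbol list and the two sample source files are constructed assumptions, not bind's code.

```shell
#!/bin/sh
# Added example, not part of RHEL-33729 or of bind: locate remaining uses of
# the OpenSSL ENGINE API (deprecated since OpenSSL 3.0 and absent from a
# "no-engine" OpenSSL build) so they can be patched or guarded with
# OPENSSL_NO_ENGINE before the provider-based replacement lands.
#
# Assumption: the symbol family below lists the ENGINE_* entry points most
# commonly used to reach PKCS#11/TPM keys; it is not the complete API.
ENGINE_SYMS='ENGINE_(by_id|init|finish|free|ctrl_cmd(_string)?|load_private_key|load_public_key|set_default(_[A-Z]+)?|load_builtin_engines|register_[a-z_]+|get_first|cleanup|add_conf_module)'

# Print "path:line:text" for each ENGINE API call in C/C++ sources under $1.
# The leading group keeps identifiers such as MY_ENGINE_init from matching.
scan_engine_api() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' -o -name '*.cpp' \) \
        -exec grep -nHE "(^|[^A-Za-z0-9_])${ENGINE_SYMS}\(" {} + 2>/dev/null || true
}

# Number of distinct source files under $1 that still use the ENGINE API.
count_engine_files() {
    scan_engine_api "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# For a built ELF object ($1), list the undefined ENGINE_* symbols it imports
# from libcrypto; such a binary will not link against a no-engine libcrypto.
# Prints nothing when binutils' nm is not installed.
scan_elf_engine_syms() {
    command -v nm >/dev/null 2>&1 || return 0
    nm -D -u "$1" 2>/dev/null | awk '$NF ~ /^ENGINE_/ { sub(/@.*/, "", $NF); print $NF }' | sort -u
}

# Constructed sample tree (not bind's source): one file still loads a key
# through an ENGINE, the other already goes through OSSL_STORE and a provider.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/engine" "$dir/provider"
    cat > "$dir/engine/keyload.c" <<'EOF'
#include <openssl/engine.h>
EVP_PKEY *load_key(const char *id) {
    ENGINE *e = ENGINE_by_id("pkcs11");
    ENGINE_init(e);
    return ENGINE_load_private_key(e, id, NULL, NULL);
}
EOF
    cat > "$dir/provider/keyload.c" <<'EOF'
#include <openssl/provider.h>
#include <openssl/store.h>
EVP_PKEY *load_key(const char *uri) {
    OSSL_PROVIDER_load(NULL, "pkcs11");
    OSSL_STORE_CTX *ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
    OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
    EVP_PKEY *key = OSSL_STORE_INFO_get1_PKEY(info);
    OSSL_STORE_INFO_free(info);
    OSSL_STORE_close(ctx);
    return key;
}
EOF
    printf '%s\n' "$dir"
}

# Demo: scan the constructed tree, then any binary passed as the first argument.
tree=$(make_sample_tree)
scan_engine_api "$tree"
echo "files still using the ENGINE API: $(count_engine_files "$tree")"
rm -rf "$tree"
if [ $# -gt 0 ]; then
    scan_elf_engine_syms "$1"
fi
```

Run it as `sh scan-engine.sh /usr/sbin/named` to see both the source-level report on the sample tree and the imported `ENGINE_*` symbols of an installed binary; a package is ready for a no-engine OpenSSL only when the file count reaches zero and the ELF scan prints nothing.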

      People listed on the ticket: Petr Mensik (pemensik@redhat.com), pme bot (autobot-jira-api), Petr Sklenar, Filip Hanzelka