Description of problem:
Using FUTURE crypto policies dnf update fails, curl reports weak cert key for mirrors.fedoraproject.org

Version-Release number of selected component (if applicable):
dnf-4.2.18-1.fc31.noarch
curl-7.66.0-1.fc31.x86_64
crypto-policies-20191128-2.gitcd267a5.fc31.noarch

How reproducible:
reproducible all the time on my machine

Steps to Reproduce:
1. update-crypto-policies --set FUTURE
2. curl -sS https://mirrors.fedoraproject.org > /dev/null

Actual results:
Call failed:
```
$ curl -sS https://mirrors.fedoraproject.org > /dev/null
curl: (60) SSL certificate problem: CA certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

Expected results:
Call succeeds:
```
$ curl -sS https://mirrors.fedoraproject.org > /dev/null
$
```

Additional info:
This is currently breaking dnf update as it tries to make the same connection. I can fix it either via using DEFAULT crypto policies or changing @SECLEVEL=3 to @SECLEVEL=1 in /etc/crypto-policies/back-ends/opensslcnf.config in the FUTURE policy.
It seems flatpak updates are failing too, from the URL https://dl.flathub.org, same as above.
Pretty much all URLs I try are failing using curl, wget, GET when FUTURE policies are configured.

```
$ openssl s_client -connect mirrors.fedoraproject.org:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=67:CA certificate key too weak
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=67:CA certificate key too weak
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org
verify return:1

$ openssl s_client -connect www.google.com:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=67:CA certificate key too weak
verify return:1
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify error:num=67:CA certificate key too weak
verify return:1
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
```

Is this expected behaviour for the FUTURE policies?
Yes, this is expected behaviour. The FUTURE policy requires 3072 bit RSA certificates or ECDSA certificates which are not common yet. We are not going to change the FUTURE policy. Its purpose is for testing for full 128 bit security readiness (2k RSA certs are too small for that) and not general purpose usability.
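As an added example (not code from this report or from crypto-policies) of what the FUTURE policy's @SECLEVEL=3 means for a certificate chain: every certificate, CA or leaf, must offer at least 128 bits of security, which 2048-bit RSA CA keys do not. The key sizes in the two sample chains are assumed values (the report lists subjects only), and the key-size-to-security-bits mapping follows OpenSSL's step table.

```python
# Added example: a model of the per-certificate key-strength check that OpenSSL
# applies at a given security level (the FUTURE policy sets @SECLEVEL=3).
# Chain key sizes below are assumed sample values, not taken from the report.

# Minimum bits of security required by each OpenSSL security level.
SECLEVEL_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

def rsa_security_bits(modulus_bits):
    """OpenSSL's step mapping from RSA modulus size to bits of security."""
    for modulus, secbits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= modulus:
            return secbits
    return 0

def security_bits(algo, key_bits):
    """Strength of a public key: RSA via the table above, EC as half the curve size."""
    if algo == "RSA":
        return rsa_security_bits(key_bits)
    if algo == "EC":
        return key_bits // 2
    raise ValueError("unsupported key algorithm: " + algo)

def check_chain(chain, seclevel):
    """Return (depth, subject, errnum) for every certificate too weak for seclevel.
    Depth 0 is the end-entity certificate; OpenSSL reports error 66 for it and
    error 67 ("CA certificate key too weak") for every CA certificate above it."""
    required = SECLEVEL_BITS[seclevel]
    failures = []
    for depth, (subject, algo, key_bits) in enumerate(chain):
        if security_bits(algo, key_bits) < required:
            failures.append((depth, subject, 66 if depth == 0 else 67))
    return failures

# Constructed chains ordered leaf first, matching the s_client depth numbering.
FEDORA_CHAIN = [
    ("CN=*.fedoraproject.org", "RSA", 4096),                   # assumed leaf size
    ("CN=DigiCert SHA2 High Assurance Server CA", "RSA", 2048),  # assumed
    ("CN=DigiCert High Assurance EV Root CA", "RSA", 2048),      # assumed
]
GOOGLE_CHAIN = [
    ("CN=www.google.com", "EC", 256),                            # assumed P-256 leaf
    ("CN=GTS CA 1O1", "RSA", 2048),                              # assumed
    ("CN=GlobalSign Root CA - R2", "RSA", 2048),                 # assumed
]

if __name__ == "__main__":
    for name, chain in (("fedora", FEDORA_CHAIN), ("google", GOOGLE_CHAIN)):
        for level in (3, 1):  # FUTURE (SECLEVEL=3) versus the reporter's SECLEVEL=1 workaround
            print(name, "SECLEVEL", level, check_chain(chain, level) or "ok")
```

At SECLEVEL=3 both sample chains fail only at depths 1 and 2, reproducing the two "CA certificate key too weak" lines per chain in the s_client output; at SECLEVEL=1 (or 2) the same chains pass.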