FUTURE crypto policy breaks dnf

user10174131 Member Posts: 35 Blue Ribbon
edited May 12, 2022 2:57PM in Oracle Linux

After setting a FUTURE crypto policy and rebooting, dnf fails with the base repository:

# dnf update
Oracle Linux 8 BaseOS Latest (x86_64)      0.0 B/s |  0 B   00:00   
Errors during downloading metadata for repository 'ol8_baseos_latest':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/repodata/repomd.xml [SSL certificate problem: CA certificate key too weak]

After dropping down to default...

# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# reboot -f
Rebooting.

...dnf is restored:

# dnf update
Oracle Linux 8 BaseOS Latest (x86_64)      11 MB/s | 44 MB   00:04...

Is it feasible for dnf to operate with a FUTURE crypto policy? Will this entail a great deal of work for the repository maintainers?

Edit: The manual page for crypto-policies lists the following for FUTURE:

RSA keys size: >= 3072

(upstream had the same problem, listed in a bugzilla)

https://access.redhat.com/discussions/4524081
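
An added example, not part of the original post: a shell helper that lists the RSA key size of every certificate in a PEM bundle and flags those below the FUTURE minimum quoted above (RSA >= 3072), to show which certificate in a chain trips the policy. The function name `audit_chain` and the output format are assumptions made for this illustration; it requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the original post). Audits each certificate in a
# PEM bundle against the FUTURE minimum quoted in the post: RSA >= 3072 bits.
# Assumes the openssl CLI is installed; audit_chain is a hypothetical helper.

MIN_RSA_BITS=3072

# Prints "<bits> <OK|WEAK|SKIP> <subject>" per certificate in PEM file $1.
# Returns 1 if any RSA key is smaller than MIN_RSA_BITS, else 0.
audit_chain() {
    local bundle tmp rc cert text subject alg bits status
    bundle=$1; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle; text between certificates (s_client output) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || continue
        text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || continue
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
        [ -n "$bits" ] || continue
        if [ "$alg" != "rsaEncryption" ]; then
            status=SKIP          # the post only quotes the RSA threshold
        elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
            status=WEAK; rc=1    # below the FUTURE minimum for RSA keys
        else
            status=OK
        fi
        printf '%s %s %s\n' "$bits" "$status" "$subject"
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage against a live server (chain as presented by the server only):
#   openssl s_client -connect yum.oracle.com:443 -showcerts </dev/null > chain.pem
#   audit_chain chain.pem
```

The server normally does not send the root certificate, so run the same function over the system CA bundle as well when every presented certificate reports OK.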