FUTURE crypto policy breaks dnf

user10174131 May 11 2022 — edited May 12 2022

After setting a FUTURE crypto policy and rebooting, dnf fails with the base repository:

# dnf update
Oracle Linux 8 BaseOS Latest (x86_64)      0.0 B/s |  0 B   00:00   
Errors during downloading metadata for repository 'ol8_baseos_latest':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for [SSL certificate problem: CA certificate key too weak]

After dropping down to default...

# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# reboot -f

...dnf is restored:

# dnf update
Oracle Linux 8 BaseOS Latest (x86_64)      11 MB/s | 44 MB   00:04...

Is it feasible for dnf to operate with a FUTURE crypto policy? Will this entail a great deal of work for the repository maintainers?
Edit: The manual page for crypto-policies lists the following for FUTURE:
RSA keys size: >= 3072
(upstream had the same problem, listed in a bugzilla)
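
A diagnostic for the "CA certificate key too weak" error quoted in the post above, as an added example that is not part of the original post: it reads an OpenSSL text dump of a certificate chain and lists every RSA certificate below a minimum key size (3072, the FUTURE value the post cites). The file name `chain.pem` and the sample chain are constructed for illustration.

```shell
#!/usr/bin/env bash
# Input on stdin: the text dump of a certificate chain, e.g. from
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -text -noout
# (chain.pem is a hypothetical file holding the repository server's chain).

# weak_rsa_certs MIN_BITS
# Prints "<bits> <subject>" for each RSA certificate with a key under MIN_BITS.
# Exit status: 0 if none were found, 1 if at least one key is too small.
weak_rsa_certs() {
    awk -v min="${1:-3072}" '
        /^ *Subject:/           { sub(/^ *Subject: */, ""); subject = $0 }
        /Public Key Algorithm:/ { is_rsa = ($0 ~ /rsaEncryption/) }
        # OpenSSL 1.1.1 prints "RSA Public-Key:", OpenSSL 3 prints "Public-Key:"
        /Public-Key: \([0-9]+ bit\)/ {
            bits = $0
            sub(/.*\(/, "", bits); sub(/ bit\).*/, "", bits)
            # EC keys are skipped: their bit sizes are not comparable to RSA
            if (is_rsa && bits + 0 < min + 0) { print bits, subject; weak = 1 }
        }
        END { exit weak + 0 }
    '
}

# Constructed sample: abbreviated text output for a three-certificate chain.
sample_chain() {
    cat <<'EOF'
Certificate:
        Subject: CN = repo.example.test (constructed)
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
Certificate:
        Subject: CN = Example Intermediate CA (constructed)
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
Certificate:
        Subject: CN = Example EC Root (constructed)
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
EOF
}

# Demo run against the constructed chain with the FUTURE minimum.
sample_chain | weak_rsa_certs 3072 || true
```

A non-zero exit status means at least one certificate in the chain would be rejected at that minimum, which makes the function usable as a pre-check before switching policies.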
