After setting a FUTURE crypto policy and rebooting, dnf fails with the base repository:
# dnf update
Oracle Linux 8 BaseOS Latest (x86_64) 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'ol8_baseos_latest':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/repodata/repomd.xml [SSL certificate problem: CA certificate key too weak]
After dropping down to default...
# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# reboot -f
Rebooting.
...dnf is restored:
# dnf update
Oracle Linux 8 BaseOS Latest (x86_64) 11 MB/s | 44 MB 00:04...
Is it feasible for dnf to operate with a FUTURE crypto policy? Will this entail a great deal of work for the repository maintainers?
Edit: The manual page for crypto-policies lists the following for FUTURE:
RSA keys size: >= 3072
(upstream had the same problem, listed in a bugzilla)
https://access.redhat.com/discussions/4524081
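
One way to see which certificates fall below the FUTURE RSA minimum quoted above, as an added example that is not part of the original post. The function names and the two throwaway self-signed certificates are constructed for illustration, and the openssl CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). The threshold is the
# "RSA keys size: >= 3072" line the post quotes for the FUTURE policy.
FUTURE_MIN_RSA=3072

# Print "BITS SUBJECT" for every RSA certificate in PEM file $1 whose key
# is smaller than FUTURE_MIN_RSA. Works on bundles with many certificates.
weak_rsa_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -text -noout |
    awk -v min="$FUTURE_MIN_RSA" '
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subj = $0 }
        /Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
        /Public-Key: \(/ && rsa {
            match($0, /\([0-9]+ bit/)
            bits = substr($0, RSTART + 1, RLENGTH - 5) + 0
            if (bits < min) print bits, subj
        }'
}

# Constructed sample input: two throwaway self-signed certificates
# (2048-bit and 3072-bit RSA) concatenated into $1/bundle.pem.
make_constructed_bundle() {
    : > "$1/bundle.pem"
    for size in 2048 3072; do
        name=constructed-rsa$size
        openssl req -x509 -newkey "rsa:$size" -nodes -days 1 \
            -subj "/CN=$name" -keyout "$1/$name.key" \
            -out "$1/$name.pem" 2>/dev/null
        cat "$1/$name.pem" >> "$1/bundle.pem"
    done
}

# Demo: only the 2048-bit certificate is reported as too weak for FUTURE.
demo_dir=$(mktemp -d)
make_constructed_bundle "$demo_dir"
weak_rsa_certs "$demo_dir/bundle.pem"
rm -rf "$demo_dir"
```

On a real host the same function can be pointed at any PEM file, such as a saved copy of the chain a repository server presents.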