CURL certificate error on apstream

Hey @iztokd - Glad you were able to figure this out for your system.

With respect to 2048-bit keys on the mirrors - this will not be changing any time soon. 4096-bit keys are computationally very expensive, and furthermore provide little security gain for something like a TLS web certificate which is already rotated automatically every ~90 days.

On the backend connections, we are either using 4096-bit RSA or ECDSA keys, however these are long-lived connections between our CDN and origin, and therefore the overhead of the TLS authentication and decryption can be mitigated more.

The big thing here is that many people use Rocky on a lot of different systems, from beefy servers to Raspberry Pis! and we want to make sure nothing is obnoxiously slow for anyone.

You can read some more about this predicament in a great write-up from APNIC (and Fastly) from last year! https://blog.apnic.net/2020/09/14/why-bigger-isnt-always-better-when-it-comes-to-tls-key-size/

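To put numbers on the trade-off described in the reply above, here is an added example (not from the original post or the Rocky Linux project) that uses Go's standard library to time the server's private-key signature, the expensive step of a TLS handshake, for RSA-2048, RSA-4096 and ECDSA P-256. The transcript digest is a constructed input; the key types are the ones the post mentions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// benchSigner averages the cost of one handshake signature over iters runs.
func benchSigner(signer crypto.Signer, iters int) time.Duration {
	digest := sha256.Sum256([]byte("constructed handshake transcript")) // constructed input
	start := time.Now()
	for i := 0; i < iters; i++ {
		if _, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256); err != nil {
			panic(err)
		}
	}
	return time.Since(start) / time.Duration(iters)
}

// mustKey turns a (key, error) pair into a crypto.Signer, panicking on error.
func mustKey(k crypto.Signer, err error) crypto.Signer {
	if err != nil {
		panic(err)
	}
	return k
}

// CompareKeys returns the average per-signature cost for each key type.
// Note: generating the RSA-4096 key alone can take several seconds, which is
// part of why it is unattractive for frequently rotated web certificates.
func CompareKeys(iters int) map[string]time.Duration {
	return map[string]time.Duration{
		"RSA-2048":    benchSigner(mustKey(rsa.GenerateKey(rand.Reader, 2048)), iters),
		"RSA-4096":    benchSigner(mustKey(rsa.GenerateKey(rand.Reader, 4096)), iters),
		"ECDSA P-256": benchSigner(mustKey(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), iters),
	}
}

func main() {
	for name, d := range CompareKeys(20) {
		fmt.Printf("%-12s %7.2f ms per signature\n", name, d.Seconds()*1e3)
	}
}
```

On typical hardware RSA-4096 signing costs several times an RSA-2048 signature, while ECDSA P-256 is cheaper than either, which is the backend choice the post mentions.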