Mirrors.rockylinux.org - 2048-bit RSA key insufficient for FUTURE crypto-policy

lquidfire · April 6, 2022, 1:15pm

Hi there,

I played around with setting the system-wide cryptographic policy to FUTURE (link to RedHat).

As a result, I could not update the system via DNF anymore.

I ran a quick check on the mirror’s certificate:

echo | openssl s_client -connect mirrors.rockylinux.org:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
                RSA Public-Key: (2048 bit)

According to the FUTURE crypto policy, the minimum strength of an RSA key is 3072-bit.

A native security policy does seem to create a conflict with such basic system maintenance as updating the system.

I suspect that this is a third-party issue, but is this something that could be changed? Not a high priority…

nazunalika · April 6, 2022, 5:39pm

We had a similar question some time ago. It was answered here: CURL certificate error on apstream - #5 by neil

Hope this helps answer why keys are 2048 on the mirrors.

Topic		Replies	Views
503 response from mirrors.rockylinux.org Infrastructure	15	1587	August 25, 2023
CURL certificate error on apstream Rocky Linux General	10	7676	July 5, 2023
Dnf update fails; out-of-date mirror? Rocky Linux General rocky-linux-9	3	414	January 26, 2024
Curl 60 error when updating system Rocky Linux General	19	26667	August 25, 2023
Applying system-wide cryptographic policies results in failure to run updates Rocky Linux General	5	1325	August 25, 2023

Mirrors.rockylinux.org - 2048-bit RSA key insufficient for FUTURE crypto-policy

Related Topics