Fedora hardens system-wide cryptopolicies. Current FUTURE policy in Fedora 37 requires RSA keys longer than 3071 bits (see crypto-policies(7) manual) which is not met by this "C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA" certificate used when accessing a mirror manager at https://mirrors.fedoraproject.org/:
-----BEGIN CERTIFICATE----- MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2 4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1 itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn 4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly /D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF 0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae cPUeybQ= -----END CERTIFICATE-----
A key of the certificate has only 2048 bits.
A reproducer:
# update-crypto-policies --set FUTURE Setting system policy to FUTURE Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. $ openssl s_client -connect mirrors.fedoraproject.org:https -verify_return_error CONNECTED(00000003) depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA verify error:num=67:CA certificate key too weak 40ACE295AA7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1883: --- Certificate chain 0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.fedoraproject.org i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384 v:NotBefore: Jan 27 00:00:00 2022 GMT; NotAfter: Feb 27 23:59:59 2023 GMT 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Oct 22 12:00:00 2013 GMT; NotAfter: Oct 22 12:00:00 2028 GMT --- no peer certificate available --- No client certificate CA names sent Server Temp Key: X25519, 253 bits --- SSL handshake has read 3427 bytes and written 276 bytes Verification error: CA certificate key too weak --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 67 (CA certificate key too weak) ---
Reported on Fedora devel list https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/EUEBKBX54REDX2CQLESKHTJBISWUJEKK/.
Once Fedora promotes F37 FUTURE policy into DEFAULT one, this issue will hit each Fedora user when updating his system. Please work with your certificate authority to enroll stronger certificates with at least 3072-bit RSA key. Alternatively, replace your certificate issuer.
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation
As of a couple of months ago, there isn't a stronger intermediate certificate from the provider. We are unable to change providers because this is the one that Red Hat pays for the certificates for us to have. This is going to be a UNABLE TO FIX ANYTIME SOON.
A year ago Digicert increased a minimal key length for singing a code including the complete certificate chain to 3072-bits https://knowledge.digicert.com/alerts/code-signing-new-minimum-rsa-keysize.html. I hope that Digicert will follow the same path with CAs for TLS servers. Current *.fedoraproject.org certificate expires on 2023-02-27.
I'm sorry, it was a false alarm. The proposed change https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 will keep RSA key limit to 2048 bits for DEFAULT policy in F37, as well as in F39 https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NQM6VR24ZV4LPOWJDGOYK74MPDQX3LVF/. I'm closing this request based on it.
Metadata Update from @ppisar: - Issue close_status updated to: Invalid - Issue status updated to: Closed (was: Open)
A cross reference: https://bugzilla.redhat.com/show_bug.cgi?id=1832292.
Log in to comment on this ticket.