Bug ID 1208210
Summary FUTURE crypto-policy: download (zypper) from download.opensuse.org fails due to 2048-bit intermediate CA certificate
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Tumbleweed
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter walter.haidinger@gmx.at
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

More like a feature request:

download.opensuse.org has a letsencrypt certificate with a 2048-bit in the
intermediate CA chain ("R3" intermediate: https://crt.sh/?caid=183267).

Not necessarily a bug but it hurts FUTURE crypto-policy adoption as FUTURE
requires at least 3072 bits for certificates.

Hence, downloading from download.opensuse.org via curl or zypper fails:
update-crypto-policies --set FUTURE
zypper ref

will show:
Error message: SSL certificate problem: CA certificate key too weak

Yes, letsencrypt shouldn't use 2048-bit intermediates in 2023 but I don't see
that changing before 2025.

Still, simply setting the FUTURE crypto-policy shouldn't make zypper fail.

Workaround: create an RSA-2048 crypto-policy module:

echo "min_rsa_size = 2048" > /etc/crypto-policies/policies/modules/RSA2048.pmod
update-crypto-policies --set FUTURE:RSA2048
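
An added example, not part of the bug report or of the crypto-policies project: a POSIX shell script that walks a PEM certificate bundle and reports the smallest RSA modulus in it, so one can tell in advance whether a chain would be rejected by a min_rsa_size policy such as FUTURE (3072 bits per the report). The chain it checks is constructed locally with openssl (a 2048-bit "intermediate" signing a 4096-bit leaf) so the script runs offline; the threshold of 3072 and the fetch_chain helper for a live host are the only assumptions, and fetch_chain is not invoked here.

```shell
#!/bin/sh
# Added example: find the weakest RSA key in a certificate chain and compare it
# against a min_rsa_size threshold (FUTURE requires 3072 bits, per the report).
set -e

MIN_RSA_BITS=3072   # assumption: the FUTURE policy's RSA minimum quoted in the report

# Constructed test data: a 2048-bit CA signing a 4096-bit leaf, mirroring the
# "strong leaf, weak intermediate" situation the report describes.
make_test_chain() {   # usage: make_test_chain DIR  -> writes DIR/chain.pem
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -days 1 -subj "/CN=Constructed 2048-bit Intermediate" >/dev/null 2>&1
  openssl req -newkey rsa:4096 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 1 >/dev/null 2>&1
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/chain.pem"
}

# Print the smallest RSA modulus (in bits) among the certificates in a PEM bundle.
# Non-RSA keys (e.g. ECDSA leaves) are skipped: min_rsa_size does not apply to them.
min_rsa_bits_in_chain() {   # usage: min_rsa_bits_in_chain CHAIN.pem
  chain=$1
  splitdir=$(mktemp -d)
  # Split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v dir="$splitdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != "" { print > out }
  ' "$chain"
  min=""
  for cert in "$splitdir"/cert*.pem; do
    text=$(openssl x509 -in "$cert" -noout -text)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p')
    [ "$alg" = "rsaEncryption" ] || continue
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$min" ] || [ "$bits" -lt "$min" ]; then min=$bits; fi
  done
  rm -rf "$splitdir"
  echo "$min"
}

# Succeed (exit 0) only if every RSA key in the chain is at least MIN_BITS long,
# i.e. the chain would survive a policy with min_rsa_size = MIN_BITS.
chain_meets_min_rsa() {   # usage: chain_meets_min_rsa CHAIN.pem MIN_BITS
  min=$(min_rsa_bits_in_chain "$1")
  [ -n "$min" ] && [ "$min" -ge "$2" ]
}

# Optional helper for a live host (needs network; not run in this script):
# saves the chain the server presents, which is what zypper/curl validate.
fetch_chain() {   # usage: fetch_chain HOST OUT.pem
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_test_chain "$workdir"
echo "smallest RSA key in constructed chain: $(min_rsa_bits_in_chain "$workdir/chain.pem") bits"
if chain_meets_min_rsa "$workdir/chain.pem" "$MIN_RSA_BITS"; then
  echo "chain would pass a min_rsa_size = $MIN_RSA_BITS policy"
else
  echo "chain would be rejected by a min_rsa_size = $MIN_RSA_BITS policy (cf. 'CA certificate key too weak')"
fi
```

To check a real repository host instead of the constructed chain, run `fetch_chain download.opensuse.org chain.pem` and then `chain_meets_min_rsa chain.pem 3072`; a non-zero exit means a 2048-bit key is in the served chain and the FUTURE policy alone will make zypper fail, which is exactly the case the RSA2048 module above works around.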

