Bug ID | 1208210 |
---|---|
Summary | FUTURE crypto-policy: download (zypper) from download.opensuse.org fails due to 2048-bit intermediate CA certificate |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | x86-64 |
OS | openSUSE Tumbleweed |
Status | NEW |
Severity | Minor |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | walter.haidinger@gmx.at |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
More like a feature request: download.opensuse.org has a letsencrypt certificate with a 2048-bit in the intermediate CA chain ("R3" intermediate: https://crt.sh/?caid=183267). Not necessarily a bug but it hurts FUTURE crypto-policy adoption as FUTURE requires at least 3072 bits for certificates. Hence, downloading from download.opensuse.org via curl or zypper fails: update-crypto-policies --set FUTURE zypper ref will show: Error message: SSL certificate problem: CA certificate key too weak Yes, letsencrypt shouldn't use 2048-bit intermediates in 2023 but I don't see that changing before 2025. Still, simply setting the FUTURE crypto-policy shouldn't make zypper fail. Workaround: create a RSA-2048 crypto-policy module: echo "min_rsa_size = 2048" > /etc/crypto-policies/policies/modules/RSA2048.pmod update-crypto-policies --set FUTURE:RSA2048