amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Bug] - EE Certificate key too weak when using FUTURE crypto-policies #284

Closed adrianmace closed 1 year ago

adrianmace commented 1 year ago

Describe the bug

When using the FUTURE system-wide crypto-policies as provided by man crypto-policies, the TLS certificate for the dnf repositories no longer works.

To Reproduce

[root@ip-10-49-105-72 ~]$ echo 'FUTURE' > /etc/crypto-policies/config
[root@ip-10-49-105-72 ~]$ update-crypto-policies --set
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
[root@ip-10-49-105-72 ~]$ dnf update
Last metadata expiration check: 0:01:16 ago on Tue Mar 14 05:32:37 2023.
Error encountered while trying to retrieve release update information: Unable to retrieve release info data. Curl error (60): SSL peer certificate or SSH remote key was not OK for https://al2023-repos-ap-southeast-2-de612dc2.s3.dualstack.ap-southeast-2.amazonaws.com/core/releasemd.xml [SSL certificate problem: EE certificate key too weak]
Dependencies resolved.
Nothing to do.
Complete!

Expected behavior

I expect to be able to use the FUTURE preset crypto policies as it provides a central way to restrict cryptographic protocols and MACs to known-good options for all supported daemons.

Additional context

I do not want to revert back to a default or customised policy for each daemon supported.

adrianmace commented 1 year ago

From man crypto-policies you can find the following info on what is set.

FUTURE
  A conservative security policy that is believed to withstand any near-term future attacks. This policy does not
  allow the use of SHA-1 in signature algorithms. The policy also provides some (not complete) preparation for 
  post-quantum encryption support in form of 256-bit symmetric encryption requirement. The RSA and Diffie-Hellman
  parameters are accepted if larger than 3071 bits. This policy provides at least 128-bit security.
  •   MACs: all HMAC with SHA-256 or better + all modern MACs (Poly1305 etc.)
  •   Curves: all prime >= 255 bits (including Bernstein curves)
  •   Signature algorithms: with SHA-256 hash or better (no DSA)
  •   TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers
  •   non-TLS Ciphers: same as TLS ciphers with added non AE ciphers and Camellia
  •   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
  •   DH params size: >= 3072
  •   RSA keys size: >= 3072
  •   TLS protocols: TLS >= 1.2, DTLS >= 1.2

nmeyerhans commented 1 year ago

Hi @adrianmace. Thanks for this report. I've confirmed the behavior you're describing and we are looking into it. At first glance it seems like our FUTURE crypto policy is too strict, but it'll take a little longer to get a definitive answer about the correct path forward. We'll follow up here with additional information as it becomes available.

adrianmace commented 1 year ago

@nmeyerhans Thank you for the response. Just looping back to find out how far away you are from a resolution for this?

It is the single remaining blocker for us adopting Amazon Linux 2023.

paulez commented 1 year ago

Hello @adrianmace, thank you for your report. For now we recommend creating a custom policy to suit your needs.

For example, if you want to disable SHA-1 MACs, you can do the following:

  1. Create a new custom policy from the default one: cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/NO-SHA1-MAC.pol
  2. Edit the /etc/crypto-policies/policies/NO-SHA1-MAC.pol file and remove HMAC-SHA1 from the mac section.
  3. Generate the system policy from the new custom policy: sudo update-crypto-policies --set NO-SHA1-MAC
  4. Reboot to ensure all services are picking up the policy change.
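
Steps 1 to 3 above as a script, added here as an example (it is not from this thread or from the Amazon Linux project): the hypothetical helper `strip_mac` makes the step 2 edit on the `mac` line only and fails if the algorithm was not there to remove. The sample policy file is constructed and assumes the `key = value` layout of `.pol` files.

```shell
# strip_mac BASE_POL NEW_POL ALGORITHM  (hypothetical helper, added example)
# Writes NEW_POL as a copy of BASE_POL with ALGORITHM removed from the
# "mac =" line only. Returns 3 and leaves no NEW_POL if ALGORITHM was not in
# that line, so a no-op edit is never mistaken for a hardened policy.
strip_mac() {
    base=$1; new=$2; alg=$3
    awk -v alg="$alg" '
        /^[ \t]*mac[ \t]*=/ {
            n = split(substr($0, index($0, "=") + 1), tok, " ")
            out = "mac ="
            for (i = 1; i <= n; i++) {
                if (tok[i] == alg) { removed = 1; continue }
                out = out " " tok[i]
            }
            print out
            next
        }
        { print }
        END { if (!removed) exit 3 }
    ' "$base" > "$new" || { rm -f "$new"; return 3; }
}

# Constructed sample in the "key = value" layout of a .pol file. It is not
# the real DEFAULT.pol; the hash and sign lines mention SHA1 on purpose.
make_sample() {
    cat > "$1" <<'EOF'
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-512
hash = SHA2-256 SHA2-384 SHA2-512 SHA1
sign = ECDSA-SHA2-256 RSA-SHA2-256 RSA-SHA1
min_rsa_size = 2048
EOF
}

# Runs steps 1-2 on the sample in a scratch directory and prints the result.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/DEFAULT.pol"
    strip_mac "$dir/DEFAULT.pol" "$dir/NO-SHA1-MAC.pol" HMAC-SHA1 &&
        cat "$dir/NO-SHA1-MAC.pol"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
# On a real host the same call takes the paths from steps 1-3:
#   strip_mac /usr/share/crypto-policies/policies/DEFAULT.pol \
#       /etc/crypto-policies/policies/NO-SHA1-MAC.pol HMAC-SHA1 &&
#       update-crypto-policies --set NO-SHA1-MAC
```

Only the `mac` line changes; the `hash` and `sign` entries that mention SHA1 are left as they were, which a plain search-and-replace on "SHA1" would not guarantee.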