Re: F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, May 30, 2022 at 10:34 PM Garry T. Williams <gtwilliams@xxxxxxxxx> wrote:
>
> On Friday, April 29, 2022 5:49:05 PM EDT Ben Cotton wrote:
> > Cryptographic policies will be tightened in Fedora 38-39,
> > SHA-1 signatures will no longer be trusted by default.
> > Fedora 37 specifically doesn't come with any change of defaults,
> > and this Fedora Change is an advance warning filed for extra visibility.
> > Test your setup with FUTURE today and file bugs so you won't get bit
> > by Fedora 38-39.
>
> [snip]
>
> In case you want some feedback,

Thank you for taking time to do that.

> > Install crypto-policies-scripts package and switch to a more restrictive policy
> > with either `update-crypto-policies --set FUTURE`
> > or `update-crypto-policies --set TEST-FEDORA39`.
> >
> > Proceed to use the system as usual,
> > identify the workflows which are broken by this change.
>
> I did that and several days later I did:
>
>     $ sudo dnf upgrade --enablerepo=updates-testing
>     Errors during downloading metadata for repository 'fedora':
>       - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64&countme=3 [SSL certificate problem: CA certificate key too weak]
>       - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate problem: CA certificate key too weak]
>     Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.fedoraproject.org/metalink?repo=fedora-36&arch=x86_64 [SSL certificate problem: CA certificate key too weak]
>
> > Verify that the broken functionality works again
> > if you the policy is relaxed back
> > with, e.g., `update-crypto-policies --set FUTURE:SHA-1`,
>
> This was a problem:
>
>     $ sudo update-crypto-policies --set FUTURE:SHA-1
>     Unknown policy `SHA-1`: file `SHA-1.pmod` not found in (., policies/modules, /etc/crypto-policies/policies/modules, /usr/share/crypto-policies/policies/modules)
>
> That seems like a typo.

Indeed, thanks for spotting. Fixed in two places.

> After looking in
> /usr/share/crypto-policies/policies/modules, I tried again with:
>
>     $ sudo update-crypto-policies --set FUTURE:SHA1
>     Setting system policy to FUTURE:SHA1
>
> But that didn't get me back.  I got the same error doing dnf upgrade.
>
> I had to do:
>
>     $ sudo update-crypto-policies --set DEFAULT
>
> to get back to dnf working again.
>
> > file bug reports against the affected components if not filed already.
>
> I really don't know what "component" to use filing a bug.

Yeah, that seems like a case when
the service administrator is the one to be notified.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux