Alma repos are unavailable when crypto policies are FUTURE

[matthewcky2k]

Same issue as here https://access.redhat.com/discussions/4524081
It looks like when the crypto policy is to FUTURE we are unable to connect to the Alma Linux repos with the following error:
Error: Error downloading packages:
Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: EE certificate key too weak]

[jonathanspw]

Looking into how we can best address this.

Even if we fix the mirrorlist itself most mirrors are using LE certs which are signed with a 2048-bit CA.

[SolSoCoG]

Looking into how we can best address this.

Even if we fix the mirrorlist itself most mirrors are using LE certs which are signed with a 2048-bit CA.

You can add a parameter that asks for 4096 key size however or go as far and request a ec-384 ecc key to serve as a second option.

[jonathanspw]

Looking into how we can best address this.
Even if we fix the mirrorlist itself most mirrors are using LE certs which are signed with a 2048-bit CA.

You can add a parameter that asks for 4096 key size however or go as far and request a ec-384 ecc key to serve as a second option.

Yes LE will provide 4096-bit certs but their CA is still only 2048 so the error will remain.

EC may be an option but AWS doesn't play nice with LE EC certs.

[jonathanspw]

There is a temporary fix/cert in place for this so you should not get the errors now. We'll keep this issue open until we decide how we'll solve this permanently.

[matthewcky2k]

Great thanks for looking into and addressing so quickly.

[jonathanspw]

Renewed cert.

[bbaassssiiee]

The FUTURE crypto-policy has this issue with mirrors using LE certs.

A policy that might work with your mirrors is FIPS:

# update-crypto-policies --set FIPS

If Federal Information Processing Standard is not your thing, try the custom policy below.
It works quite well, but ECDHE, needed for the mirror list, has weak elliptic curves.

# https://access.redhat.com/articles/3642912

mac = AEAD HMAC-SHA2-384

group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
    FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192

hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224

# SHA1 signatures needed for DNSSec
sign = EDDSA-ED25519 \
       RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \
       RSA-SHA3-256 RSA-SHA2-256 \
       RSA-SHA3-384 RSA-SHA2-384 \
       RSA-SHA3-512 RSA-SHA2-512 \
       RSA-PSS-SHA2-224 RSA-SHA2-224 \
       ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1

# tls_cipher is deprecated
cipher@TLS = AES-256-GCM AES-256-CCM \
    AES-128-GCM AES-128-CCM

cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 \
    CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM AES-128-CTR

# Yum mirrors need ECDHE (using weak elliptic curves like ecdh-sha2-nistp521)
key_exchange = ECDHE DHE-PSK ECDHE-PSK DHE DHE-RSA PSK DHE-PSK

# protocol is deprecated
protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
# ike_protocol is deprecated
protocol@IKE = IKEv2

min_tls_version = TLS1.2
min_dtls_version = DTLS1.2

# Parameter sizes not ideal, but needed for some repositories
min_dh_size = 2048
min_dsa_size = 2048
min_rsa_size = 2048

# GnuTLS only for now
sha1_in_certs = 0

arbitrary_dh_groups = 1
ssh_certs = 1
ssh_etm = 1

[LKHN]

FYI: We upgraded the certificates to Let’s Encrypt's E1 Intermediate on June 23, 2022

The Current TLS full chain is:

mirrors.almalinux.org (ECDSA P-384) -> Let’s Encrypt E1 (ECDSA P-384) -> ISRG Root X2 (ECDSA P-384)

It's tested and working on all crypto policies of AlmaLinux 8 and 9.

[bbaassssiiee]

Those crypto policies depend on weak elliptic curves (NIST). See http://safecurves.cr.yp.to/

[LKHN]

Yes. Because It's strongest and most recent security policy (ELBSecurityPolicy-FS-1-2-Res-2020-10) the AWS Application Load Balancer supports¹ right now.

I have been closely tracking the status of the available security policies. Once new and stronger one available we will upgrade too.

Thanks for the helpful information!

Footnotes

1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies ↩

[bbaassssiiee]

Security note: system-wide crypto policies imply the same key exchange setting is used for TLS and SSH. ECDHE is not needed for SSH, therefore you might want to tune /etc/sysconfig/sshd

[bbaassssiiee]

A mirror service that is accessible with crypto-policy FUTURE.

Locations: https://xtom.com/mirrors/

# almalinux.repo

[baseos]
name=AlmaLinux $releasever - BaseOS
baseurl=https://mirrors.xtom.nl/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream]
name=AlmaLinux $releasever - AppStream
baseurl=https://mirrors.xtom.nl/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras]
name=AlmaLinux $releasever - Extras
baseurl=https://mirrors.xtom.nl/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[bbaassssiiee]

To apply for Let's encrypt ECDSA: https://community.letsencrypt.org/t/ecdsa-availability-in-production-environment/150679