When crypto policy is set to FUTURE, warnings about "EE certificate key too weak" are shown


Issue

When the crypto policy is set to FUTURE, an error is observed about the certificate key being too weak:

# curl -v --cert /etc/pki/entitlement/5287657135911278332.pem --key /etc/pki/entitlement/5287657135911278332-key.pem  https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml -k

*   Trying 23.222.172.83...
* TCP_NODELAY set
* Connected to cdn.redhat.com (23.222.172.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=North Carolina; O=Red Hat, Inc.; OU=Red Hat Network; CN=cdn.redhat.com
*  start date: Apr 24 12:53:26 2019 GMT
*  expire date: Apr 23 12:53:26 2021 GMT
*  issuer: C=US; ST=North Carolina; O=Red Hat, Inc.; OU=Red Hat Network; CN=Red Hat Entitlement Operations Authority; emailAddress=ca-support@redhat.com
*  SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml HTTP/1.1
> Host: cdn.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Type: application/xml
< ETag: "432f7ed176aa4447870fddd3e056651b:1579196131.992764"
< Last-Modified: Thu, 16 Jan 2020 17:33:41 GMT
< Server: AkamaiNetStorage
< Content-Length: 4622
< Date: Fri, 17 Jan 2020 11:28:41 GMT
< X-Cache: TCP_MEM_HIT from a173-223-52-56.deploy.akamaitechnologies.com (AkamaiGHost/9.8.5.1.1-27758809) (-)
< Connection: keep-alive
< EJ-HOST: authorizr-prod-dc-us-west-3-k7nll
< X-Akamai-Request-ID: aa786d1
< 
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1579196021</revision>
  <data type="primary">
    <checksum type="sha256">3b303348e77cd901b9969b1b366c456ea08f6822a32d4358dd6766c52fdaff8b</checksum>
    <open-checksum type="sha256">8583d5f1a9e0651a5eb42ffacead2382176018e2c603b4e3b93e4246b7635c3f</open-checksum>
    <location href="repodata/3b303348e77cd901b9969b1b366c456ea08f6822a32d4358dd6766c52fdaff8b-primary.xml.gz"/>
    <timestamp>1579195962</timestamp>
    <size>3751302</size>
    <open-size>28131917</open-size>
  </data>
  <data type="filelists">
    <checksum type="sha256">2925f8febbf41b816fa42d918be2c16d8f33210d640e55e50c64d963e2a90d7c</checksum>
    <open-checksum type="sha256">9b82ecad59d6337588121dc0f7fccfe98b145efbefd96d5cea32c997c98312a3</open-checksum>
    <location href="repodata/2925f8febbf41b816fa42d918be2c16d8f33210d640e55e50c64d963e2a90d7c-filelists.xml.gz"/>
    <timestamp>1579195958</timestamp>
    <size>9491343</size>
    <open-size>116140854</open-size>
  </data>
  <data type="other">
    <checksum type="sha256">a11f1d4b38be44effc73d5b580e805900820ec3a2e4e67cfa17d52d65e9ed818</checksum>
    <open-checksum type="sha256">65728566dd105e58299c6a42c50bd242d98831d10267f8cf48ed6ed9c7673adf</open-checksum>
    <location href="repodata/a11f1d4b38be44effc73d5b580e805900820ec3a2e4e67cfa17d52d65e9ed818-other.xml.gz"/>
    <timestamp>1579195960</timestamp>
    <size>36312002</size>
    <open-size>161238722</open-size>
  </data>
  <data type="primary_db">
    <checksum type="sha256">0c9317a339d2950214ec0088f56f3a1e72c777fa6caacf47478059bc94a81bbc</checksum>
    <open-checksum type="sha256">1019e34ccb02e88f78b5928fdf5a5ee3c02d9f05cafbf1bc07f0ddfb9f96accb</open-checksum>
    <location href="repodata/0c9317a339d2950214ec0088f56f3a1e72c777fa6caacf47478059bc94a81bbc-primary.sqlite.bz2"/>
    <timestamp>1579196006</timestamp>
    <size>6471299</size>
    <open-size>32912384</open-size>
    <database_version>10</database_version>
  </data>
  <data type="filelists_db">
    <checksum type="sha256">b6afcd795845988071db8f91711e59c065e5d2f16e98a5f00075005f3888ab27</checksum>
    <open-checksum type="sha256">6eec3f1f66f18a4e9b25522a9bf46cb4473cfd7b677775cd39b6ae77684e1e0f</open-checksum>
    <location href="repodata/b6afcd795845988071db8f91711e59c065e5d2f16e98a5f00075005f3888ab27-filelists.sqlite.bz2"/>
    <timestamp>1579196009</timestamp>
    <size>10447920</size>
    <open-size>54325248</open-size>
    <database_version>10</database_version>
  </data>
  <data type="other_db">
    <checksum type="sha256">6f9e41d066d3b8e6a4d180c47b43de88526f059ae877808c30aed6536535feb4</checksum>
    <open-checksum type="sha256">230b46440b3c5453bd337233d40091ec34c1f0dbddbbafb650826393aedd5582</open-checksum>
    <location href="repodata/6f9e41d066d3b8e6a4d180c47b43de88526f059ae877808c30aed6536535feb4-other.sqlite.bz2"/>
    <timestamp>1579196021</timestamp>
    <size>33768796</size>
    <open-size>155353088</open-size>
    <database_version>10</database_version>
  </data>
  <data type="group">
    <checksum type="sha256">aee6016df8ddce215d578834f8746f360c6b63094cfd450256cf0d607369d4bf</checksum>
    <location href="repodata/aee6016df8ddce215d578834f8746f360c6b63094cfd450256cf0d607369d4bf-comps.xml"/>
    <timestamp>1579195988</timestamp>
    <size>483958</size>
  </data>
  <data type="modules">
    <checksum type="sha256">55a3ae74e3c301f3acf5ed5c3f793ae4f72ebc9f939c9dec3f303ee00fe283ac</checksum>
    <open-checksum type="sha256">5633ea59277184a3d5686bba8235e1ea9270a2a59d2587381c73b20d02e9bf01</open-checksum>
    <location href="repodata/55a3ae74e3c301f3acf5ed5c3f793ae4f72ebc9f939c9dec3f303ee00fe283ac-modules.yaml.gz"/>
    <timestamp>1579195987</timestamp>
    <size>132610</size>
    <open-size>927048</open-size>
  </data>
  <data type="productid">
    <checksum type="sha256">bd1d68198db37ca5cf8189d8c5a86b311a80592376da5143e07f89f0a7d65dff</checksum>
    <location href="repodata/6cc49db2-0ac9-4b74-91f7-cf7c3b7c81e5"/>
    <timestamp>1572968952</timestamp>
    <size>2171</size>
  </data>
  <data type="updateinfo">
    <checksum type="sha256">3a40fcb4454762f6c4567ecb967727cc382152a9b8b4117a9d9739f3c4023446</checksum>
    <open-checksum type="sha256">f764ae7d8098a7dbf5280e8cb88d48eef8ca24d34a4c58a8a96c307cd4913255</open-checksum>
    <location href="repodata/3a40fcb4454762f6c4567ecb967727cc382152a9b8b4117a9d9739f3c4023446-updateinfo.xml.gz"/>
    <timestamp>1579195984</timestamp>
    <size>422375</size>
    <open-size>2679589</open-size>
  </data>
</repomd>
* Connection #0 to host cdn.redhat.com left intact

Environment

Red Hat Enterprise Linux 8
