Hi folks, our security scanner complains about weak ciphers in Rocky 8 (httpd and ssh). The security policy is set to "DEFAULT". If I set it to "FUTURE", then httpd is not started anymore (breaking ipa.service) due to some short keys. From the httpd error log:

[Tue Aug 01 07:15:37.847520 2023] [suexec:notice] [pid 13991:tid 140196092746048] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 01 07:15:37.849785 2023] [ssl:emerg] [pid 13991:tid 140196092746048] AH02562: Failed to configure certificate ipaca8.example.com:443:0 (with chain), check /var/lib/ipa/certs/httpd.crt
[Tue Aug 01 07:15:37.849826 2023] [ssl:emerg] [pid 13991:tid 140196092746048] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
AH00016: Configuration Failed

The httpd key and cert were generated by FreeIPA just a few weeks ago, so I wonder how to proceed in this case? Upgrade to Rocky 9 to get better defaults?

Regards
Harri
