Richard W.M. Jones <rjones(a)redhat.com> wrote:
> I somehow thought that loading the legacy provider would be the same
> as the LEGACY crypto policy, except just for Python 2.7 rather than
> for the entire system.

It’s a common misconception. So common that I recently wrote a blog post to
explain the difference:
https://www.redhat.com/en/blog/legacy-cryptography-fedora-36-and-red-hat-...

> Setting the whole system crypto-policy to LEGACY (and reverting the
> code for loading the legacy provider) fixes almost everything.

Thanks for testing and confirming that. In that case, it’s really just a
case of running the test with a separate OpenSSL configuration file that
applies weaker defaults.
HTH,
Clemens
--
Clemens Lang
RHEL Crypto Team
Red Hat
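
An added example, not part of the original message or of any project's own code: one way to run a single command against a separate OpenSSL configuration file with weaker defaults, so the system-wide crypto policy stays untouched. The function names and the specific settings (`MinProtocol`, `SECLEVEL`) are assumptions; the thread does not say which defaults the test needs.

```shell
#!/bin/sh
# Added example. Function names and the chosen settings are assumptions,
# not taken from the thread.

# Write a standalone OpenSSL config to the path given in $1.
# It does not include the system crypto-policies back-end file and does
# not load the legacy provider; it only lowers the TLS defaults.
write_test_openssl_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_module

[ssl_module]
system_default = tls_defaults

[tls_defaults]
# Assumed values: raise these to the strictest level the test still passes with.
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
EOF
}

# Run "$@" with OPENSSL_CONF pointing at a temporary weak config.
# The weakening applies to that one process tree only; the temporary
# file is removed afterwards and the command's exit status is returned.
run_with_weak_openssl() {
    conf=$(mktemp) || return 1
    write_test_openssl_conf "$conf"
    rc=0
    env OPENSSL_CONF="$conf" "$@" || rc=$?
    rm -f "$conf"
    return "$rc"
}
```

Invoke it as `run_with_weak_openssl` followed by the test command; nothing outside that command sees the relaxed settings.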