BLUF: Can someone help me set yum and/or dnf to prefer TLS 1.3 when connecting to https sites?
Situation:
- fresh installation of CentOS Stream 9 (CentOS-Stream-9-20220718.0-x86_64-dvd1.iso)
- on corporate network with a transparent proxy service
- with the repos at their defaults, yum and dnf fail to download with the following error:
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for https://mirrors.centos.org/metalink?repo=centos-baseos-9-stream&arch=x86_64&protocol=https,http [error:0A000152:SSL routines::unsafe legacy renegotiation disabled]
- with other repos that use https connections I am getting the same errors
- once the centos.repo is modified to point to http rather than https the downloads work
- other repos that only support https (i.e. https://download.docker.com) still do not work
- curl https://google.com results in the same error along with any up-to-date https site
- curl --tlsv1.3 https://google.com results in the correct output from the server.
I think I have tracked this problem down to TLS 1.3 client support, possibly due to our company proxy rejecting the TLS 1.2 ciphers. What I cannot figure out is how to tell yum, dnf, or any other client-side command to use TLS 1.3 to negotiate the connection. I have found similar problems with CentOS 7 and 8 but have not found how it is addressed in 9. In 7 and 8 it seems that openssl is missing the ciphers for TLS 1.3, but on 9 openssl is updated and has 1.3 support.
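As an added example (my own script, not the poster's and not anything shipped by CentOS): on CentOS Stream 9 both curl and dnf (through librepo, which uses libcurl) are built against OpenSSL, and /etc/pki/tls/openssl.cnf includes the crypto-policies back-end config, so the minimum TLS version can be raised in one place instead of per client. The script below shows two ways to do that, system-wide with a crypto-policies subpolicy module and per-command with a private openssl.cnf selected via OPENSSL_CONF, which is handy for trying a single `dnf makecache` without changing the box. The subpolicy name TLS13ONLY, the helper function names and the temp-file paths are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the original post): make OpenSSL-backed clients on
# CentOS Stream 9 (curl, and dnf/yum via librepo -> libcurl) negotiate TLS 1.3
# only. Subpolicy name, helper names and temp paths are this example's own.
set -u

# 1. System-wide: a crypto-policies subpolicy module. Applying it regenerates
#    /etc/crypto-policies/back-ends/*.config, which openssl.cnf includes, so
#    every OpenSSL (and GnuTLS/NSS) client and server on the host is affected.
#    $1 = directory to write into (default: the real modules directory).
write_tls13_subpolicy() {
    local dir="${1:-/etc/crypto-policies/policies/modules}"
    mkdir -p "$dir"
    cat > "$dir/TLS13ONLY.pmod" <<'EOF'
# Subpolicy: allow only TLS 1.3 (no TLS 1.2 or older) for the TLS scope.
protocol@TLS = TLS1.3
EOF
    printf '%s\n' "$dir/TLS13ONLY.pmod"
}

# Activate the subpolicy on top of DEFAULT. Needs root; affects new processes.
# Revert with: update-crypto-policies --set DEFAULT
apply_tls13_subpolicy() {
    command -v update-crypto-policies >/dev/null || {
        echo "update-crypto-policies not found (not a crypto-policies system?)" >&2
        return 1
    }
    update-crypto-policies --set DEFAULT:TLS13ONLY
}

# 2. Per-command: a private openssl.cnf whose system_default section raises
#    MinProtocol. OpenSSL reads the file named by OPENSSL_CONF at init, so a
#    single curl or dnf run can be tested without touching the system policy.
write_tls13_openssl_cnf() {
    local file="${1:-/tmp/openssl-tls13.cnf}"
    cat > "$file" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.3
EOF
    printf '%s\n' "$file"
}

# Run one command with the TLS 1.3 minimum in effect for OpenSSL in that process.
#   with_tls13 curl -sSI https://mirrors.centos.org/
#   with_tls13 dnf makecache        # run as root; sudo would strip OPENSSL_CONF
with_tls13() {
    local cnf
    cnf=$(write_tls13_openssl_cnf "${TMPDIR:-/tmp}/openssl-tls13.$$.cnf")
    OPENSSL_CONF="$cnf" "$@"
}
```

Two caveats before adopting the system-wide variant: `protocol@TLS = TLS1.3` also applies to TLS servers on the host and to any client that talks to a TLS 1.2-only endpoint (those connections will then fail outright), and `update-crypto-policies --show` tells you which policy is in effect if a later dnf failure looks policy-related. The OPENSSL_CONF route only affects the one process tree, which makes it the safer way to confirm that a TLS 1.3 minimum actually fixes the metalink download behind the proxy.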