Our "service" has just switched from CentOS 8 to CentOS 9, where the defaults are Python 3.9.21 and OpenSSL 3.2.1.
Once I start the service and try a client call, I see this failure in the service log file:
2025-03-03 14:26:41.666 2187 DEBUG faas.utils.wsgi [-] (2187) accepted ('10.160.41.128', 10604) server /var/lib/fas/app/lib64/python3.9/site-packages/eventlet/wsgi.py:1004
2025-03-03 14:26:41.670 2186 DEBUG faas.utils.sslutils [-] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147) do_handshake /var/lib/fas/app/lib64/python3.9/site-packages/faas/utils/sslutils.py:169
2025-03-03 14:26:41.670 2186 DEBUG faas.utils.wsgi [-] (2186) accepted ('10.160.41.128', 10605) server /var/lib/fas/app/lib64/python3.9/site-packages/eventlet/wsgi.py:1004
2025-03-03 14:26:41.676 2187 DEBUG faas.utils.sslutils [-] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147) do_handshake /var/lib/fas/app/lib64/python3.9/site-packages/faas/utils/sslutils.py:169
Any ideas how to resolve this issue?
BTW, I have already applied this setting on CentOS 9:
sudo update-crypto-policies --set LEGACY
And here is the output from the openssl version -f command:
openssl version -f
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.2.1-6034311d01fcd074\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
And the contents of the openssl.config file are:
more /etc/crypto-policies/back-ends/openssl.config
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Thanks,
Jack
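
Added example (not part of the original post and not the service's own code): a stdlib-only Python check that reads the @SECLEVEL from the cipher string quoted above, applies the minimum key sizes that upstream OpenSSL documents for each security level, and counts the "key too weak" verify failures per worker PID in the quoted log lines. The function names are assumptions; the policy string and log lines are copied from the post.

```python
import re

# level -> (min RSA/DSA/DH bits, min ECC bits), per upstream OpenSSL's
# SSL_CTX_set_security_level documentation. Level 0 imposes no minimum.
LEVELS = {0: (0, 0), 1: (1024, 160), 2: (2048, 224),
          3: (3072, 256), 4: (7680, 384), 5: (15360, 512)}

SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d)")
# Captures timestamp, worker PID and the OpenSSL verify reason.
FAIL_RE = re.compile(r"^(\S+ \S+) (\d+) .*CERTIFICATE_VERIFY_FAILED\] "
                     r"certificate verify failed: (.+?) \(_ssl\.c:\d+\)")

# Copied from the post: openssl.config contents and three of the log lines.
POLICY = ("@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4"
          ":!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8")
LOG = [
    "2025-03-03 14:26:41.666 2187 DEBUG faas.utils.wsgi [-] (2187) accepted ('10.160.41.128', 10604) server /var/lib/fas/app/lib64/python3.9/site-packages/eventlet/wsgi.py:1004",
    "2025-03-03 14:26:41.670 2186 DEBUG faas.utils.sslutils [-] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147) do_handshake /var/lib/fas/app/lib64/python3.9/site-packages/faas/utils/sslutils.py:169",
    "2025-03-03 14:26:41.676 2187 DEBUG faas.utils.sslutils [-] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: EE certificate key too weak (_ssl.c:1147) do_handshake /var/lib/fas/app/lib64/python3.9/site-packages/faas/utils/sslutils.py:169",
]

def policy_seclevel(cipher_string):
    """Return the @SECLEVEL=N value in a cipher string, or None if absent."""
    m = SECLEVEL_RE.search(cipher_string)
    return int(m.group(1)) if m else None

def key_allowed(kind, bits, level):
    """kind is 'rsa' (also DSA/DH) or 'ec'; True if the key meets the level's minimum."""
    rsa_min, ec_min = LEVELS[level]
    return bits >= (ec_min if kind == "ec" else rsa_min)

def weak_key_failures(log_lines):
    """Count 'key too weak' certificate verify failures per worker PID."""
    counts = {}
    for line in log_lines:
        m = FAIL_RE.match(line)
        if m and "key too weak" in m.group(3):
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts

if __name__ == "__main__":
    level = policy_seclevel(POLICY)
    print("effective @SECLEVEL:", level, "min (RSA, ECC) bits:", LEVELS[level])
    print("RSA-1024 allowed at this level:", key_allowed("rsa", 1024, level))
    print("weak-key failures per PID:", weak_key_failures(LOG))
```

To apply it to a real certificate, read the key size from `openssl x509 -in <cert> -noout -text` (the "Public-Key" line) and pass it to `key_allowed`.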