Story
Resolution: Unresolved
Minor
rhel-9.0.0
Low
sst_security_crypto
ssg_security
Description of problem:
At the moment, if you want to (e.g.) ssh to a particular host that
uses legacy crypto, or upgrade RPM packages which use SHA1 signatures,
or connect to an old HTTPS server with Firefox, then the easiest
way to describe this to a customer is to use the big hammer:
- update-crypto-policies --set LEGACY
This of course downgrades security for the whole system.
The alternative is to use service-specific voodoo, e.g. the
right way to do this for ssh to a host happens to be:
.ssh/config:
Host old-host
    KexAlgorithms diffie-hellman-group1-sha1
(Actually I'm not sure that is true, I have read differing advice
on this. Even if this works now, will it continue to work in future?)
This bug is a request that somehow we make this easier.
Version-Release number of selected component (if applicable):
crypto-policies-20220223-1.git5203b41.el9.noarch