Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-103800

Rebase NSS for Firefox in RHEL 8.

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Critical Critical
    • rhel-8.10.z
    • rhel-8.10.z
    • nss
    • No
    • Critical
    • 1
    • rhel-security-crypto
    • 5
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25July
    • Hide
      • xyber cannot be negotiated
      • GREASE [/CoreOS/nss/Sanity/GREASE]: should not be enabled by default
      • Bug 1902119 - reuse X25519 share when offering both X25519 and Xyber768d00.
      • check X25519 key share is reused between classic and hybrid with ML-KEM
      • check P256 one is reused; if not, nudge upstream
      • resume with strsclnt a few times and verify every key share is unique
        [optional, hinges on being able to send two key shares though =/]
      • Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key
      • craft a file with EC private key only,
        should import into database and work for TLS connection
      • Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
      • check that the ECDHE FIPS pairwise consistency check
        in pkcs11c.c:NSC_GenerateKeyPair is triggered in FIPS mode
      • CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN is not in fips_algorithms.h
        [manual check]
      • Bug 1935925 - change default sensitivity of KEM keys.
      • connection decryption with SSLKEYLOGFILE keys
        still works when ML-KEM key shares are in use
      Show
      xyber cannot be negotiated GREASE [/CoreOS/nss/Sanity/GREASE] : should not be enabled by default Bug 1902119 - reuse X25519 share when offering both X25519 and Xyber768d00. check X25519 key share is reused between classic and hybrid with ML-KEM check P256 one is reused; if not, nudge upstream resume with strsclnt a few times and verify every key share is unique [optional, hinges on being able to send two key shares though =/] Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key craft a file with EC private key only, should import into database and work for TLS connection Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN check that the ECDHE FIPS pairwise consistency check in pkcs11c.c:NSC_GenerateKeyPair is triggered in FIPS mode CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN is not in fips_algorithms.h [manual check] Bug 1935925 - change default sensitivity of KEM keys. connection decryption with SSLKEYLOGFILE keys still works when ML-KEM key shares are in use
    • Pass
    • None
    • Rebase
    • Hide
      Version: NSS 3.112
      List of highlights:
      - add ml-dsa support for certificates and ssl
      - add ml-kem-1024 hybrid support for ssl
      Show
      Version: NSS 3.112 List of highlights: - add ml-dsa support for certificates and ssl - add ml-kem-1024 hybrid support for ssl
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Rebase NSS to nss 3.112 in RHEL-8 for Firefox.

      • include ml-dsa support
      • include mlkem1024 support.

              rrelyea Robert Relyea
              rrelyea Robert Relyea
              Robert Relyea Robert Relyea
              Alexander Sosedkin Alexander Sosedkin
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: