Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: nss
Labels:
- Accepted
- CY25Q3
- Committed
- Regresssion

Regression:
No
Severity:
Moderate
Epic Link:
CRYPTO-15443
sprint_count:
1

AssignedTeam:
rhel-security-crypto

Dev Target Milestone:
24
Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto25August

Acceptance Criteria:
Hide

The following existing NSS tests start passing again:

-/Interoperability/Hybrid-ML-KEM-in-TLS

-/Interoperability/ML-KEM-interoperability-with-GnuTLS

-/Interoperability/ML-KEM-interoperability-with-OpenSSL
Show
The following existing NSS tests start passing again: -/Interoperability/Hybrid-ML-KEM-in-TLS -/Interoperability/ML-KEM-interoperability-with-GnuTLS -/Interoperability/ML-KEM-interoperability-with-OpenSSL
Preliminary Testing:
None
Errata Link:
https://errata.engineering.redhat.com/advisory/152258
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

nss-3.112.0-1.el10_0 has regressed: NSS-POLICY-FAIL allow: unknown identifier: mlkem768secp256r1

example config enabling both ML-DSA and ML-KEM

library=p11-kit-proxy.so
name=p11-kit-proxy


library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:mlkem768x25519:mlkem768secp256r1:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm/ssl:chacha20-poly1305/ssl:aes256-cbc:aes128-gcm/ssl:aes128-cbc:des-ede3-cbc/pkcs12-legacy,smime:rc2/pkcs12-legacy,smime-legacy:rc2-40-cbc/pkcs12-legacy,smime-legacy:rc2-64-cbc/pkcs12-legacy,smime-legacy:rc2-128-cbc/pkcs12-legacy,smime-legacy:SHA256:SHA384:SHA512:SHA3-256:SHA3-384:SHA3-512:SHA224:SHA3-224:SHA1/pkcs12-legacy:ECDHE-RSA/ssl-key-exchange:ECDHE-ECDSA/ssl-key-exchange:DHE-RSA/ssl-key-exchange:RSA-PKCS/smime-key-exchange:RSA-OAEP/smime-key-exchange:DH/smime-key-exchange:ECDH/smime-key-exchange:ML-DSA-44:ML-DSA-65:ML-DSA-87:ECDSA:ED25519:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

before, nss-3.101.0-13.el10.x86_64

[root@rhel-10-1-20250626-1 ~]# nss-policy-check -f identifier -f value cfg
NSS-POLICY-FAIL allow: unknown identifier: ML-DSA-44
NSS-POLICY-FAIL allow: unknown identifier: ML-DSA-65
NSS-POLICY-FAIL allow: unknown identifier: ML-DSA-87
...

after, nss-3.112.0-1.el10_0.x86_64

[root@rhel-10-1-20250626-1 ~]# nss-policy-check -f identifier -f value cfg
NSS-POLICY-FAIL allow: unknown identifier: mlkem768secp256r1
...

blocks

RHEL-103962 enable ML-DSA in NSS in crypto-policies

Release Pending

links to

RHEA-2025:152258 nss enhancement update

Assignee:: Robert Relyea

Reporter:: Alexander Sosedkin

Developer:: Robert Relyea

QA Contact:: Ondrej Moris

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/07/16 9:39 AM

Updated:: 2025/09/08 3:27 PM

Resolved:: 2025/09/08 3:27 PM

Dev Target end:: 2025/08/11

Target end:: 2025/08/25

Next Planned Release Date:: 1970/01/01

Release Date:: 2025/09/08

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates