RHEL-104169

Rebase NSS For Firefox RHEL 8


    • nss-3.112.0-4.el8_10
    • No
    • Important
    • 1
    • rhel-security-crypto-clubs
    • 3
    • False
    • False
    • None
    • Yes
    • Crypto25August

      • xyber cannot be negotiated
      • GREASE [/CoreOS/nss/Sanity/GREASE]: should not be enabled by default
      • Bug 1902119 - reuse X25519 share when offering both X25519 and Xyber768d00.
      • check X25519 key share is reused between classic and hybrid with ML-KEM
      • check P256 one is reused; if not, nudge upstream
      • resume with strsclnt a few times and verify every key share is unique
        [optional, hinges on being able to send two key shares though =/]
      • Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key
      • craft a file with EC private key only,
        should import into database
      • Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
      • check that the ECDHE FIPS pairwise consistency check
        in pkcs11c.c:NSC_GenerateKeyPair is triggered in FIPS mode
      • CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN is not in fips_algorithms.h
        [manual check]
      • Bug 1935925 - change default sensitivity of KEM keys.
      • connection decryption with SSLKEYLOGFILE keys
        still works when ML-KEM key shares are in use

    • Pass
    • Automated, Manual, RegressionOnly, New Test Coverage
    • Rebase

      Version: nss-3.112
      List of highlights:
      -mldsa support for certificates and ssl
      -mlkem1024 hybrid support for ssl

    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      We need to rebase to nss-3.112 for Firefox on RHEL-8.
      This rebase will include the same ml-dsa and mlkem1024 updates as RHEL-10 and RHEL-9.

              Robert Relyea (rrelyea)
              Alexander Sosedkin