Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.7
Affects Version/s: rhel-9.7
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q3
- rn-yml

Fixed in Build:
crypto-policies-20250804-1.git2c74f3d.el9
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-16984
sprint_count:
1

AssignedTeam:
rhel-security-crypto

Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25August

Acceptance Criteria:

Hide

AC1) NSS generated policy for DEFAULT:PQ contains mlkem768x25519, mlkem768secp256r1, and mlkem1024secp384r1 MLKEM groups.

Show
AC1) NSS generated policy for DEFAULT:PQ contains mlkem768x25519, mlkem768secp256r1, and mlkem1024secp384r1 MLKEM groups.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/150605
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.`crypto-polices` enables ML-KEM for NSS

With this update, the `crypto-polices` component enables Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for NSS in the DEFAULT:PQ subpolicy. As a result, NSS use the ML-KEM in TLS if the system has enabled the PQ subpolicy or a custom subpolicy and the other peer supports it as well.

Show
.`crypto-polices` enables ML-KEM for NSS With this update, the `crypto-polices` component enables Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for NSS in the DEFAULT:PQ subpolicy. As a result, NSS use the ML-KEM in TLS if the system has enabled the PQ subpolicy or a custom subpolicy and the other peer supports it as well.
Release Note Status:
In Progress
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

as NSS nss-3.112 got support for hybrid groups with ML-KEM in TLS, we should enable it in crypto-policies. In RHEL-9 that'd be PQ subpolicy specifically.

Please enable the mlkem768x25519, mlkem768secp256r1, and mlkem1024secp384r1 groups

Using crypto-policies-20250721-1.git162e4cb.el9.noarch

is related to

RHEL-103963 enable ML-DSA in NSS in PQ subpolicy [rhel-9]

Release Pending

links to

RHBA-2025:150605 crypto-policies bug fix and enhancement update

Assignee:: Alexander Sosedkin

Reporter:: Alicja Kario

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/07/31 3:14 PM

Updated:: 2025/10/08 5:07 PM

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates