Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: Generate New Ti...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q3
- rn-yml

Fixed in Build:
crypto-policies-20250804-1.git2ca4115.el10
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-16330
sprint_count:
1

AssignedTeam:
rhel-security-crypto

Internal Target Milestone:
26
Story Points:
0.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25August

Acceptance Criteria:

Hide

AC1) Generated policy for NSS contains all three mlkem groups, ie. mlkem768x25519, mlkem768secp256r1 and mlkem1024secp384r1.

Show
AC1) Generated policy for NSS contains all three mlkem groups, ie. mlkem768x25519, mlkem768secp256r1 and mlkem1024secp384r1.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/148296
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.`crypto-policies` enables `secp384r1mlkem1024`

With this update, the `crypto-polices` component enables the `secp384r1mlkem1024` hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) group for NSS. The addition of `secp384r1mlkem1024` completes `crypto-policies` enabling all three hybrid ML-KEM groups, `mlkem768x25519`, `secp256r1mlkem768`, and `secp384r1mlkem1024`. As a result, NSS considers `secp384r1mlkem1024` for negotiation in TLS if enabled by the currently active system-wide cryptographic policy, such as DEFAULT.

Show
.`crypto-policies` enables `secp384r1mlkem1024` With this update, the `crypto-polices` component enables the `secp384r1mlkem1024` hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) group for NSS. The addition of `secp384r1mlkem1024` completes `crypto-policies` enabling all three hybrid ML-KEM groups, `mlkem768x25519`, `secp256r1mlkem768`, and `secp384r1mlkem1024`. As a result, NSS considers `secp384r1mlkem1024` for negotiation in TLS if enabled by the currently active system-wide cryptographic policy, such as DEFAULT.
Release Note Status:
Done
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

The new NSS in RHEL-10.1 supports all three hybrid ML-KEM groups, but crypto-policies enable only mlkem768x25519 and mlkem768secp256r1, please add also mlkem1024secp384r1.

Using crypto-policies-20250714-1.git95bf40e.el10.noarch

Also, probably the names are wrong? shouldn't they be secp256r1mlkem768 and secp384r1mlkem1024 (to mirror the on-the-wire order)?

relates to

RHEL-70820 Support SecP384r1MLKEM1024 in TLS in NSS

Closed

links to

RHBA-2025:148296 crypto-policies bug fix and enhancement update

Assignee:: Alexander Sosedkin

Reporter:: Alicja Kario

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/07/31 3:33 PM

Updated:: 2025/11/11 8:29 AM

Resolved:: 2025/11/11 8:29 AM

Target end:: 2025/08/25

Next Planned Release Date:: 2025/11/11

Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates