Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.8
Affects Version/s: None
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q4

Fixed in Build:
crypto-policies-20251126-1.gite9c4db2.el9
Severity:
Moderate
Epic Link:
CRYPTO-18570
sprint_count:
1

AssignedTeam:
rhel-security-crypto-spades

Internal Target Milestone:
26
Story Points:
0
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25-11

Acceptance Criteria:

Hide

AC1) GROUP-X25519-MLKEM768/GROUP-SECP256R1-MLKEM768/GROUP-SECP384R1-MLKEM1024 are in tls-enabled-group and ML-DSA-44/ML-DSA-65/ML-DSA-87 are in secure-sig/secure-sig-for-cert when PQ subpolicy is applied.

Note: This is covered by /Sanity/retention (crypto-policie) and it is also a good idea to run /Sanity/PQ (crypto-policies).

Show
AC1) GROUP-X25519-MLKEM768/GROUP-SECP256R1-MLKEM768/GROUP-SECP384R1-MLKEM1024 are in tls-enabled-group and ML-DSA-44/ML-DSA-65/ML-DSA-87 are in secure-sig/secure-sig-for-cert when PQ subpolicy is applied. Note: This is covered by /Sanity/retention (crypto-policie) and it is also a good idea to run /Sanity/PQ (crypto-policies).
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/156662
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement: crypto-policies adds gnutls support for hybrid ML-KEM and pure ML-DSA post-quantum algorithms
Reason: gnutls gained support for these algorithms in a rebase to 3.8.10
Result: gnutls will be able to negotiate TLS connections using hybrid ML-KEM and/or pure ML-DSA if the other side supports them and PQ subpolicy is applied

Show
Feature, enhancement: crypto-policies adds gnutls support for hybrid ML-KEM and pure ML-DSA post-quantum algorithms Reason: gnutls gained support for these algorithms in a rebase to 3.8.10 Result: gnutls will be able to negotiate TLS connections using hybrid ML-KEM and/or pure ML-DSA if the other side supports them and PQ subpolicy is applied
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Since we're rebasing gnutls in 9.8 for PQ support (https://issues.redhat.com/browse/CRYPTO-18414), we should as well plan a matching crypto-policies update to have the new algorithms enableable. This should be a straightforward backport from 10.

is caused by

RHEL-125971 rebase gnutls in 9.8 to 3.8.10

Release Pending

links to

RHBA-2025:156662 crypto-policies update

Assignee:: Alexander Sosedkin

Reporter:: Alexander Sosedkin

Developer:: Alexander Sosedkin

QA Contact:: Conor Tull

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/11/12 12:52 PM

Updated:: 2025/12/16 10:30 AM

Target end:: 2026/02/23

Next Planned Release Date:: 2026/05/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates