Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-10.2
Affects Version/s: rhel-10.2
Component/s: crypto-policies
Labels:
- rn-yml

Fixed in Build:
crypto-policies-20260216-1.git0e54016.el10
Severity:
Moderate
Epic Link:
CRYPTO-18402

AssignedTeam:
rhel-security-crypto-spades

Internal Target Milestone:
26
Story Points:
0
Target Version:

rhel-10.2
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:

Hide

AC) mlkem768x25519-sha256 becomes the top kex in all libssh policies we ship

Show
AC) mlkem768x25519-sha256 becomes the top kex in all libssh policies we ship
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/156679
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement: crypto-policies now supports mlkem768x25519-sha256 in libssh
Reason: libssh 0.12 now supports mlkem768x25519-sha256 key exchange
Result: mlkem768x25519-sha256 effectively enabling it by default with the highest priority in all the predefined cryptographic policies shipped in RHEL, bringing it closer to openssh

Show
Feature, enhancement: crypto-policies now supports mlkem768x25519-sha256 in libssh Reason: libssh 0.12 now supports mlkem768x25519-sha256 key exchange Result: mlkem768x25519-sha256 effectively enabling it by default with the highest priority in all the predefined cryptographic policies shipped in RHEL, bringing it closer to openssh
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Libssh 0.12 will support MLKEM key exchange and we need to crypto-policies to support that as well (in all base policies, analogously to openssh mlkem support).

is blocked by

RHEL-133421 Rebase libssh to 0.12.0

Release Pending

is related to

RHEL-148617 Support for hybrid ML-KEM key exchange in libssh in FIPS mode

Planning

links to

RHBA-2025:156679 crypto-policies update

upstream Fedora MR

upstream RHEL-10 MR

(1 links to)

Assignee:: Ondrej Moris

Reporter:: Ondrej Moris

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/12/04 1:22 PM

Updated:: 2026/02/23 4:14 PM

Target end:: 2026/02/23

Next Planned Release Date:: 2026/05/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates