RHEL-36300

c10s crypto-policies needs to start controlling TLS-REQUIRE-EMS NSS keyword

    • crypto-policies-20240725-1.git3de485c.el10
    • None
    • None
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 0.5
    • False
    • No
    • Red Hat Enterprise Linux
    • Crypto24Q3

      AC1) There is no TLS-REQUIRE-EMS in LEGACY, DEFAULT, FUTURE and FIPS:NO-ENFORCE-EMS generated policy for nss.

      AC2) In FIPS TLS-REQUIRE-EMS is placed in the config= section on generated policy for NSS.

      AC3) crypto-policies conflicts with versions of NSS older than the one that understands the keyword.

    • Pass
    • Enabled
    • Automated
    • Proposed
    • None

      crypto-policies in Fedora and, soon, c10s, doesn't use the TLS-REQUIRE-EMS keyword when generating NSS configs.

      Filing it as a bug instead of fixing it right away because:

      1. c10s NSS does not currently recognize the keyword (RHEL-36299)
      2. I don't want to create workarounds for tests only to remove them later
      3. if I do and it's silently fixed, I won't remember to fix the same thing in Fedora

              asosedki@redhat.com Alexander Sosedkin
              Ondrej Moris
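A check for AC1 and AC2 above, as an added example that is not part of the original issue or of crypto-policies itself: it parses the `config=` line of a generated NSS policy file and verifies that `TLS-REQUIRE-EMS` appears there only for FIPS. The sample files are constructed and abbreviated (their layout is an assumption), and the helper names `config_tokens` and `check` are hypothetical.

```python
import re

KEYWORD = "TLS-REQUIRE-EMS"

# Expectations taken from AC1 and AC2 on this page.
EXPECT_KEYWORD = {
    "LEGACY": False,
    "DEFAULT": False,
    "FUTURE": False,
    "FIPS:NO-ENFORCE-EMS": False,
    "FIPS": True,
}


def config_tokens(nss_config: str) -> set[str]:
    """Return the upper-cased keywords found in the config= line only."""
    tokens = set()
    for line in nss_config.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key != "config":
            continue  # the keyword anywhere else does not satisfy AC2
        for tok in re.split(r"[\s:]+", value.strip('"')):
            # The first entry of each list carries the list name; drop it.
            tok = re.sub(r"^(allow|disallow)=", "", tok)
            if tok:
                tokens.add(tok.upper())
    return tokens


def check(policy: str, nss_config: str) -> bool:
    """True when keyword presence in config= matches the acceptance criteria."""
    return (KEYWORD in config_tokens(nss_config)) == EXPECT_KEYWORD[policy]


# Constructed, abbreviated sample files (not real generator output).
_HEAD = "library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\n"
SAMPLE_DEFAULT = _HEAD + (
    'config="disallow=ALL allow=HMAC-SHA256:aes256-gcm:tls-version-min=tls1.2"\n'
)
SAMPLE_FIPS = _HEAD + (
    'config="disallow=ALL allow=HMAC-SHA256:aes256-gcm:'
    'TLS-REQUIRE-EMS:tls-version-min=tls1.2"\n'
)
# Keyword present in the file but outside config=: must fail AC2.
SAMPLE_MISPLACED = "TLS-REQUIRE-EMS\n" + SAMPLE_DEFAULT

if __name__ == "__main__":
    for name, text in [("DEFAULT", SAMPLE_DEFAULT), ("FIPS", SAMPLE_FIPS),
                       ("FIPS", SAMPLE_MISPLACED)]:
        print(name, "ok" if check(name, text) else "FAIL")
```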