-
Bug
-
Resolution: Done
-
Normal
-
rhel-10.0
-
None
-
Moderate
-
1
-
rhel-sst-security-crypto
-
ssg_security
-
24
-
27
-
3
-
False
-
-
Yes
-
Crypto24Q3
-
-
Pass
-
Enabled
-
Automated
-
Removed Functionality
-
-
Done
-
-
All
-
None
Several old algorithms that have little to no use and are disabled by default need to be disabled completely:
1) SEED, the former national cipher of Korea. This has been disabled upstream for several years. A single #define in the SPEC file will disable it for NSS.
2) DSA, this is a signing aglorithm, created by NIST and now completely deprecated by NIST in favor of RSA and ECDSA (and eventually SHB-DSA, ML-DSA and FN-DSA). This requires disabling CKM_DSA_XXX in PKCS #11 (under a #define) and including that #define in the SPEC. It will also require dropping or modifying tests in NSS upstream tests of DSA.
NOTE: DSA parameter gen is used extensively in testing of weak Diffie-Helman code (mostly to make sure we properly reject weak Diffie-Helman by default, so it will stay until we deprecate DH.
- links to
-
RHBA-2024:136536 nss bug fix and enhancement update