  1. RHEL
  2. RHEL-46839

Rebase NSS to 3.101 for Firefox [rhel-10.0]

    • nss-3.101.0-1.el10
    • None
    • Moderate
    • Rebase
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 30
    • 0.1
    • False
    • None
    • Yes
    • Crypto24Q3
      • DTLS 1.3: can be negotiated by default
      • "XYBER768D00": should be off by default,
        i.e., not negotiable even if it's the only kex enabled
      • Certificate compression:
        • is advertised by default
        • smoke-tested against openssl for both server and client certificates
        • (optional) smoke-tested against gnutls for both server and client certificates
        • (optional) for zlib certificate decompressing to longer than uncompressed_length,
          nss server rejects the connection with `bad certificate` alert,
          and extra memory usage does not exceed 2^25 (32 MB)
      • EdDSA:
        • NSS can connect to itself using Ed25519 server and client certificates
        • NSS can connect to itself using Ed448 server and client certificates
        • (optional) run the available tlsfuzzer/test-tls13-eddsa-in-certificate-verify checks
      • RSA OAEP:
        (optional) can decrypt RSA-OAEP padded message
        encrypted by openssl/gnutls and vice versa
      • dbtool: is shipped under unsupported directory
      • PBMAC1:
        smoke-test that openssl/gnutls can export/import files used by nss
        using all three of SHA-256, SHA-384 and SHA-512
      • RSA-PSS certificates with keys shorter than 2048 stop working
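
The zlib criterion above (a certificate that inflates past `uncompressed_length` must be rejected with bounded memory use) can be illustrated with the sketch below. It is an added example, not NSS code: it uses Python's standard `zlib` module and the `CompressedCertificate` layout from RFC 8879, and the names `decompress_certificate`, `build_message`, `is_rejected` and `BadCertificate` are hypothetical.

```python
import zlib

ZLIB = 1  # CertificateCompressionAlgorithm code point for zlib in RFC 8879

class BadCertificate(Exception):
    """Stands in for aborting the handshake with a bad_certificate alert."""

def decompress_certificate(body: bytes) -> bytes:
    """Inflate a CompressedCertificate body, never producing more than declared + 1 bytes."""
    if len(body) < 8:
        raise BadCertificate("truncated CompressedCertificate")
    algorithm = int.from_bytes(body[0:2], "big")   # uint16 algorithm
    declared = int.from_bytes(body[2:5], "big")    # uint24 uncompressed_length
    comp_len = int.from_bytes(body[5:8], "big")    # uint24 length prefix of the opaque vector
    compressed = body[8:]
    if algorithm != ZLIB:
        raise BadCertificate("unsupported compression algorithm")
    if declared == 0 or comp_len == 0 or comp_len != len(compressed):
        raise BadCertificate("inconsistent length fields")
    inflater = zlib.decompressobj()
    try:
        # max_length bounds the output buffer; one spare byte is enough to detect an overrun.
        out = inflater.decompress(compressed, declared + 1)
    except zlib.error as exc:
        raise BadCertificate("corrupt zlib stream") from exc
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise BadCertificate("output does not match uncompressed_length")
    return out

def build_message(payload: bytes, declared: int) -> bytes:
    """Construct a sample message body; `declared` may lie about the real size."""
    comp = zlib.compress(payload)
    return (ZLIB.to_bytes(2, "big") + declared.to_bytes(3, "big")
            + len(comp).to_bytes(3, "big") + comp)

def is_rejected(body: bytes) -> bool:
    """True when the body would trigger the bad_certificate path."""
    try:
        decompress_certificate(body)
    except BadCertificate:
        return True
    return False

if __name__ == "__main__":
    cert = b"constructed certificate message " * 40  # constructed sample, not a real chain
    print(len(decompress_certificate(build_message(cert, len(cert)))))
    # Constructed oversize case: 1 MiB of zeros declared as 100 bytes.
    print(is_rejected(build_message(b"\x00" * (1 << 20), 100)))
```

Because the output is capped at `uncompressed_length + 1` bytes and that field is a uint24, the inflate buffer stays below 2^24 bytes regardless of what the stream would expand to.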
    • Pass
    • None
    • Rebase
    • .RHEL 10 provides NSS in version 3.101

      The NSS cryptographic toolkit packages are provided in version 3.101 in RHEL 10, which provides many bug fixes and enhancements. The most notable changes are the following:

      * DTLS 1.3 protocol is now supported (RFC 9147).
      * PBMAC1 support has been added to PKCS #12 (RFC 9579).
      * Experimental support for X25519Kyber768Draft00 hybrid post-quantum key agreement has been added (`draft-tls-westerbaan-xyber768d00`). It will be removed in a future release.
      * `lib::pkix` is the default validator in RHEL 10.
      * RSA certificates with keys shorter than 2048 bits stop working in SSL servers, in accordance with the system-wide cryptographic policy.
    • Done
    • All
    • None

      We need to rebase NSS to 3.101 in RHEL-10, RHEL-9.2.0.z and later, and RHEL-8.8.0.z and later for the upcoming Firefox release

              rrelyea@redhat.com Robert Relyea
              rrelyea@redhat.com Robert Relyea
              Robert Relyea
              Alexander Sosedkin
              Jan Fiala
              Votes: 0
              Watchers: 7