Bug | Resolution: Unresolved | Major | rhel-10.0.beta | crypto-policies-20240802-1.git8cb6f2d.el10 | No | None | 1 | sst_security_crypto | ssg_security | 24 | 30 | 5 | False | Yes | Crypto24Q3 | Pass | Not Needed | Manual | Enhancement | Done | None
The NSS 3.101 rebase brought in new PKCS#12 import/export algorithm controls that fail closed. In RHEL 8 and 9 we patch that behaviour back out; in RHEL 10 it should instead be controlled through crypto-policies, using the `cipher@pkcs12` scope syntax.

Expectations:
- LEGACY: import and export work for every previously supported algorithm.
- DEFAULT: export: only AES with a SHA-2 PRF and either a SHA-2 MAC or SHA-2 PBMAC1; import: everything allowed for export, plus 3DES, RC2, and SHA-1 PRF and MAC.
- FIPS: import and export: only AES with a SHA-2 PRF and SHA-2 PBMAC1; test whether a SHA-2 MAC works, and if it does, document that it is not FIPS-compliant.
- FUTURE: same as FIPS, but a SHA-2 MAC may work.

In addition:
- The change is limited to adding <algname>/pkcs12 and <algname>/pkcs12-legacy entries to the allow= list of the NSS backend configuration (Sanity/retention).
- It is documented that the @pkcs12 scope is currently only respected by NSS.
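To see which of the buckets above an existing .p12 file falls into, here is an added example (not code from crypto-policies, NSS or this ticket) that walks the outer DER of a PFX blob, pulls out the content-encryption and MAC AlgorithmIdentifiers, and applies the four expectations as import/export decisions. The friendly algorithm names, the helper names (`summarize`, `allowed`, `verdicts`, `pfx`) and the three sample blobs built inside the block with dummy salt, IV, ciphertext and MAC bytes are the example's own assumptions; the walker reads algorithm identifiers only, never decrypts, and does not descend into pkcs8ShroudedKeyBag entries carried in unencrypted data bags.

```python
"""Walk the outer DER of a PKCS#12 (PFX) blob, report the PBE/MAC algorithms it uses and
check them against the per-policy expectations listed in this ticket. Added example, not code
from crypto-policies or NSS: nothing is decrypted, the sample blobs are constructed below with
dummy salt/IV/ciphertext/MAC bytes, and the policy rules are this example's reading of the list."""

OIDS = {  # DER OID bodies that appear in the PFX outer structure (dotted form in comments)
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01": "data",            # 1.2.840.113549.1.7.1
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x06": "encryptedData",   # 1.2.840.113549.1.7.6
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0c": "PBKDF2",          # 1.2.840.113549.1.5.12
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d": "PBES2",           # 1.2.840.113549.1.5.13
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0e": "PBMAC1",          # 1.2.840.113549.1.5.14
    b"\x2a\x86\x48\x86\xf7\x0d\x02\x09": "HMAC-SHA256",         # 1.2.840.113549.2.9
    b"\x2b\x0e\x03\x02\x1a": "SHA1",                            # 1.3.14.3.2.26
    b"\x60\x86\x48\x01\x65\x03\x04\x02\x01": "SHA256",          # 2.16.840.1.101.3.4.2.1
    b"\x60\x86\x48\x01\x65\x03\x04\x01\x2a": "AES-256-CBC",     # 2.16.840.1.101.3.4.1.42
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x03": "PBE-SHA1-3DES",    # pbeWithSHAAnd3-KeyTripleDES-CBC
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06": "PBE-SHA1-RC2-40",  # pbeWithSHAAnd40BitRC2-CBC
}
NAME_TO_OID = {v: k for k, v in OIDS.items()}

def der(tag, body):                      # minimal DER TLV encoder, definite length form
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def oid(name): return der(0x06, NAME_TO_OID[name])
def oid_name(body): return OIDS.get(body, body.hex())

def alg(name, params=b"\x05\x00"):       # AlgorithmIdentifier { OID, parameters (NULL by default) }
    return der(0x30, oid(name) + params)

def parse(buf):                          # first TLV in buf -> (tag, body, rest)
    k = buf[1] & 0x7F if buf[1] & 0x80 else 0
    n, i = (int.from_bytes(buf[2:2 + k], "big") if k else buf[1]), 2 + k
    return buf[0], buf[i:i + n], buf[i + n:]

def children(body):                      # all (tag, body) pairs inside a constructed body
    return [] if not body else [parse(body)[:2]] + children(parse(body)[2])

def describe_pbe(alg_body):              # content-encryption AlgorithmIdentifier -> cipher + PRF
    parts = children(alg_body)
    algo = oid_name(parts[0][1])
    if algo == "PBES2":                  # PBES2-params { keyDerivationFunc (PBKDF2), encryptionScheme }
        kdf, enc = children(parts[1][1])
        kdf_params = children(children(kdf[1])[1][1])   # salt, iterationCount, [keyLength], [prf]
        prf = oid_name(children(kdf_params[-1][1])[0][1]) if kdf_params[-1][0] == 0x30 else "HMAC-SHA1"
        return {"cipher": oid_name(children(enc[1])[0][1]), "prf": prf}   # omitted prf = HMAC-SHA1
    legacy = algo.startswith("PBE-SHA1-")   # PKCS#12 v1 PBE schemes use their own SHA-1 based KDF
    return {"cipher": algo[9:] if legacy else algo, "prf": "SHA1" if legacy else "unknown"}

def describe_mac(alg_body):              # MacData.mac.digestAlgorithm -> MAC scheme + hash
    parts = children(alg_body)
    algo = oid_name(parts[0][1])
    if algo == "PBMAC1":                 # PBMAC1-params { keyDerivationFunc, messageAuthScheme }
        _, scheme = children(parts[1][1])
        return {"mac_scheme": "PBMAC1", "mac_hash": oid_name(children(scheme[1])[0][1])}
    return {"mac_scheme": "legacy", "mac_hash": algo}  # classic PKCS#12 MAC keyed from digestAlgorithm

def summarize(pfx_der):                  # macData assumed present; only encryptedData bags are inspected
    _version, auth_safe_ci, mac_data = children(parse(pfx_der)[1])
    auth_safe = children(children(children(auth_safe_ci[1])[1][1])[0][1])[0]
    bags = []
    for _, ci_body in children(auth_safe[1]):                # AuthenticatedSafe = SEQUENCE OF ContentInfo
        ctype, content = children(ci_body)
        if oid_name(ctype[1]) == "encryptedData":            # shrouded key bags in plain bags are skipped
            eci = children(children(content[1])[0][1])[1]    # EncryptedData -> EncryptedContentInfo
            bags.append(describe_pbe(children(eci[1])[1][1]))
    return {"bags": bags, **describe_mac(children(children(mac_data[1])[0][1])[0][1])}

def _sha2(h): return h.endswith(("SHA256", "SHA384", "SHA512"))

def allowed(policy, direction, s):       # the ticket's expectations, per policy and direction
    ciphers_ok = lambda *fams: all(b["cipher"].startswith(fams) for b in s["bags"])
    prf_sha2, mac_sha2 = all(_sha2(b["prf"]) for b in s["bags"]), _sha2(s["mac_hash"])
    if policy == "LEGACY":
        return True
    if policy == "DEFAULT" and direction == "import":   # export set plus 3DES, RC2, SHA-1 PRF and MAC
        return (ciphers_ok("AES", "3DES", "RC2") and (mac_sha2 or s["mac_hash"].endswith("SHA1"))
                and all(_sha2(b["prf"]) or b["prf"].endswith("SHA1") for b in s["bags"]))
    if policy in ("DEFAULT", "FUTURE"):  # FUTURE differs from FIPS only in accepting a classic SHA-2 MAC
        return ciphers_ok("AES") and prf_sha2 and mac_sha2
    if policy == "FIPS":                 # a classic SHA-2 MAC is not FIPS-compliant; PBMAC1 is required
        return ciphers_ok("AES") and prf_sha2 and mac_sha2 and s["mac_scheme"] == "PBMAC1"
    raise ValueError(policy)

def verdicts(pfx_der):                   # {policy: (import_ok, export_ok)} for one blob
    s = summarize(pfx_der)
    return {p: (allowed(p, "import", s), allowed(p, "export", s)) for p in ("LEGACY", "DEFAULT", "FIPS", "FUTURE")}

def pfx(enc_alg, mac_alg):               # structurally valid PFX v3 with one encryptedData bag
    eci = der(0x30, oid("data") + enc_alg + der(0x80, b"\x00" * 16))
    enc_data = der(0x30, der(0x02, b"\x00") + eci)
    auth_safe = der(0x30, der(0x30, oid("encryptedData") + der(0xA0, enc_data)))
    auth_safe_ci = der(0x30, oid("data") + der(0xA0, der(0x04, auth_safe)))
    mac_data = der(0x30, der(0x30, mac_alg + der(0x04, b"\x00" * 32))
                   + der(0x04, b"\x11" * 8) + der(0x02, b"\x07\xd0"))
    return der(0x30, der(0x02, b"\x03") + auth_safe_ci + mac_data)

PBKDF2_SHA256 = alg("PBKDF2", der(0x30, der(0x04, b"\x22" * 8) + der(0x02, b"\x07\xd0") + alg("HMAC-SHA256")))
PBES2_AES256 = alg("PBES2", der(0x30, PBKDF2_SHA256 + alg("AES-256-CBC", der(0x04, b"\x33" * 16))))
PBMAC1_SHA256 = alg("PBMAC1", der(0x30, PBKDF2_SHA256 + alg("HMAC-SHA256")))
PBE_3DES = alg("PBE-SHA1-3DES", der(0x30, der(0x04, b"\x44" * 8) + der(0x02, b"\x07\xd0")))

MODERN_PFX = pfx(PBES2_AES256, PBMAC1_SHA256)    # AES-256, PBKDF2-HMAC-SHA256, PBMAC1 with HMAC-SHA256
SHA2MAC_PFX = pfx(PBES2_AES256, alg("SHA256"))   # same, but with the classic SHA-256 MAC
LEGACY_PFX = pfx(PBE_3DES, alg("SHA1"))          # 3DES PBE and SHA-1 MAC (OpenSSL 1.x style output)
```

Feed `verdicts()` the bytes of a real .p12 file: a DEFAULT result of (True, False), as the 3DES/SHA-1 sample produces, means the file still imports on RHEL 10 but could not be created there, and of the three samples only the PBMAC1 one passes FIPS, while the one with the classic SHA-256 MAC passes DEFAULT and FUTURE but not FIPS.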
Links to: RHBA-2024:132324 crypto-policies bug fix and enhancement update