AC1) NSS generated policy allows the following: LEGACY: rc2-40-cbc, des-cbc, rc2-64-cbc, rc2-128-cbc, des-ede3-cbc, aes128-cbc, aes256-cbc                  DEFAULT: des-ede3-cbc, aes128-cbc, aes256-cbc, rc2-*-cbc/legacy FUTURE: aes128-cbc. aes256-cbc, des-ede3-cbc/legacy                  FIPS: aes128-cbc, aes256-cbc AC2) it's documented that @pkcs12 is currently only respected by nss AC3) Is is possible to control pkcs12 import/export controls by pkcs12 scope in NSS (only).

.The `DEFAULT` cryptographic policy uses additional scopes The `crypto-policies` package now offers additional scopes `@pkcs12`, `@pkcs12-legacy`, `@smime`, and `@smime-legacy`, and uses them in the `DEFAULT` system-wide cryptographic policy. The selection of cryptographic algorithms used for PKCS #12 and S/MIME when network security services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges: ---- cipher@pkcs12 = AES-256-CBC AES-128-CBC cipher@pkcs12-import = 3DES-CBC+ RC2-CBC+ cipher@smime = AES-256-CBC AES-128-CBC 3DES-CBC cipher@smime-import = RC2-CBC+ hash@{pkcs12,smime} = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 \ SHA2-224 SHA3-224 hash@{pkcs12-import,smime} = SHA1+ key_exchange@smime = RSA DH ECDH ---- The `LEGACY` cryptographic policy uses a less strict selection of ciphers, hashes, and key exchanges than the `DEFAULT` policy, whereas the `FUTURE` policy is stricter. As a result, you can customize the algorithms used in NSS for importing and exporting PKCS #12 files and S/MIME encryption and decryption. NSS is currently the only cryptographic library linked to the newly offered scopes.