Update from upstream (java, RSA in DEFAULT, SHA1 in LEGACY...)

- nss: wire KYBER768 to XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
- openssh: make dss no longer enableble, support is dropped
- LEGACY: disable sign = *-SHA1
- DEFAULT: disable RSA key exchange
- nss: TLS-REQUIRE-EMS in FIPS

Resolves: RHEL-36300
Resolves: RHEL-50106
Resolves: RHEL-50464
Related: RHEL-18442
Related: RHEL-28848
Related: RHEL-45618
Related: RHEL-45620
Related: RHEL-5206

crypto-policies.spec

@@ -1,12 +1,12 @@
-%global git_date 20240522
-%global git_commit 77963ab9f1d0a705440f4167dcabe13f1e9a5301
+%global git_date 20240725
+%global git_commit 3de485cace4a8b42aa9b974f1ece54f03e29b603
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 
 %global _python_bytecompile_extra 0
 
 Name:           crypto-policies
 Version:        %{git_date}
-Release:        2.git%{git_commit_hash}%{?dist}
+Release:        1.git%{git_commit_hash}%{?dist}
 Summary:        System-wide crypto policies
 
 License:        LGPL-2.1-or-later
@@ -59,10 +59,12 @@ to enable or disable the system FIPS mode.
 %autopatch -p1
 
 %build
+%if 0%{?rhel} == 11
 # currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
 sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
   python/policygenerators/nss.py tests/nss.py
 sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
+%endif
 
 %make_build
 
@@ -132,6 +134,10 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
     end
 end
 
+%pre
+# Drop removed javasystem backend; can be dropped in 11
+rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" || :
+
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 
@@ -192,10 +198,28 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 
 %changelog
+* Thu Jul 25 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240725-1.git3de485c
+- nss: wire KYBER768 to X25519-XYBER768D00
+- java: start controlling / disable DTLSv1.0
+- java: disable anon ciphersuites, tying them to NULL
+- java: respect more key size restrictions
+- java: specify jdk.tls.namedGroups system property
+- java: make hash, mac and sign more orthogonal
+- fips-mode-setup: add another scary "unsupported"
+- fips-mode-setup: flashy ticking warning upon use
+- java: use and include jdk.disabled.namedCurves
+- ec_min_size: introduce and use in java, default to 256
+- java: stop specifying jdk.tls.namedGroups in javasystem
+- java: drop unused javasystem backend
+- openssh: make dss no longer enableble, support is dropped
+- LEGACY: disable sign = *-SHA1
+- DEFAULT: disable RSA key exchange
+- nss: TLS-REQUIRE-EMS in FIPS
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 20240522-2.git77963ab
 - Bump release for June 2024 mass rebuild
 
-* Tue May 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240522-1.git77963ab
+* Wed May 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240522-1.git77963ab
 - Switch to a version based on Fedora 41 crypto-policies
   (20240521-1.gitf71d135.fc41),
   thus replace the changelog below with Fedora changelog

sources

@@ -1 +1 @@
-SHA512 (crypto-policies-git77963ab.tar.gz) = 8bbe8c53582d86f9508f8c3c1516fed61d9f75e8c3a5b96eb0c24db7671cee10b10bf1c527453593e5bc59832806f42ed0249a5b5edf32db45bc4aa911313a61
+SHA512 (crypto-policies-git3de485c.tar.gz) = 776b93d9c9ae30f2fa75ef2fefdb32b7df8d680bdd37375917a61c94055ec9195801d61992593dd9ce68f501c429478a7f7b9419d8964d97601ae82877c1a24c