- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
Related: CRYPTO-14303
Related: RHEL-36450
- nss: wire KYBER768 to XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
- openssh: make dss no longer enableble, support is dropped
- LEGACY: disable sign = *-SHA1
- DEFAULT: disable RSA key exchange
- nss: TLS-REQUIRE-EMS in FIPS
Resolves: RHEL-36300
Resolves: RHEL-50106
Resolves: RHEL-50464
Related: RHEL-18442
Related: RHEL-28848
Related: RHEL-45618
Related: RHEL-45620
Related: RHEL-5206
- Switch to a version based on Fedora 41 crypto-policies
(20240521-1.gitf71d135.fc41),
and replace the changelog with Fedora changelog
- Shape up RHEL-10: remove GOST-ONLY policy and GOST subpolicy
- Shape up RHEL-10: remove NEXT policy
- Shape up RHEL-10: remove BSI policy
- Shape up RHEL-10: remove TEST-FEDORA41 policy
- Shape up RHEL-10: remove NO-SHA1 subpolicy
- Shape up RHEL-10: remove SHA1 subpolicy
- Shape up RHEL-10: remove TEST-PQ policy
- Shape up RHEL-10: disable CAMELLIA in all policies...
- Shape up RHEL-10: drop FFDHE-1024 from LEGACY
- Shape up RHEL-10: DEFAULT: remove Fedora-only DSA-SHA1 RPM enablement
- Shape up RHEL-10: remove Fedora-specific __openssl_block_sha1_signatures...
- Shape up RHEL-10: disable 3DES in LEGACY
- Shape up RHEL-10: disable DSA
- Shape up RHEL-10: mark LEGACY as 80-bit security (@tomato42)
- Shape up RHEL-10: require TLSv1.2/DTLSv1.2 in all policies
- Shape up RHEL-10: requre 2048 bit params in LEGACY
- Shape up RHEL-10: FUTURE: disable CBC ciphers for all but krb5
- Shape up RHEL-10: disable DHE-DSS even in LEGACY
- Shape up RHEL-10: gnutls: explicit ECDSA-SECPNNNR1-SHANNN + reorder
- Shape up RHEL-10: openssh: disable DHE-FFDHE-1024-SHA1 server config hack
- Shape up RHEL-10: FIPS: disable SHA-1 HMAC in FIPS policy
- Shape up RHEL-10: FIPS: disable CBC ciphers except in Kerberos
- Shape up RHEL-10: policies/modules: update AD-SUPPORT away from RC4/MD5
- Shape up RHEL-10: drop DNSSEC SHA-1 exception from DEFAULT
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable
Resolves: RHEL-23494
Resolves: RHEL-18435
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
Resolves: RHEL-10730
Resolves: RHEL-11346
Resolves: RHEL-11349
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`
Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257
