Loading...

XML

Word

Printable

Acceptance Criteria:
Hide

AC proposal:

[Sanity/retention] /etc/crypto-policies/back-ends/nss.config

for DEFAULT and other key policies: contains no `TLS-REQUIRE-EMS` keyword

for FIPS: contains a `TLS-REQUIRE-EMS` keyword under `config=`

for FIPS:NO-ENFORCE-EMS: contains no `TLS-REQUIRE-EMS` keyword

[manual inspection] crypto-policies conflicts with a versions of NSS older than the one that understands the keyword
Show
AC proposal: [Sanity/retention] /etc/crypto-policies/back-ends/nss.config for DEFAULT and other key policies: contains no `TLS-REQUIRE-EMS` keyword for FIPS: contains a `TLS-REQUIRE-EMS` keyword under `config=` for FIPS:NO-ENFORCE-EMS: contains no `TLS-REQUIRE-EMS` keyword [manual inspection] crypto-policies conflicts with a versions of NSS older than the one that understands the keyword

crypto-policies in Fedora and, soon, c10s, doesn't use TLS-REQUIRE-EMS keyword when generating NSS configs.

Filing it as a bug instead of fixing it right away because

c10s NSS does not currently recognize the keyword (RHEL-36299)
I don't want to create workarounds for tests only to remove them later
if I do and it's silently fixed, I won't remember to fix the same thing in Fedora

depends on

RHEL-36299 c10s nss needs to become aware of TLS-REQUIRE-EMS