Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.

NSS Updated to 3.112

With Oracle Linux 9.7, the NSS cryptographic toolkit packages are updated to upstream version 3.112 with many improvements and fixes.

See https://firefox-source-docs.mozilla.org/security/nss/releases/index.html for more information.

crypto-policies Include Post-Quantum Cryptography

Oracle Linux 9.7 introduces a PQ subpolicy in crypto-policies that enables post-quantum cryptography. Notable changes include:

  • DEFAULT, FUTURE, and FIPS policies now prioritize hybrid ML-KEM and pure ML-DSA algorithms for maximum security.

You can apply the PQ subpolicy, for example, by running update-crypto-policies --set DEFAULT:PQ.

If the system is in FIPS mode, you can apply the PQ subpolicy on top of the FIPS policy by running update-crypto-policies --set FIPS:PQ.

OpenSSL Updated to 3.5

With Oracle Linux 9.7, OpenSSL is updated to version 3.5 and includes ML-KEM, ML-DSA, SLH-DSA, QUIC transport, and additional post-quantum and modern cryptography features.

You can now improve security for TLS connections and cryptographic operations in Oracle Linux environments, preparing systems for a quantum-safe future.
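The following script is an added example and is not part of the Oracle Linux release notes. It ties together the crypto-policies and OpenSSL items above: it picks DEFAULT:PQ or FIPS:PQ depending on whether the kernel reports FIPS mode, applies the subpolicy on request and echoes the resulting policy name, and checks whether the installed OpenSSL actually lists ML-KEM, ML-DSA or SLH-DSA among its algorithms. It assumes update-crypto-policies and openssl are on PATH and that /proc/sys/crypto/fips_enabled exists (1 means FIPS mode is enabled).

```shell
#!/bin/sh
# Added example, not from the release notes: choose and apply the PQ subpolicy
# and confirm the OpenSSL build provides post-quantum algorithms.
# Assumptions: update-crypto-policies and openssl on PATH; FIPS state readable
# from /proc/sys/crypto/fips_enabled.

# Print the policy spec to use: FIPS:PQ when FIPS mode is on, else DEFAULT:PQ.
# The FIPS flag may be given as $1 (0 or 1); when omitted it is read from the kernel.
choose_pq_policy() {
    fips="${1:-}"
    if [ -z "$fips" ]; then
        if [ -r /proc/sys/crypto/fips_enabled ]; then
            fips=$(cat /proc/sys/crypto/fips_enabled)
        else
            fips=0
        fi
    fi
    if [ "$fips" = "1" ]; then
        printf '%s\n' "FIPS:PQ"
    else
        printf '%s\n' "DEFAULT:PQ"
    fi
}

# Read OpenSSL algorithm listings from stdin and print the distinct PQ families
# present (ML-KEM, ML-DSA, SLH-DSA), one per line, sorted. Return 1 if none.
pq_families_in() {
    found=$(grep -oE 'ML-KEM|ML-DSA|SLH-DSA' | sort -u || true)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Ask the installed OpenSSL for its KEM and signature algorithms and report
# which PQ families it provides. Returns 1 if none are found.
openssl_pq_families() {
    { openssl list -kem-algorithms; openssl list -signature-algorithms; } 2>/dev/null \
        | pq_families_in
}

# Apply the chosen subpolicy (needs root) and print the policy now in force.
apply_pq_policy() {
    spec=$(choose_pq_policy "${1:-}")
    update-crypto-policies --set "$spec" || return 1
    update-crypto-policies --show
}
```

Run apply_pq_policy as root after reviewing choose_pq_policy's output; openssl_pq_families is a read-only check that works without privileges and is useful before and after the policy change.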

OpenSSL SSLKEYLOGFILE Environment Variable For Debugging

With Oracle Linux 9.7, use the SSLKEYLOGFILE environment variable to instruct OpenSSL to log TLS connection secrets to a file.

Caution:

Only enable this feature in test or debug environments. Logging key material can introduce security risks.
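The helper below is an added example, not code from the release notes. It shows a way to use SSLKEYLOGFILE that keeps the risk the caution describes contained: the variable is set only for the single debugging command, the key log is created with owner-only permissions, and the parent shell never exports it. It also includes an audit function that lists processes whose environment carries SSLKEYLOGFILE, which is a useful check on hosts where the variable should never be set. The audit assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example, not from the release notes: scoped use of SSLKEYLOGFILE for a
# one-off debugging run, plus an audit for processes that have it set.
# Assumes Linux /proc for the audit.

# Run "$@" with SSLKEYLOGFILE pointing at $1, which is created mode 0600.
# The variable is placed on the child's command line only, so it is not
# inherited by anything started later from this shell.
keylog_debug_run() {
    logfile="$1"; shift
    ( umask 077 && : > "$logfile" ) || return 1
    SSLKEYLOGFILE="$logfile" "$@"
}

# Return 0 if SSLKEYLOGFILE is not set in the calling environment, 1 otherwise.
sslkeylogfile_unset() {
    [ -z "${SSLKEYLOGFILE:-}" ]
}

# Print "PID path" for every readable process whose environment contains
# SSLKEYLOGFILE. Return 0 when nothing was found, 1 otherwise.
# Only processes the caller may inspect are checked; run as root to see all.
audit_sslkeylogfile() {
    hits=0
    for envfile in /proc/[0-9]*/environ; do
        pid=${envfile#/proc/}; pid=${pid%/environ}
        val=$(tr '\0' '\n' < "$envfile" 2>/dev/null | sed -n 's/^SSLKEYLOGFILE=//p')
        if [ -n "$val" ]; then
            printf '%s %s\n' "$pid" "$val"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Typical use: keylog_debug_run /root/tls-debug.keys openssl s_client -connect host:443, then copy the key file to the analysis workstation and delete it. audit_sslkeylogfile is suited to a periodic check on production systems.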

Hybrid ML-KEM Cryptography Works in FIPS Mode

Oracle Linux 9.7 adds FIPS mode support for hybrid Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM), so OpenSSL uses both classical and post-quantum algorithms for key exchanges.

fips-provider-next Package Added

The fips-provider-next package introduces the next version of the FIPS provider for OpenSSL. The package is under review with the National Institute of Standards and Technology (NIST) for validation. The openssl-fips-provider remains the validated FIPS provider.

To switch to the fips-provider-next, run the following command:

sudo dnf swap openssl-fips-provider fips-provider-next

The fips-provider-next package is available as a technical preview.
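After swapping packages, a practitioner will want to confirm which FIPS provider OpenSSL actually loads and what version it reports. The script below is an added example, not part of the release notes or either package: it parses the output of openssl list -providers, which on OpenSSL 3.x prints one two-space-indented block per provider with name:, version: and status: lines beneath it, and reports the version and status of a named provider. The sample output used in the usage note is constructed; the fips provider version is a placeholder because the notes give none.

```shell
#!/bin/sh
# Added example, not from the release notes: verify which FIPS provider the
# installed OpenSSL loads. Assumes OpenSSL 3.x "openssl list -providers" layout.

# Read "openssl list -providers" output from stdin and print "version status"
# for the provider block named $1 (for example "fips"). Return 1 if absent.
provider_info_in() {
    want="$1"
    awk -v want="$want" '
        # A line indented by exactly two spaces names a provider block.
        /^  [^ ]/ { cur = $1; next }
        cur == want && $1 == "version:" { ver = $2 }
        cur == want && $1 == "status:"  { st = $2 }
        END {
            if (ver == "" && st == "") exit 1
            print ver, st
        }'
}

# Query the running OpenSSL and report the fips provider.
fips_provider_info() {
    openssl list -providers 2>/dev/null | provider_info_in fips
}

# Return 0 only if the fips provider is listed and its status is active.
fips_provider_active() {
    info=$(fips_provider_info) || return 1
    [ "${info#* }" = "active" ]
}
```

Run fips_provider_info before and after the dnf swap and compare the version strings; fips_provider_active is a convenient exit-status check for configuration management.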

Keylime Updated to Version 7.12.1

Oracle Linux 9.7 updates Keylime to version 7.12.1.

See https://github.com/keylime/keylime/releases/tag/v7.12.1 for more information.

openCryptoki Updated to Version 3.25.0

Version 3.25.0 of the openCryptoki packages is now available.

See https://github.com/opencryptoki/opencryptoki/releases/tag/v3.25.0 for more information.