diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 4feb013..c27023d 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support [bsc#1211301]
+
 -------------------------------------------------------------------
 Fri Feb 23 11:55:45 UTC 2024 - pgajdos@suse.com
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 76024fd..67dddeb 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -21,6 +21,7 @@
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
+%global crypto_policies_version 20210118
 Name:           mozilla-nss
 Version:        3.97
 Release:        0
@@ -95,6 +96,9 @@ BuildRequires:  jitterentropy-devel
 Requires(pre):  libjitterentropy3
 Requires:       libjitterentropy3
 %endif
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies >= %{crypto_policies_version}
+%endif
 Requires:       libfreebl3 >= %{nss_softokn_fips_version}
 Requires:       libsoftokn3 >= %{nss_softokn_fips_version}
 Requires:       mozilla-nspr >= %{NSPR_min_version}
@@ -277,6 +281,13 @@ export NSS_ENABLE_FIPS_INDICATORS=1
 export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\""
 #export SQLITE_LIB_NAME=nsssqlite3
 export MAKE_FLAGS="BUILD_OPT=1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+%endif
 EOF
 
 source ../obsenv.sh
@@ -298,6 +309,11 @@ export HOST="localhost"
 export DOMSUF="localdomain"
 export USE_IP=TRUE
 export IP_ADDRESS="127.0.0.1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+%endif
 EOF
 source ../obsenv.sh
 source ../obstestenv.sh
@@ -462,6 +478,11 @@ fi
 
 %postun sysinit -p /sbin/ldconfig
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%posttrans
+update-crypto-policies &> /dev/null || :
+%endif
+
 %files
 %{_libdir}/libnss3.so
 %{_libdir}/libnssutil3.so