diff --git a/_service b/_service
index 714f6a9..c304113 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
git
%cd.%h
enable
- 570ea89092555c6c289f226bb48c2d8c1f332b0f
+ 4d262e79be1cd15c84cad55ad88c53a2d7712e85
*.tar
diff --git a/_servicedata b/_servicedata
index 2be1946..5ed3ec5 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://gitlab.com/redhat-crypto/fedora-crypto-policies.git
- 570ea89092555c6c289f226bb48c2d8c1f332b0f
\ No newline at end of file
+ 4d262e79be1cd15c84cad55ad88c53a2d7712e85
\ No newline at end of file
diff --git a/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch b/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
new file mode 100644
index 0000000..fa07f44
--- /dev/null
+++ b/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
@@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/openssl.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/openssl.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/openssl.py
+@@ -312,8 +312,8 @@ class OpenSSLConfigGenerator(OpenSSLGene
+ 'SECP256R1': 'secp256r1',
+ 'SECP384R1': 'secp384r1',
+ 'SECP521R1': 'secp521r1',
+- 'X25519': 'X25519',
+- 'X448': 'X448',
++ 'X25519': '?X25519',
++ 'X448': '?X448',
+ 'FFDHE-2048': 'ffdhe2048',
+ 'FFDHE-3072': 'ffdhe3072',
+ 'FFDHE-4096': 'ffdhe4096',
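Review bot: Changing the mapping to `'X25519': '?X25519'` and `'X448': '?X448'` alters the generated `Groups =` line for every policy that lists those curves, yet the patch updates no expected test output, and the `Groups = X25519:secp256r1:X448:secp521r1` context visible in the opensslcnf hunks of the SHA-1 patch further down this page still shows the unprefixed names, so the generator tests will presumably diverge unless they are regenerated or skipped in this build. The `?` prefix is already used in this project's expected outputs (`Groups = ?x25519_kyber768:?p256_kyber768`), which matches the OpenSSL syntax for skipping a group the active provider does not offer instead of rejecting the whole directive; if this package can be paired with an OpenSSL that predates that syntax, the entire Groups line would be refused rather than just the two curves, which the mapping should document. Suggest a comment above the changed entries, e.g. `# '?' lets OpenSSL drop the curve when the active provider (FIPS) lacks it; needs an OpenSSL that accepts the prefix`. The `OpenSSLConfigGenerator` mapping edited here starts and ends outside the hunk.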
diff --git a/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
new file mode 100644
index 0000000..c7c3e96
--- /dev/null
+++ b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
@@ -0,0 +1,50 @@
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
+--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-18 14:39:54.565216139 +0100
+@@ -15,9 +15,11 @@
+
+ mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
+ mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
++mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
+
+ group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
++group@SSH = -X25519
+
+ hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \
+ SHAKE-256
+@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM
+
+ # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
+ # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
+-cipher@SSH = -*-CBC
++# disable also chachapoly, as we might run DEFAULT in FIPS mode too.
++cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR
+
+ # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have
+ # interoperability issues in TLS.
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt
+--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 2025-03-18 14:40:54.831266197 +0100
+@@ -1,5 +1,5 @@
+-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+ GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+ KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+ HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt
+--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt 2025-03-18 15:41:32.234673018 +0100
+@@ -1,7 +1,8 @@
+-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+ GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+ KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
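Review bot: `group@SSH = -X25519` removes X25519 from the SSH group list, yet the rewritten expected outputs keep `curve25519-sha256,curve25519-sha256@libssh.org` at the head of `KexAlgorithms` (and `gss-curve25519-sha256-` in `GSSAPIKexAlgorithms`) in both DEFAULT-openssh.txt and DEFAULT-opensshserver.txt, where those lines are untouched context. Either the directive has no effect on the OpenSSH generators or the expected outputs were edited by hand rather than regenerated; in both cases policy and tests disagree, so the outputs should be regenerated, and if curve25519 is really meant to go the KexAlgorithms lines will change. The same question applies to the `HostKeyAlgorithms` line this patch adds to the client output, which no change in DEFAULT.pol accounts for — it may come from the newer upstream generator rather than from this patch. A comment next to the new directive, e.g. `# X25519 is presumably unusable for sshd in FIPS mode; keep DEFAULT bootable there`, would make the intent checkable on the next rebase, and the new `mac@SSH` line silently drops UMAC-128 relative to the generic `mac` line, which the comment above `cipher@SSH` does not mention.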
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
index b955c4c..c30993a 100644
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
exit 1
fi
@@ -22,36 +22,48 @@ Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
# Detect 1: kernel FIPS flag
fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-@@ -204,9 +217,22 @@ else
- fi
+@@ -167,10 +180,10 @@ if test $check = 1 ; then
fi
+ # Boot configuration
-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-- echo "The grubby command is missing, please configure the bootloader manually."
+- echo >&2 "The grubby command is missing, please configure the bootloader manually."
- boot_config=0
+-fi
++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
++# echo >&2 "The grubby command is missing, please configure the bootloader manually."
++# boot_config=0
++# fi
+
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+ echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
+@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
+ fi
+ fi
+
+if test "$boot_config" = 1 ; then
+ # Install required packages: patterns-base-fips and perl-Bootloader
+ if test ! -f /etc/dracut.conf.d/40-fips.conf && \
+ test ! -x "$(command -v pbl)" && \
+ test "$enable_fips" = 1; then
-+ zypper -n install patterns-base-fips perl-Bootloader
++ zypper -n install patterns-base-fips perl-Bootloader
+ elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
+ test "$enable_fips" = 1 ; then
-+ zypper -n install patterns-base-fips
++ zypper -n install patterns-base-fips
+ elif test ! -x "$(command -v pbl)" ; then
-+ zypper -n install perl-Bootloader
++ zypper -n install perl-Bootloader
+ fi
+ if test $? != 0 ; then
-+ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
-+ boot_config=0
++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
++ boot_config=0
+ fi
- fi
-
++fi
++
echo "FIPS mode will be $(enable2txt $enable_fips)."
-@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
- echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
- echo "and reboot the system for the setting to take effect."
- else
+
+ fipsopts="fips=$enable_fips$boot_device_opt"
+
+ if test "$boot_config" = 1 ; then
- grubby --update-kernel=ALL --args="$fipsopts"
- if test x"$(uname -m)" = xs390x; then
- if command -v zipl >/dev/null; then
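Review bot: The failure message `echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."` goes to stdout, while every neighbouring diagnostic in this script (`echo >&2 "The grubby command is missing..."`, `echo >&2 "/boot directory is missing..."`) goes to stderr; since the script then continues with `boot_config=0`, a caller that captures only stderr or checks the exit status will not learn that the kernel command line was never updated and that FIPS mode will not be in effect after the reboot it is told to perform. Suggest `echo >&2 "The pbl command or the fips pattern are missing, please configure the bootloader manually."`, and consider whether this path should exit non-zero rather than fall through, given that a failed `zypper -n install` (no repository access, for instance) is now a silent way to end up without FIPS at boot. Commenting out the grubby check instead of deleting it leaves four dead lines the next rebase has to carry; the same applies to the commented `grubby --update-kernel` block in the hunk below.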
@@ -62,7 +74,7 @@ Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
- fi
- fi
+ pbl --add-option "$fipsopts"
-+ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
++ pbl --config; pbl --install && dracut -f --regenerate-all
+
+ # grubby --update-kernel=ALL --args="$fipsopts"
+ # if test x"$(uname -m)" = xs390x; then
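Review bot: `pbl --config; pbl --install && dracut -f --regenerate-all` runs `pbl --install` and dracut even when `pbl --config` fails because of the `;`, and the status of `pbl --add-option "$fipsopts"` on the line above is never checked either, so a bootloader update that did not apply `fips=1` still ends with "Please reboot the system" and exit 0. For a setting whose whole purpose is enforcement, every step should be chained and a failure reported on stderr with a non-zero exit, e.g. `pbl --add-option "$fipsopts" && pbl --config && pbl --install && dracut -f --regenerate-all || { echo >&2 "Bootloader or initrd update failed; FIPS mode is not configured."; exit 1; }`. An unchecked dracut failure is presumably the worse case, since the system would then boot with `fips=1` and an initrd that was not regenerated for it. The same two lines reappear as new content in the second `fips-mode-setup` section at the end of this patch, where the same change applies; the enclosing `if test "$boot_config" = 1` block starts outside this hunk.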
@@ -75,12 +87,12 @@ Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+ # fi
+
echo "Please reboot the system for the setting to take effect."
- fi
-
-Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
+ else
+ echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
-+++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
@@ -24,6 +24,15 @@ fi
umask 022
@@ -151,10 +163,10 @@ Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
+# echo '`zipl` execution has been skipped: `zipl` not found.'
+# fi
+# fi
-Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
@@ -45,6 +45,23 @@ Then the command modifies the boot loade
When disabling the system FIPS mode the system crypto policy is switched
to DEFAULT and the kernel command line option 'fips=0' is set.
@@ -179,3 +191,129 @@ Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
[[options]]
OPTIONS
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+@@ -8,7 +8,6 @@ check=0
+ boot_config=1
+ err_if_disabled=0
+ output_text=1
+-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+ is_ostree_system=0
+ if test -f /run/ostree-booted -o -d /ostree; then
+@@ -61,18 +60,13 @@ while test $# -ge 1 ; do
+ done
+
+ if test $usage = 1 -o x$enable_fips = x ; then
+- echo "Check, enable, or disable (unsupported) the system FIPS mode."
++ echo "Check, enable, or disable the system FIPS mode."
+ echo "usage: $0 --enable|--disable [--no-bootcfg]"
+ echo "usage: $0 --check"
+ echo "usage: $0 --is-enabled"
+ exit 2
+ fi
+
+-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then
+- echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg."
+- boot_config=0
+-fi
+-
+ # We don't handle the boot config on OSTree systems for now; it is assumed to be
+ # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
+ # intrinsically tied to the firstboot procedure.
+@@ -186,12 +180,6 @@ if test $check = 1 ; then
+ exit 0
+ fi
+
+-# Boot configuration
+-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+-# echo >&2 "The grubby command is missing, please configure the bootloader manually."
+-# boot_config=0
+-# fi
+-
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+ echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
+ echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg."
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$
+ exit 1
+ fi
+
+-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \
+- test -x "$(command -v cryptsetup)" ; then
+- # Best-effort detection of LUKS Argon2 usage
+- argon2_found=''
+- # two redundant ways to list device names
+- devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \
+- dmsetup ls --target crypt | cut -f1) \
+- | sort -u)
+- while IFS= read -r devname; do
+- back=$(cryptsetup status "$devname" | \
+- grep -F device: |
+- sed -E 's/.*device:\s+//')
+- if ! test -b "$back"; then
+- echo >&2 -n "Warning: detected device '$back' "
+- echo >&2 -n 'is not a valid block device. '
+- echo >&2 'Cannot check whether it uses Argon2.'
+- continue
+- fi
+- dump=$(cryptsetup luksDump "$back")
+- if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then
+- argon2_found+=" $back($devname)"
+- fi
+- done <<<"$devs"
+- if test -n "$argon2_found" ; then
+- echo >&2 -n "The following encrypted devices use Argon2 PBKDF:"
+- echo >&2 "$argon2_found"
+- echo >&2 'Aborting fips-mode-setup because of that.'
+- echo >&2 -n 'Please refer to the '
+- echo >&2 'cryptsetup-luksConvertKey(8) manpage.'
+- exit 76
+- fi
+-fi
+-
+ if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then
+ if test $enable_fips = 1 ; then
+ echo >&2 "*****************************************************************"
+@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING"
+ echo >&2 "* *"
+ echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *"
+ echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *"
+- echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *"
+ echo >&2 "*****************************************************************"
+ elif test $enable_fips = 0 ; then
+ echo >&2 "*****************************************************************"
+ echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *"
+ echo >&2 "* *"
+- echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. *"
++ echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*"
+ echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *"
+- echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *"
+ echo >&2 "*****************************************************************"
+ fi
+ for i in {15..1}; do
+@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_
+ if test "$boot_config" = 1 ; then
+ pbl --add-option "$fipsopts"
+ pbl --config; pbl --install && dracut -f --regenerate-all
+-
+- # grubby --update-kernel=ALL --args="$fipsopts"
+- # if test x"$(uname -m)" = xs390x; then
+- # if command -v zipl >/dev/null; then
+- # zipl
+- # else
+- # echo -n '`zipl` execution has been skipped: '
+- # echo '`zipl` not found.'
+- # fi
+- # fi
+-
+- echo "Please reboot the system for the setting to take effect."
++ echo "Please reboot the system for the settings to take effect."
+ else
+ echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+- echo "and reboot the system for the setting to take effect."
++ echo "and reboot the system for the settings to take effect."
+ fi
+
+ exit 0
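Review bot: The second `fips-mode-setup` section removes upstream's LUKS Argon2 guard (from `if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1` through `exit 76`) and the UKI detection (`if test -e "$uki_file" ...`) without a replacement or a comment saying where those cases are now handled. Both guards exist to stop the script from producing an unbootable system: the Argon2 check aborts when an encrypted device uses a PBKDF that is presumably unavailable once FIPS mode is enforced, and the UKI check forces `--no-bootcfg` when the kernel command line is built into a unified image where `pbl --add-option` may not take effect. Since both already have opt-out variables (`FIPS_MODE_SETUP_SKIP_ARGON2_CHECK`, `FIPS_MODE_SETUP_SKIP_UKI_CHECK`), dropping them wholesale is hard to justify from the hunk; if the distribution tooling covers these elsewhere, a comment at the removal site such as `# Argon2 LUKS and UKI handling is done by <component>` should say so, otherwise keeping the checks is the safer default. The `Index:` headers in this patch still name `fedora-crypto-policies-20240201.9f501f3` while the sibling patches on this page target `fedora-crypto-policies-20250124.4d262e7`; patch strips the prefix so this is presumably cosmetic, but it hides which source the hunks were produced against.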
diff --git a/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
new file mode 100644
index 0000000..fd1821e
--- /dev/null
+++ b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
@@ -0,0 +1,78 @@
+diff -PpuriN a/policies/DEFAULT.pol b/policies/DEFAULT.pol
+--- a/policies/DEFAULT.pol 2025-04-09 14:18:34.954692496 +0200
++++ b/policies/DEFAULT.pol 2025-04-09 14:19:26.564391482 +0200
+@@ -90,4 +90,4 @@ hash@RPM = SHA1+
+ min_dsa_size@RPM = 1024
+
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/policies/LEGACY.pol b/policies/LEGACY.pol
+--- a/policies/LEGACY.pol 2025-04-09 14:18:34.955756041 +0200
++++ b/policies/LEGACY.pol 2025-04-09 14:22:03.873723462 +0200
+@@ -82,6 +82,8 @@ min_rsa_size = 1024
+
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+diff -PpuriN a/policies/modules/SHA1.pmod b/policies/modules/SHA1.pmod
+--- a/policies/modules/SHA1.pmod 2025-04-09 14:18:34.957749606 +0200
++++ b/policies/modules/SHA1.pmod 2025-04-09 14:23:41.203919619 +0200
+@@ -6,4 +6,5 @@ sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA
+
+ sha1_in_certs = 1
+
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+ __openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/DEFAULT.pol b/tests/alternative-policies/DEFAULT.pol
+--- a/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:18:34.963027557 +0200
++++ b/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:24:34.158026329 +0200
+@@ -93,4 +93,4 @@ hash@rpm-sequoia = SHA1+
+ min_dsa_size@rpm-sequoia = 1024
+
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/LEGACY.pol b/tests/alternative-policies/LEGACY.pol
+--- a/tests/alternative-policies/LEGACY.pol 2025-04-09 14:18:34.963615512 +0200
++++ b/tests/alternative-policies/LEGACY.pol 2025-04-09 14:25:11.675101933 +0200
+@@ -90,6 +90,8 @@ min_rsa_size = 1024
+
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+
+ # SHA1 is still prevalent in DNSSec
+ sha1_in_dnssec = 1
+diff -PpuriN a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 14:18:34.968542814 +0200
++++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 16:23:01.596169638 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT-opensslcnf.txt b/tests/outputs/DEFAULT-opensslcnf.txt
+--- a/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 14:18:34.967607477 +0200
++++ b/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 16:21:21.456007296 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 14:18:34.969495452 +0200
++++ b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 16:21:54.571054558 +0200
+@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768
+ alg_section = evp_properties
+
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
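Review bot: Flipping `__openssl_block_sha1_signatures = 1` to `0` in DEFAULT.pol turns the generated OpenSSL setting from `rh-allow-sha1-signatures = no` to `yes`, i.e. the distribution's default policy accepts SHA-1 signatures that upstream has chosen to reject (the URL comment directly above points to the Fedora change doing exactly that), and the hunk gives no reason for the deviation. The comment should state the rationale and the way back rather than leaving only the upstream URL, e.g. `# kept enabled in this distribution's DEFAULT for compatibility; use the NO-SHA1 subpolicy to block SHA-1 signatures` — the NO-SHA1 module is only visible in the deleted revert patch at the bottom of this page, so confirm it still sets the value to 1 upstream. Adding `__openssl_block_sha1_signatures = 0` to LEGACY.pol and the alternative-policies copies is redundant if the variable defaults to 0 (as the `INT_DEFAULTS` context in the deleted patch suggests) but harmless as documentation. Only the DEFAULT, DEFAULT:GOST and DEFAULT:TEST-PQ expected outputs are updated; any other test output derived from DEFAULT that contains `rh-allow-sha1-signatures` would need the same change, which the hunk does not show either way.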
diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch
index 7e09857..005a9a8 100644
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@@ -1,21 +1,21 @@
-Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
+Index: fedora-crypto-policies-20250124.4d262e7/Makefile
===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
-+++ fedora-crypto-policies-20230420.3d08ae7/Makefile
-@@ -28,9 +28,9 @@ install: $(MANPAGES)
- mkdir -p $(DESTDIR)$(MANDIR)/man7
- mkdir -p $(DESTDIR)$(MANDIR)/man8
+--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
++++ fedora-crypto-policies-20250124.4d262e7/Makefile
+@@ -34,9 +34,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(UNITDIR)
- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
+ install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
mkdir -p $(DESTDIR)$(DIR)/
- install -p -m 644 default-config $(DESTDIR)$(DIR)
- install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
-@@ -114,8 +114,8 @@ clean:
+@@ -133,8 +133,8 @@ clean:
rm -rf output
%: %.txt
diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch
index e498d4a..a00acba 100644
--- a/crypto-policies-nss.patch
+++ b/crypto-policies-nss.patch
@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
-+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
-@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
try:
with os.fdopen(fd, 'w') as f:
f.write(config)
@@ -29,7 +29,7 @@ Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
finally:
os.unlink(path)
-@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
+@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
cls.eprint("There is a warning in NSS generated policy")
cls.eprint(f'Policy:\n{config}')
return False
@@ -37,6 +37,6 @@ Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+ cls.eprint('Skipping NSS policy check: '
+ '/usr/bin/nss-policy-check not found')
+ return True
- elif ret:
+ if ret:
cls.eprint("There is an error in NSS generated policy")
cls.eprint(f'Policy:\n{config}')
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
index 4fc811c..d2b0a9c 100644
--- a/crypto-policies-policygenerators.patch
+++ b/crypto-policies-policygenerators.patch
@@ -1,43 +1,40 @@
-Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
-@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+@@ -7,7 +7,7 @@ from .bind import BindGenerator
+ from .gnutls import GnuTLSGenerator
from .java import JavaGenerator
- from .java import JavaSystemGenerator
from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
+# from .libreswan import LibreswanGenerator
from .libssh import LibsshGenerator
from .nss import NSSGenerator
- from .openssh import OpenSSHClientGenerator
-@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
- from .openssl import OpenSSLConfigGenerator
- from .openssl import OpenSSLGenerator
- from .openssl import OpenSSLFIPSGenerator
--from .sequoia import SequoiaGenerator
--from .sequoia import RPMSequoiaGenerator
-+# from .sequoia import SequoiaGenerator
-+# from .sequoia import RPMSequoiaGenerator
+ from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+@@ -16,14 +16,13 @@ from .openssl import (
+ OpenSSLFIPSGenerator,
+ OpenSSLGenerator,
+ )
+-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
__all__ = [
'BindGenerator',
-@@ -25,7 +25,6 @@ __all__ = [
+ 'GnuTLSGenerator',
'JavaGenerator',
- 'JavaSystemGenerator',
'KRB5Generator',
- 'LibreswanGenerator',
'LibsshGenerator',
'NSSGenerator',
'OpenSSHClientGenerator',
-@@ -33,6 +32,8 @@ __all__ = [
+@@ -31,6 +30,8 @@ __all__ = [
'OpenSSLConfigGenerator',
- 'OpenSSLGenerator',
'OpenSSLFIPSGenerator',
-- 'SequoiaGenerator',
+ 'OpenSSLGenerator',
- 'RPMSequoiaGenerator',
+- 'SequoiaGenerator',
]
+
-+# 'LibreswanGenerator',
-+# 'SequoiaGenerator',
-+# 'RPMSequoiaGenerator',
++ # 'LibreswanGenerator',
++ # 'RPMSequoiaGenerator',
++ # 'SequoiaGenerator',
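Review bot: The commented-out import `#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator` is written without the space that the `# from .libreswan import LibreswanGenerator` line two hunks above uses (PEP 8 block-comment form), and the three `# 'LibreswanGenerator',` style lines are appended after `__all__`'s closing `]` with a one-space indent rather than placed inside the list they annotate. Neither the patch nor the inner hunk says why these generators are disabled in this build; a single comment above the import, e.g. `# libreswan and sequoia generators are not shipped with this package`, would spare the next rebase a guess. I cannot tell from the hunk whether every commented-out generator name has also been dropped from `__all__` (the `-31,6 +30,8` hunk shows only `'SequoiaGenerator'` being removed); if any remains listed, `from policygenerators import *` raises AttributeError at import time, so that is worth confirming.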
diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch
deleted file mode 100644
index 854fb09..0000000
--- a/crypto-policies-revert-rh-allow-sha1-signatures.patch
+++ /dev/null
@@ -1,327 +0,0 @@
-From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin
-Date: Fri, 8 Apr 2022 13:47:29 +0200
-Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
-
-
-Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol
-+++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
-@@ -66,7 +66,3 @@ sha1_in_certs = 0
- arbitrary_dh_groups = 1
- ssh_certs = 1
- ssh_etm = 1
--
--# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
--# SHA-1 signatures are blocked in OpenSSL in FUTURE only
--__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod
-+++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
-@@ -3,7 +3,3 @@
- hash = -SHA1
- sign = -*-SHA1
- sha1_in_certs = 0
--
--# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
--# SHA-1 signatures are blocked in OpenSSL in FUTURE only
--__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py
-+++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
-@@ -24,7 +24,6 @@ from . import validation # moved out of
- INT_DEFAULTS = {k: 0 for k in (
- 'arbitrary_dh_groups',
- 'min_dh_size', 'min_dsa_size', 'min_rsa_size',
-- '__openssl_block_sha1_signatures', # FUTURE/TEST-FEDORA39/NO-SHA1
- 'sha1_in_certs',
- 'ssh_certs', 'ssh_etm',
- )}
-Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py
-+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
-@@ -7,13 +7,6 @@ from subprocess import check_output, Cal
-
- from .configgenerator import ConfigGenerator
-
--RH_SHA1_SECTION = '''
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = {}
--'''
-
- FIPS_MODULE_CONFIG = '''
- [fips_sect]
-@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
- if policy.enums['__ems'] == 'RELAX':
- s += 'Options = RHNoEnforceEMSinFIPS\n'
-
-- # In the future it'll be just
-- # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
-- # but for now we slow down the roll-out and we have
-- sha1_sig = not policy.integers['__openssl_block_sha1_signatures']
-- s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no')
--
- return s
-
- @classmethod
-Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol
-+++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
-@@ -73,7 +73,3 @@ sha1_in_dnssec = 0
- arbitrary_dh_groups = 1
- ssh_certs = 1
- ssh_etm = 1
--
--# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
--# SHA-1 signatures are blocked in OpenSSL in FUTURE only
--__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
-@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
- Ciphersuites =
- SignatureAlgorithms =
- Groups =
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = secp256r1:secp521r1:secp384r1
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = no
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
-@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
- TLS.MaxProtocol = TLSv1.3
- SignatureAlgorithms =
- Groups =
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py
-+++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
-@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
- min_dh_size = 0
- min_dsa_size = 0
- min_rsa_size = 0
-- __openssl_block_sha1_signatures = 0
- sha1_in_certs = 0
- ssh_certs = 0
- ssh_etm = 0
-@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted(
- min_dh_size = 0
- min_dsa_size = 0
- min_rsa_size = 0
-- __openssl_block_sha1_signatures = 0
- sha1_in_certs = 0
- ssh_certs = 0
- ssh_etm = 0
-Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol
-+++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
-@@ -68,7 +68,3 @@ sha1_in_certs = 0
- arbitrary_dh_groups = 1
- ssh_certs = 1
- ssh_etm = 1
--
--# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
--# SHA-1 signatures will blocked in OpenSSL
--__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = no
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
-===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
-+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
-@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
- Options = RHNoEnforceEMSinFIPS
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
index 1ce9e4c..bf29719 100644
--- a/crypto-policies-supported.patch
+++ b/crypto-policies-supported.patch
@@ -13,25 +13,25 @@ Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
-* NSS library (NSS, SSL, TLS)
-+* NSS library (NSS, SSL, TLS) (Not supported)
++* NSS library (NSS, SSL, TLS) (Supported)
-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported)
-* Libkrb5 (krb5, kerberos)
-+* Libkrb5 (krb5, kerberos) (Not supported)
++* Libkrb5 (krb5, kerberos) (Supported)
-* BIND (BIND, DNSSec)
-+* BIND (BIND, DNSSec) (Not supported)
++* BIND (BIND, DNSSec) (Supported)
-* OpenSSH (OpenSSH, SSH)
-+* OpenSSH (OpenSSH, SSH) (Not supported)
++* OpenSSH (OpenSSH, SSH) (Supported)
-* Libreswan (libreswan, IKE, IPSec)
-+* Libreswan (libreswan, IKE, IPSec) (Not supported)
++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE)
-* libssh (libssh, SSH)
-+* libssh (libssh, SSH) (Not supported)
++* libssh (libssh, SSH) (Supported)
Applications and languages which rely on any of these back-ends will follow
the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
index 08f79e3..1f0f2a3 100644
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:e827416a5fcfaad62e92def75aba69413f66c0e8b15d87db492629152838f097
-size 7322
+oid sha256:8a455bfe2ea82738a0237e3ab8c11256f78219436a1dbcc9c3ff0cb7f6a2019b
+size 7675
diff --git a/crypto-policies.changes b/crypto-policies.changes
index 62fe064..1792654 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -1,3 +1,174 @@
+-------------------------------------------------------------------
+Mon Jun 30 08:01:55 UTC 2025 - Pedro Monreal
+
+- Allow openssl to load when using the DEFAULT policy, and also
+ other policies, in FIPS mode. [bsc#1243830, bsc#1242233]
+ * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+
+-------------------------------------------------------------------
+Wed Apr 9 12:32:47 UTC 2025 - Pedro Monreal
+
+- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+
+-------------------------------------------------------------------
+Thu Mar 27 10:37:18 UTC 2025 - Pedro Monreal
+
+- Relax the nss version requirement since the mlkem768secp256r1
+ enablement has been reverted.
+
+-------------------------------------------------------------------
+Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal
+
+- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+ * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+
+-------------------------------------------------------------------
+Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal
+
+- Enable SHA1 sigver in the DEFAULT policy.
+ * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+
+-------------------------------------------------------------------
+Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal
+
+- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637]
+ * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal
+
+- Remove dangling symlink for the libreswan config [bsc#1236858]
+- Remove also sequoia config and generator files
+- Remove not needed fips bind mount service
+
+-------------------------------------------------------------------
+Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal
+
+- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165]
+ * openssl: stricter enabling of Ciphersuites
+ * openssl: make use of -CBC and -AESGCM keywords
+ * openssl: add TLS 1.3 Brainpool identifiers
+ * fix warning on using experimental key_exchanges
+ * update-crypto-policies: don't output FIPS warning in fips mode
+ * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
+ * openssh, libssh: refactor kx maps to use tuples
+ * alg_lists: mark MLKEM768/SNTRUP kex experimental
+ * nss: revert enabling mlkem768secp256r1
+ * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
+ * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
+ * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
+ * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
+ * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
+ * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
+ * python/update-crypto-policies: pacify pylint
+ * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
+ * fips-mode-setup: small Argon2 detection fix
+ * SHA1: add __openssl_block_sha1_signatures = 0
+ * fips-mode-setup: block if LUKS devices using Argon2 are detected
+ * update-crypto-policies: skip warning on --set=FIPS if bootc
+ * fips-setup-helper: skip warning, BTW
+ * fips-mode-setup: force --no-bootcfg when UKI is detected
+ * fips-setup-helper: add a libexec helper for anaconda
+ * fips-crypto-policy-overlay: automount FIPS policy
+ * openssh: make dss no longer enableble, support is dropped
+ * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
+ * DEFAULT: switch to rh-allow-sha1-signatures = no...
+ * java: drop unused javasystem backend
+ * java: stop specifying jdk.tls.namedGroups in javasystem
+ * ec_min_size: introduce and use in java, default to 256
+ * java: use and include jdk.disabled.namedCurves
+ * BSI: Update BSI policy for new 2024 minimum recommendations
+ * fips-mode-setup: flashy ticking warning upon use
+ * fips-mode-setup: add another scary "unsupported"
+ * CONTRIBUTING.md: add a small section on updating policies
+ * CONTRIBUTING.md: remove trailing punctuation from headers
+ * BSI: switch to 3072 minimum RSA key size
+ * java: make hash, mac and sign more orthogonal
+ * java: specify jdk.tls.namedGroups system property
+ * java: respect more key size restrictions
+ * java: disable anon ciphersuites, tying them to NULL...
+ * java: start controlling / disable DTLSv1.0
+ * nss: wire KYBER768 to XYBER768D00
+ * nss: unconditionally load p11-kit-proxy.so
+ * gnutls: make DTLS0.9 controllable again
+ * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH
+ * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE
+ * gnutls: remove extraneous newline
+ * sequoia: move away from subprocess.getstatusoutput
+ * python/cryptopolicies/cryptopolicies.py: add trailing commas
+ * python, tests: rename MalformedLine to MalformedLineError
+ * Makefile: introduce SKIP_LINTING flag for packagers to use
+ * Makefile: run ruff
+ * tests: use pathlib
+ * tests: run(check=True) + CalledProcessError where convenient
+ * tests: use subprocess.run
+ * tests/krb5.py: check all generated policies
+ * tests: print to stderr on error paths
+ * tests/nss.py: also use encoding='utf-8'
+ * tests/nss.py: also use removesuffix
+ * tests/nss.py: skip creating tempfiles
+ * tests/java.pl -> tests/java.py
+ * tests/gnutls.pl -> tests/gnutls.py
+ * tests/openssl.pl -> tests/openssl.py
+ * tests/verify-output.pl: remove
+ * libreswan: do not use up pfs= / ikev2= keywords for default behaviour
+ * Rebase patches:
+ - crypto-policies-no-build-manpages.patch
+ - crypto-policies-policygenerators.patch
+ - crypto-policies-supported.patch
+ - crypto-policies-nss.patch
+
+-------------------------------------------------------------------
+Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal
+
+- Update to version 20241010.5930b9a:
+ * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
+ * nss: be stricter with new purposes
+ * nss: rewrite backend for 3.101
+ * cryptopolicies: parent scopes for dumping purposes
+ * policygenerators: move scoping inside generators
+ * TEST-PQ: disable pure Kyber768
+ * nss: wire XYBER768D00 to X25519-KYBER768
+ * TEST-PQ: update
+ * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
+ * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values
+ * TEST-PQ, python: add more groups, mark experimental
+ * openssl: mark liboqsprovider groups optional with ?
+ * Remove patches:
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal
+
+- Update to version 20240201.9f501f3:
+ * .gitlab-ci.yml: install sequoia-policy-config
+ * java: disable ChaCha20-Poly1305 where applicable
+ * fips-mode-setup: make sure ostree is detected in chroot
+ * fips-finish-install: make sure ostree is detected in chroot
+ * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl
+ * TEST-PQ: add a no-op subpolicy
+ * update-crypto-policies: Keep mid-sentence upper case
+ * fips-mode-setup: Write error messages to stderr
+ * fips-mode-setup: Fix some shellcheck warnings
+ * fips-mode-setup: Fix test for empty /boot
+ * fips-mode-setup: Avoid 'boot=UUID=' if /boot == /
+ * Update man pages
+ * Rebase patches:
+ - crypto-policies-FIPS.patch
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal
+
+- Update to version 20231108.adb5572b:
+ * Print matches in syntax deprecation warnings
+ * Restore support for scoped ssh_etm directives
+ * fips-mode-setup: Fix usage with --no-bootcfg
+ * turn ssh_etm into an etm@SSH tri-state
+ * fips-mode-setup: increase chroot-friendliness
+ * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
+ * pylintrc: use-implicit-booleaness-not-comparison-to-*
+
-------------------------------------------------------------------
Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 03ebdf9..5a372f8 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,7 +1,7 @@
#
# spec file for package crypto-policies
#
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,8 +21,9 @@
# manbuild is disabled by default
%bcond_with manbuild
%global _python_bytecompile_extra 0
+
Name: crypto-policies
-Version: 20230920.570ea89
+Version: 20250124.4d262e7
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@@ -47,41 +48,36 @@ Patch1: crypto-policies-no-build-manpages.patch
Patch2: crypto-policies-policygenerators.patch
#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
Patch3: crypto-policies-supported.patch
-#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
-Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
Patch5: crypto-policies-pylint.patch
#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
Patch6: crypto-policies-FIPS.patch
#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
Patch7: crypto-policies-nss.patch
-BuildRequires: python3-base >= 3.6
-# The sequoia stuff needs python3-toml, removed until needed
-# BuildRequires: python3-toml
+#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+Patch9: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow openssl to load when using any policy in FIPS mode [bsc#1243830, bsc#1242233]
+Patch10: crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+BuildRequires: python3-base >= 3.11
%if %{with manbuild}
BuildRequires: asciidoc
%endif
%if %{with testsuite}
# The following packages are needed for the testsuite
BuildRequires: bind
-BuildRequires: codespell
-BuildRequires: gnutls >= 3.6.0
+BuildRequires: crypto-policies-scripts
+BuildRequires: gnutls
BuildRequires: java-devel
-BuildRequires: krb5-devel
BuildRequires: libxslt
BuildRequires: mozilla-nss-tools
+BuildRequires: openssh-clients
BuildRequires: openssl
-BuildRequires: perl
BuildRequires: python-rpm-macros
-BuildRequires: python3-coverage
-BuildRequires: python3-devel >= 3.6
-BuildRequires: python3-flake8
-BuildRequires: python3-pylint
+BuildRequires: python3-devel >= 3.11
BuildRequires: python3-pytest
-BuildRequires: perl(File::Copy)
-BuildRequires: perl(File::Temp)
-BuildRequires: perl(File::Which)
-BuildRequires: perl(File::pushd)
+BuildRequires: systemd-rpm-macros
%else
# Avoid cycle with python-rpm-macros
#!BuildIgnore: python-rpm-packaging python-rpm-macros
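Review bot: The `Patch8` comment `#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT` carries neither a rationale nor a tracking reference, unlike the neighbouring Patch3/6/7/9/10 lines, yet this is the one patch in the set that widens a policy rather than fixing a load failure: the changelog for this same update lists upstream's `DEFAULT: switch to rh-allow-sha1-signatures = no`, so the patch re-enables SHA-1 signature verification that upstream deliberately turned off. A packager reading the spec later needs to know this is an intentional, compatibility-driven deviation and where it is tracked, otherwise it looks like an accidental leftover and may be dropped or kept for the wrong reasons. Suggest `#PATCH-FIX-OPENSUSE Keep SHA1 signature verification enabled in DEFAULT for compatibility; deviates from upstream's rh-allow-sha1-signatures = no [bsc#<tracking-bug-placeholder>]`, matching the style the removed Patch4 comment used. The placeholder needs the real bug or jsc reference from the packaging tracker.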
@@ -89,10 +85,10 @@ BuildRequires: perl(File::pushd)
%if 0%{?primary_python:1}
Recommends: crypto-policies-scripts
%endif
-Conflicts: gnutls < 3.7.3
-#Conflicts: libreswan < 3.28
-Conflicts: nss < 3.90.0
-#Conflicts: openssh < 8.2p1
+Conflicts: gnutls < 3.8.8
+Conflicts: nss < 3.101
+Conflicts: openssh < 9.9p1
+Conflicts: openssl < 3.0.2
#!BuildIgnore: crypto-policies
BuildArch: noarch
@@ -105,6 +101,7 @@ such as SSL/TLS libraries.
Summary: Tool to switch between crypto policies
Requires: %{name} = %{version}-%{release}
Recommends: perl-Bootloader
+Provides: fips-mode-setup = %{version}-%{release}
%description scripts
This package provides a tool update-crypto-policies, which applies
@@ -121,15 +118,8 @@ to enable or disable the system FIPS mode.
# Make README.SUSE available for %%doc
cp -p %{SOURCE1} .
-# Remove not needed policy generators
-find -name libreswan.py -delete
-find -name sequoia.py -delete
-
%build
export OPENSSL_CONF=''
-sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
- python/policygenerators/openssh.py
-grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
%make_build
%install
@@ -162,12 +152,19 @@ install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
-# Drop pre-generated GOST-ONLY policy, we do not need to ship them
+# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
-
-# Drop FEDORA policies
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+# Drop libreswan and sequoia config files
+find %{buildroot} -type f -name 'libreswan.*' -print -delete
+find %{buildroot} -type f -name 'sequoia.*' -print -delete
+
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
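Review bot: The glob in `find %{buildroot} -type f -name 'sequoia.*' -print -delete` matches `sequoia.config` but not `rpm-sequoia.config`, while the %files hunk below drops the %ghost entries for both names, so if the build tree still emits an `rpm-sequoia.*` back-end file it will stay in the buildroot and either fail the unpackaged-files check or be swept in by a wildcard. Presumably the intent is to drop every sequoia artefact; `-name '*sequoia.*'` would cover both spellings in one line. The same question applies to the `libreswan.*` line if upstream ever ships a prefixed variant, though nothing visible here suggests one.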
@@ -229,12 +226,24 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
end
end
+cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
+st = posix.stat(cfg_path_libreswan)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_libreswan)
+end
+
+cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
+st = posix.stat(cfg_path_javasystem)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_javasystem)
+end
+
%posttrans scripts
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
%files
%license COPYING.LESSER
-%doc README.md NEWS CONTRIBUTING.md
+%doc README.md CONTRIBUTING.md
%doc %{_sysconfdir}/crypto-policies/README.SUSE
%dir %{_sysconfdir}/crypto-policies/
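Review bot: The new Lua cleanup only unlinks `libreswan.config` and `javasystem.config` when `st.type == "link"`, yet the comment kept at `%%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will` says these back-end configs can also be regular files; with their `%ghost` entries dropped in the next hunk (`@@ -256,12 +265,8 @@`), a regular-file variant is left on the system unowned by any package. If keeping a locally edited regular file is deliberate, a one-line comment saying so would help; otherwise extend the condition to `if st and (st.type == "link" or st.type == "regular") then`. That next hunk also drops the `%ghost` entries for `sequoia.config` and `rpm-sequoia.config`, which get no corresponding cleanup here. The scriptlet containing these lines starts before the hunk.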
@@ -256,12 +265,8 @@ end
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
%ghost %{_sysconfdir}/crypto-policies/state/current
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
deleted file mode 100644
index 033597b..0000000
--- a/fedora-crypto-policies-20230920.570ea89.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
-size 90127
diff --git a/fedora-crypto-policies-20250124.4d262e7.tar.gz b/fedora-crypto-policies-20250124.4d262e7.tar.gz
new file mode 100644
index 0000000..e427784
--- /dev/null
+++ b/fedora-crypto-policies-20250124.4d262e7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33d72a26ed1543702fc5c8aca8cea0b71667fa2fb9040ed9850480fe3235dfbf
+size 102444
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
index 64ae646..a882f5e 100644
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:af99d2b749bd8276adcf4579a71411b7c028031e0c68d13702b7ef19bced7e89
-size 950
+oid sha256:93e6dcce6491836df86af048bd0e800868e818359ad4749f7441817e5f11891e
+size 949
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
index e30c8cf..219903c 100644
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:67c8f9d38bcfdf2ecc265245d88138c46444bee5883a14fb2c7d520af6c0078e
-size 1783
+oid sha256:a9d4ded30f73bf76626f79f507c164a82fac54bed8daa6e9e40d3af46f276a67
+size 1782
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
index 0d49668..adbc707 100644
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:aeca399e889653394e5016ad57333c55a9a2cb0ed4ae2e7538700ffea5b7089b
-size 4154
+oid sha256:492615feef5d98e42ca928ddc05114ef7a93df1752afbf5a0db8cf0625071b59
+size 4149