[Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

Wed Apr 3 23:16:23 UTC 2019

Hello Dimitri, or anyone else affected,

Accepted openssl into bionic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssl (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Fix Committed
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to increased set of supported hashes & algoes,
  as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Regression Potential]

   * Connectivity interop is the biggest issues which will be
  unavoidable with introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. Solution is client change to set hostname, or to clamp down the client to TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

   * Following the change in Cosmic and up, this SRU also includes a
  distro patch that lowers OPENSSL_TLS_SECURITY_LEVEL from 1 to 0, to
  allow for establishing client->server server->client connections with
  lower grade security settings (e.g. sub-80bits keys, MD5/SHA1
  certificate checksums, and other crap like that). This is to continue
  allow bionic clients to connect to servers operating with older 1.0.x
  based openssl, as typically clients are at no mercy to reject servers
  that do not have any better certs/keys/signatures. Thus potentially
  weak-security connections that previously would fail to establish
  to/from bionic, may now be accepted. Some may view this as a
  regression. In that case adjust openssl.cnf to a higher
  TLS_SECURITY_LEVEL, or use the openssl ctx APIs to set a higher TLS
  security level. See further comments in this bug report as to when we
  will be raising this LEVEL up (currently timeline is to raise to 2, in
  20.04 LTS).

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions