[Bug 1972056] Re: [openssl3] please sync openssl.cnf to ease changing security level

Launchpad Bug Tracker 1972056 at bugs.launchpad.net
Mon Jun 20 14:32:33 UTC 2022


This bug was fixed in the package openssl - 3.0.2-0ubuntu1.4

---------------
openssl (3.0.2-0ubuntu1.4) jammy; urgency=medium

  * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)

openssl (3.0.2-0ubuntu1.3) jammy; urgency=medium

  * d/p/lp1974037/*: cherry-pick another patchset to fix regressions with the
    previous lp1974037 one (LP: #1974037)
  * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on
    Ubuntu to make it easier for user to change security level (LP: #1972056)
  * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
    trigger the underlying bug (LP: #1947588)

 -- Simon Chopin <schopin at ubuntu.com>  Thu, 09 Jun 2022 13:20:55 +0200

** Changed in: openssl (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1972056

Title:
  [openssl3] please sync openssl.cnf to ease changing security level

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Jammy:
  Fix Released
Status in openssl source package in Kinetic:
  Fix Released
Status in openssl package in Debian:
  Fix Released

Bug description:
  [Impact]

  OpenSSL 3.0 led to a lot of broken setups. Some of them are
  regressions, but others are simply broken due to the use of outdated
  algorithms, such as SHA-1 signature on certificates. Changing the
  security level is a common action to identify and work around such
  cases, and as such the user should be able to change it easily in the
  default config file.

  The fix is to partially revert our delta that ignored a Debian patch:
  instead of ignoring the patch entirely, we modify it to only affect
  the default configuration file, and in a way that matches our
  patchset. Using this approach will allow us to pick up on Debian's
  changes more easily during subsequent merges.

  [Test Plan]

  To easily check that the setting is taken into account, one can use
  'openssl ciphers -s'

  $ openssl ciphers -v -s | wc -l # Uses the default value
  30
  $ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=2' | wc -l
  30
  $ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=3' | wc -l
  24
  $ vim /etc/ssl/openssl.cnf # edit the config file to bump the seclevel to 3
  $ openssl ciphers -v -s | wc -l # Uses the new value from the config file
  24

  [Where problems could occur]

  The changes could break the overall configuration of OpenSSL!

  [Origin report]
  openssl.cnf as provided misses some directives, which makes it a bit
  difficult to change the security level, which, since OpenSSL 3,
  disables SHA1 signatures.

  See also this Debian bug
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010360 and the
  committed fix:
  https://salsa.debian.org/debian/openssl/-/commit/b507914c40270e32cde6afcc8af93707c225e7f4

  Can you please sync this change in Ubuntu openssl?

  This way one should just add a single directive to change the security
  level.

  Thanks.
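The directive chain the fix adds to openssl.cnf, together with the `openssl ciphers -s` check from the test plan, as an added example (not code from the bug report or from the openssl package): it assumes an OpenSSL 3.x `openssl` binary in PATH, writes constructed temporary config files, and uses the section names Debian's openssl.cnf uses (openssl_init, ssl_sect, system_default_sect).

```shell
#!/bin/sh
# Added example, not from the bug report. Builds a minimal openssl.cnf that
# carries the ssl_conf -> system_default -> CipherString chain, then uses
# 'openssl ciphers -s' to confirm libssl honours the level set in the file.
# Assumes OpenSSL 3.x in PATH; all file paths are constructed temporaries.
set -eu

# Write a config whose only job is to set the system-wide SECLEVEL.
# $1 = output path, $2 = security level (0-5)
write_seclevel_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=$2
EOF
}

# Count the ciphersuites libssl would offer under config file $1.
# '-s' applies the security level; without it the list ignores SECLEVEL.
count_ciphers() {
    OPENSSL_CONF="$1" openssl ciphers -v -s | wc -l | tr -d ' '
}

# Succeeds only when raising the level strictly shrinks the offered list,
# i.e. the directive in the file is applied rather than silently ignored.
seclevel_is_honoured() {
    tmp=$(mktemp -d)
    write_seclevel_cnf "$tmp/lvl2.cnf" 2
    write_seclevel_cnf "$tmp/lvl3.cnf" 3
    n2=$(count_ciphers "$tmp/lvl2.cnf")
    n3=$(count_ciphers "$tmp/lvl3.cnf")
    echo "SECLEVEL=2: $n2 suites, SECLEVEL=3: $n3 suites"
    rm -rf "$tmp"
    [ "$n3" -gt 0 ] && [ "$n3" -lt "$n2" ]
}

# Run the check only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    seclevel_is_honoured
fi
```

Pointing OPENSSL_CONF at a scratch file lets you try a level without touching /etc/ssl/openssl.cnf; once the stanza is in the system file, the same `openssl ciphers -v -s` count verifies it.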

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1972056/+subscriptions
