[Bug 2003903] [NEW] [BPO] openssl/3.0.5-2ubuntu2 from kinetic
Mark Pruett
2003903 at bugs.launchpad.net
Wed Jan 25 19:48:14 UTC 2023
Public bug reported:
Humbly requesting backporting OpenSSL 3.0.5-2ubuntu2 from kinetic to
jammy.
[Impact]
From the OpenSSL 3.0 migration guide:
(https://www.openssl.org/docs/man3.0/man7/migration_guide.html)
"Secure renegotiation is now required by default for TLS connections
Support for RFC 5746 secure renegotiation is now required by default for
SSL or TLS connections to succeed. Applications that require the ability
to connect to legacy peers will need to explicitly set
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
is no longer set as part of SSL_OP_ALL."
------------
OpenSSL 3.0.2 doesn't allow you to enable UnsafeLegacyServerConnect in
the openssl.cnf file. The OpenSSL team documented this option but forgot
to implement it (https://github.com/openssl/openssl/pull/18296).
Users are recommending enabling UnsafeLegacyRenegotiation (see
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32)
(see more examples in "Other Info")
When this is enabled, it makes OpenSSL 3 less secure than 1.1.1 (which
is what the previous LTS, Focal, uses).
Backporting the newer OpenSSL 3.0.5 would allow users to enable
UnsafeLegacyConnect, while keeping UnsafeLegacyRenegotiation disabled.
[Scope]
Backport OpenSSL 3.0.5-2ubuntu2 from kinetic
Backport to jammy
[Other Info]
Other places where users are recommending enabling UnsafeLegacyRenegotiation:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/6
https://ubuntuforums.org/showthread.php?t=2474436&p=14094091#post14094091
https://www.reddit.com/r/Ubuntu/comments/ufalf4/cannot_connect_to_eduroam_since_2204_update/
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
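As an added illustration (not part of the bug report or of the openssl package), two openssl.cnf fragments side by side: the workaround circulated in the linked threads and the narrower option this backport request is about. It assumes the stock Ubuntu layout in which openssl_conf names an [openssl_init] section carrying an ssl_conf entry, and uses the option names documented for SSL_CONF_cmd(3).

```ini
# Added example, constructed for this note; not a file shipped by the package.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

# Weak setting, the workaround recommended in the linked threads.
# Maps to SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: renegotiation with a
# peer that lacks RFC 5746 support is accepted again, which is what the
# report means by "less secure than 1.1.1". Left commented out; only one
# [system_default_sect] block may be active.
#[system_default_sect]
#Options = UnsafeLegacyRenegotiation

# Narrower setting the backport is requested for.
# Maps to SSL_OP_LEGACY_SERVER_CONNECT: only the initial handshake to a
# server that does not advertise the renegotiation_info extension is
# permitted; insecure renegotiation itself stays refused. Per the report
# this keyword is not accepted from openssl.cnf by 3.0.2 and was added
# to the config parser in 3.0.5 (PR 18296).
[system_default_sect]
Options = UnsafeLegacyServerConnect
```

Because these settings apply process-wide through the system defaults, a narrower alternative on a given host is to set SSL_OP_LEGACY_SERVER_CONNECT only in the one application that must talk to the legacy peer.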
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2003903