[Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

EOLE team eole-team at ac-dijon.fr
Fri Apr 5 08:22:37 UTC 2019 

The libssl1.1 version 1.1.1-1ubuntu2.1~18.04.1 breaks salt package
version 2017.7.4+dfsg1-1:

root at server:~# salt-key -L
Error: unknown error (_ssl.c:2788)

root at server:~# salt --versions-report
Traceback (most recent call last):
  File "/usr/bin/salt", line 10, in <module>
    salt_main()
  File "/usr/lib/python3/dist-packages/salt/scripts.py", line 476, in salt_main
    client.run()
  File "/usr/lib/python3/dist-packages/salt/cli/salt.py", line 33, in run
    import salt.client
  File "/usr/lib/python3/dist-packages/salt/client/__init__.py", line 31, in <module>
    import salt.cache
  File "/usr/lib/python3/dist-packages/salt/cache/__init__.py", line 18, in <module>
    import salt.loader
  File "/usr/lib/python3/dist-packages/salt/loader.py", line 26, in <module>
    import salt.utils.event
  File "/usr/lib/python3/dist-packages/salt/utils/event.py", line 70, in <module>
    import tornado.iostream
  File "/usr/lib/python3/dist-packages/tornado/iostream.py", line 40, in <module>
    from tornado.netutil import ssl_wrap_socket, ssl_match_hostname, SSLCertificateError, _client_ssl_defaults, _server_ssl_defaults
  File "/usr/lib/python3/dist-packages/tornado/netutil.py", line 57, in <module>
    ssl.Purpose.SERVER_AUTH)
  File "/usr/lib/python3.6/ssl.py", line 502, in create_default_context
    context = SSLContext(PROTOCOL_TLS)
  File "/usr/lib/python3.6/ssl.py", line 391, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: unknown error (_ssl.c:2788)

Seems to be python3.6 which is impacted.

Regards.

** Also affects: salt (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in salt package in Ubuntu:
  New
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Fix Committed
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New
Status in salt source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to increased set of supported hashes & algoes,
  as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Test cases for the python updates]

  python3.7 is a preview in bionic as a non-supported/non-default
  version of python3. Passing it's own autopkgtests is sufficient
  validation for python3.7. It includes a point release update, with
  OpenSSL 1.1.1 compat and features.

  python3.6 not only has OpenSSL 1.1.1 compat and features patches, but
  also includes a point release update to 3.6.8. It has been part of the
  full-archive rebuild and regression analysis. Autopkgtests were
  triggered for python3.6 and python3-defaults with regressions already
  fixed in the individual packages as appropriate.

  python2.7 has the update from .15~rc1 to .15 final, with OpenSSL 1.1.1
  compat only. It has been part of the full-archive rebuild and
  regression analysis. Autopkgtests were triggered for python2.7 and
  python-defaults with regressions already fixed in the individual
  packages as appropriate.

  [Regression Potential]

   * Connectivity interop is the biggest issues which will be
  unavoidable with introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. Solution is client change to set hostname, or to clamp down the client to TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

  [Autopkgtest Regressions]

  dovecot/armhf - flakey

  libnet-ssleay-perl - awaiting sru accept into proposed of
  libnet-ssleay-perl and libio-socket-ssl-perl due to fixes and
  versioned breaks.

  linux* - rebuild testcases passes (for some edge flavours the build
  fails in non-ssl portions of the build), ubuntu-regression-suite
  testcase fails for a few variants but should have been skipped (in
  progress to be fixed in
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1823056)

  openvswitch/i386 - extremely flakey, errors out or fails mostly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions

More information about the foundations-bugs mailing list