[Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

Tue Mar 12 16:05:45 UTC 2019

On Mon, 11 Mar 2019 at 21:20, Steve Langasek
<steve.langasek at canonical.com> wrote:
>
> Acceptance of openssl currently blocked on coverage of the (distro
> patch) OPENSSL_TLS_SECURITY_LEVEL change as part of the SRU template.
>

In Debian (but never ubuntu) they have bumped the default security
level from 1, to 2.

In Ubuntu, we have further decreased security level from 1 to 0, for
connectivity compatibility with openssl 1.0.2. This change was done in
cosmic, and is part of this SRU backport.

The reason for the decreased security level is to aid with
connectivity compatibily with older Ubuntu LTS releases based on
openssl 1.0.2. Such that bionic clients can connect to older servers,
even if the server uses small keys / md5 / etc.

I do not believe it is possible to set higher default security level
"for servers only". Thus we rely on server/daemon apps to have
stronger configuration, large keys, better certs, etc.

There are 1.1.0/1.1.1 APIs available to dynamically set higher
security levels, which highly active servers are using to increase
security levels in servers/daemons.

These changes are documented in the cosmic+ changelog with the
following entries:
- Revert "Enable system default config to enforce TLS1.2 as a
  minimum" & "Increase default security level from 1 to 2".
- Further decrease security level from 1 to 0, for compatibility with
  openssl 1.0.2.

Migration path to stonger defaults is to be done in 2020. This is
inline with major web-browsers too. All of them still support weaker
defaults. And all of them however have committed to drop support for
those in 2020. My expectation is to follow suit, and set default
security level to 2, and require TLS1.2 shortly after 19.10 release.

For the webbrowsers announcements please see these references:
https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
https://security.googleblog.com/2018/10/modernizing-transport-security.html
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

-- 
Regards,

Dimitri.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Incomplete
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to increased set of supported hashes & algoes,
  as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Regression Potential]

   * Connectivity interop is the biggest issues which will be
  unavoidable with introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. Solution is client change to set hostname, or to clamp down the client to TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions