[Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS
Steve Langasek
steve.langasek at canonical.com
Sat Mar 9 20:31:38 UTC 2019
Hello Dimitri, or anyone else affected,
Accepted r-cran-openssl into bionic-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/r-cran-
openssl/1.0.1-1ubuntu1.1 in a few hours, and then in the -proposed
repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: r-cran-openssl (Ubuntu Bionic)
Status: New => Fix Committed
** No longer affects: r-cran-openssl (Ubuntu)
** No longer affects: libio-socket-ssl-perl (Ubuntu)
** Tags added: verification-needed verification-needed-bionic
** No longer affects: libnet-ssleay-perl (Ubuntu)
** No longer affects: nova (Ubuntu)
** No longer affects: python2.7 (Ubuntu)
** No longer affects: python-cryptography (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1797386
Title:
[SRU] OpenSSL 1.1.1 to 18.04 LTS
Status in openssl package in Ubuntu:
In Progress
Status in python3.6 package in Ubuntu:
New
Status in python3.7 package in Ubuntu:
New
Status in ruby-openssl package in Ubuntu:
New
Status in ruby2.5 package in Ubuntu:
New
Status in libio-socket-ssl-perl source package in Bionic:
New
Status in libnet-ssleay-perl source package in Bionic:
New
Status in nova source package in Bionic:
New
Status in openssl source package in Bionic:
New
Status in python-cryptography source package in Bionic:
New
Status in python2.7 source package in Bionic:
New
Status in python3.6 source package in Bionic:
New
Status in python3.7 source package in Bionic:
New
Status in r-cran-openssl source package in Bionic:
Fix Committed
Status in ruby-openssl source package in Bionic:
New
Status in ruby2.5 source package in Bionic:
New
Bug description:
[Impact]
* OpenSSL 1.1.1 is an LTS release upstream, which will continue to
receive security support for much longer than 1.1.0 series will.
* OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
be rapidly adopted due to increased set of supported hashes & algoes,
as well as improved handshake [re-]negotiation.
* OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.
* OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
software is sensitive to the negotiation handshake and may either need
patches/improvements or clamp-down to maximum v1.2.
[Test Case]
* Rebuild all reverse dependencies
* Execute autopkg tests for all of them
* Clamp down to TLS v1.2 software that does not support TLS v1.3
(e.g. mongodb)
* Backport TLS v1.3 support patches, where applicable
[Regression Potential]
* Connectivity interop is the biggest issues which will be
unavoidable with introducing TLS v1.3. However, tests on cosmic
demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
negotiate TLS v1.3 without issues.
* Mitigation of discovered connectivity issues will be possible by
clamping down to TLS v1.2 in either server-side or client-side
software or by backporting relevant support fixes
* Notable changes are listed here
https://wiki.openssl.org/index.php/TLS1.3
* Most common connectivity issues so far:
- client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. Solution is client change to set hostname, or to clamp down the client to TLSv1.2.
- session negotiation is different in TLSv1.3, existing client code
may fail to create/negotiate/resume session. Clients need to learn how
to use session callback.
* This update bundles python 3.6 and 3.7 point releases
[Other Info]
* Previous FFe for OpenSSL in 18.10 is at
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092
* TLS v1.3 support in NSS is expected to make it to 18.04 via
security updates
* TLS v1.3 support in GnuTLS is expected to be available in 19.04
* Test OpenSSL is being prepared in
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list