Heads up: OpenSSL3 transition
Sergio Durigan Junior
sergiodj at ubuntu.com
Fri Nov 19 17:54:22 UTC 2021
On Wednesday, November 17 2021, Simon Chopin wrote:
> Hi all,
Hey Simon,
Thanks for your work on this, BTW. Much appreciated :-).
> You might have noticed that the OpenSSL 3 transition was supposed to get
> started a couple of weeks ago. As usual with these things, it slipped
> away as there were some issues with packages in main that needed to be
> resolved first. Now that it's mostly sorted out, I'm planning on (asking
> nicely someone to) upload the new version of OpenSSL later this week or
> early next week, unless someone raises an objection?
I'd like to raise something. I apologize for sending this message on
such short notice.
I am working on net-snmp, squid and a few other packages during this
transition, and I am feeling concerned with how uncomfortable some of
our upstreams seem to be regarding their patches to support OpenSSL 3.
I can mention a few cases here.
net-snmp has a patch to support OpenSSL 3 in theory, but they are still
discussing a few details here:
https://github.com/net-snmp/net-snmp/issues/294. It seems like they
have sorted out most of the issues so far, which is good, but I'm still
not 100% confident in backporting their patch yet.
squid has an open pull request with a bunch of changes needed to support
OpenSSL 3. The patches backport and build OK on Jammy, but upstream is
still looking for more reviewers/testers before they merge the PR. I
decided to run some tests here and give them some feedback, and one of
the things I wanted to do was to run autopkgtest with their patches
applied. That led me to the discovery that apache2's mod-ssl doesn't
work with OpenSSL 3 either, so I filed a bug for it.
apache2 also has an open PR to implement OpenSSL 3 support for the 2.4.x
series. They've apparently found a regression on OpenSSL while testing
things in Fedora (https://github.com/openssl/openssl/issues/15946), and
I found the following thread which is an interesting read:
https://www.mail-archive.com/dev@httpd.apache.org/msg75615.html
While it should be possible to backport the upstream patches and make
things build, I'm not entirely sure if this is the right way forward
here. I don't want to suggest that we postpone anything, but I thought
it would be good to raise these issues here.
Thanks,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14