[FFe] openssl 1.1.1

Bug #1793092 reported by Dimitri John Ledkov. This bug affects 3 people.

Affects              Status        Importance  Assigned to  Milestone
openssl (Ubuntu)     Fix Released  Undecided   Unassigned   -
python2.7 (Ubuntu)   Fix Released  Undecided   Unassigned   -
python3.6 (Ubuntu)   Fix Released  Undecided   Unassigned   -

Bug Description

Merge openssl 1.1.1 from debian unstable.

OpenSSL 1.1.1 is now out, with TLS1.3 support, and is the new upstream LTS release.

Resulting in the following changes in Ubuntu:

- openssl moves from 1.1.0 series to 1.1.1 LTS series

- TLS1.3 is enabled, and used by default, when possible. Major feature.

- All existing delta, and minimally accepted key sizes, and minimally accepted protocol versions remain the same.

Proposed package is in https://launchpad.net/~xnox/+archive/ubuntu/openssl with a rebuild of all the reverse dependencies. It demonstrates that openssl compiled as above is more compatible and has fewer issues than the debian config. There are a few FTBFS, which are also present in cosmic-release; there are some test-suite expectation mismatches (connectivity succeeds with tls1.3 even though lower/different algos are expected); there are very few connectivity tests, thus connectivity interop is the biggest issue, which will be unavoidable when introducing 1.3.

===

Ubuntu delta summary versus debian unstable in this merge:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
  + Display a system restart required notification on libssl1.1
    upgrade on servers.
  + Use a different priority for libssl1.1/restart-services depending
    on whether a desktop, or server dist-upgrade is being performed.
- Revert "Enable system default config to enforce TLS1.2 as a
  minimum" & "Increase default security level from 1 to 2".
- Further decrease security level from 1 to 0, for compatibility with
  openssl 1.0.2.

These mitigate most of the runtime incompatibilities, and ensure client<->server compatibility between 1.1.1, 1.1.0, and 1.0.2 series and thus one can continue to mix & match xenial/bionic/cosmic releases.

tags: added: needs-debian-merge upgrade-software-version
Marc Deslauriers (mdeslaur) wrote:

Big ACK from the security team. We would like to see this backported into bionic at some point and having it in cosmic first would allow us to identify and fix any issues.

description: updated
Steve Langasek (vorlon) wrote:

Please express the FFe in terms of what will change relative to the current Ubuntu package, not relative to the Debian package.

Changed in openssl (Ubuntu):
status: New → Incomplete
description: updated
Changed in openssl (Ubuntu):
status: Incomplete → New
Dimitri John Ledkov (xnox) wrote:

@steve updated. Ping?

Steve Langasek (vorlon) wrote:

+1 on this FFe based on the analysis provided. I do not consider interoperability issues a reason not to turn on TLS1.3 in FFe; it will eventually be turned on and expose those issues, and whether it happens post-FF or before FF in 18.10, or post 18.10 release, is immaterial.

Changed in openssl (Ubuntu):
status: New → Confirmed
tags: added: block-proposed
Dimitri John Ledkov (xnox) wrote:

Pythons appear to hardcode the expectations relative to the openssl they were built with, despite not gaining a >= 1.1.1 shlibsdep; somehow it ends up with >= 1.1.0 only.

Dimitri John Ledkov (xnox) wrote:

ruby2.5, ruby-openssl, and python3.7 correctly gain a stronger dep on libssl1.1 >= 1.1.1.

python2.7 and python3.6 still need more patches to pick up https://bugs.python.org/issue34670

no longer affects: ruby2.5 (Ubuntu)
no longer affects: python3.7 (Ubuntu)
Łukasz Zemczak (sil2100) wrote:

Based on the comment from Steve this is approved, so switching status to Triaged.

Changed in openssl (Ubuntu):
status: Confirmed → Triaged
Łukasz Zemczak (sil2100) wrote:

Switching the other tasks to Triaged as well since those changes are required for the base 1.1.1 feature to be completed.

Changed in python2.7 (Ubuntu):
status: New → Triaged
Changed in python3.6 (Ubuntu):
status: New → Triaged
Dimitri John Ledkov (xnox) wrote:

Should hopefully land today... here be dragons

tags: removed: block-proposed needs-debian-merge
tags: added: block-proposed
tags: removed: block-proposed
Changed in openssl (Ubuntu):
status: Triaged → Fix Committed
Changed in python2.7 (Ubuntu):
status: Triaged → Fix Committed
Changed in python3.6 (Ubuntu):
status: Triaged → Fix Committed
Jeremy Bícha (jbicha) wrote:

Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released
Changed in python2.7 (Ubuntu):
status: Fix Committed → Fix Released
Changed in python3.6 (Ubuntu):
status: Fix Committed → Fix Released
Iain Lane (laney) wrote:

systemd has "+ * Add conflicts with upstart and systemd-shim. (LP: #1793092)", but it's not straightforward to me what is going on here. Could you explain a bit more please?

Dimitri John Ledkov (xnox) wrote:

wrong bug number typo!
