[openssl3] please sync openssl.cnf to ease changing security level

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package openssl - 3.0.3-5ubuntu2

---------------
openssl (3.0.3-5ubuntu2) kinetic; urgency=medium

  * d/p/Set-systemwide-default-settings-for-libssl-users: don't comment out
    the CipherString string to avoid an empty section.

 -- Simon Chopin <email address hidden> Tue, 31 May 2022 13:02:15 +0200

Hello Oibaf, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

It looks like it failed to build...
Any reason not to backport 3.0.3-5ubuntu2 from kinetic?

Hello Oibaf, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I updated the ssl packages to 3.0.2-0ubuntu1.4, and confirmed the updated openssl.cnf with the new directives:

--- ssl-orig/openssl.cnf 2022-03-16 09:35:51.000000000 +0100
+++ ssl/openssl.cnf 2022-06-09 13:20:55.000000000 +0200
@@ -52,6 +52,7 @@ tsa_policy3 = 1.2.3.4.5.7

 [openssl_init]
 providers = provider_sect
+ssl_conf = ssl_sect

 # List of providers to load
 [provider_sect]
@@ -388,3 +389,9 @@ oldcert = $insta::certout # insta.cert.p
 # Certificate revocation
 cmd = rr
 oldcert = $insta::certout # insta.cert.pem
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+CipherString = DEFAULT:@SECLEVEL=2

Just to confirm, on a fresh LXC Jammy container:

root@rational-polliwog:~# dpkg -l openssl | tail -n 1
ii openssl 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
root@rational-polliwog:~# grep SECLEVEL /etc/ssl/openssl.cnf
CipherString = DEFAULT:@SECLEVEL=2
root@rational-polliwog:~# openssl ciphers -v -s | wc -l
30
root@rational-polliwog:~# sed -i s/SECLEVEL=2/SECLEVEL=3/ /etc/ssl/openssl.cnf
root@rational-polliwog:~# openssl ciphers -v -s | wc -l
24

This bug was fixed in the package openssl - 3.0.2-0ubuntu1.4

---------------
openssl (3.0.2-0ubuntu1.4) jammy; urgency=medium

  * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)

openssl (3.0.2-0ubuntu1.3) jammy; urgency=medium

  * d/p/lp1974037/*: cherry-pick another patchset to fix regressions with the
    previous lp1974037 one (LP: #1974037)
  * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on
    Ubuntu to make it easier for user to change security level (LP: #1972056)
  * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
    trigger the underlying bug (LP: #1947588)

 -- Simon Chopin <email address hidden> Thu, 09 Jun 2022 13:20:55 +0200

The verification of the Stable Release Update for openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.