The libio-socket-ssl-perl debdiff includes the following changes to
upstream tests:
(t/ecdhe.t)
+ my $protocol = $to_server->get_sslversion;
+ if ($protocol eq 'TLSv1_3') {
+ # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
+ ok("# SKIP TLSv1.3 doesn't advertize key exchange in a chipher name");
+ } else {
(t/npn.t)
+ SSL_version => 'SSLv23:!TLSv1_3', # NPN does not exist in TLSv1.3
+ #
https://github.com/openssl/openssl/issues/3665
(t/session_ticket.t)
+ # FIXME - add session ticket support for TLS 1.3 too
+ SSL_version => 'SSLv23:!TLSv1_3',
[...]
+# FIXME: TLSv1.3 requires to use SSL_CTX_sess_set_new_cb() by clients instead
+# of SSL_get1_session(). Missing from Net::SSLeay.
Please discuss / account for the impact of these interface changes on
the reverse-dependencies of libio-socket-ssl-perl as part of this SRU.
AFAIK there have not been any specific rebuild etc. tests with the new
version of libio-socket-ssl-perl as part of this transition. There will
be autopkgtest results, which may or may not be comprehensive. If you
expect these autopkgtests to be sufficient guard against regression in
Ubuntu, please document why in the SRU bug. Also please
quantify/characterize the risk of regression to third-party software
deployed on bionic using libio-socket-ssl-perl in the face of these
interface changes, and if you believe that risk of regression is
acceptable, explain why.
Finally, please explain why this SRU introduces a hard-coded build-
dependency (and runtime dependency) on libssl1.1 instead of this being
resolved through shlibdeps or -dev package dependencies.
** Bug watch added: github.com/openssl/openssl/issues #3665
https://github.com/openssl/openssl/issues/3665
** Changed in: libio-socket-ssl-perl (Ubuntu Bionic)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386
Title:
[SRU] OpenSSL 1.1.1 to 18.04 LTS
Status in openssl package in Ubuntu:
In Progress
Status in libio-socket-ssl-perl source package in Bionic:
Incomplete
Status in libnet-ssleay-perl source package in Bionic:
Incomplete
Status in nova source package in Bionic:
New
Status in openssl source package in Bionic:
Fix Committed
Status in python-cryptography source package in Bionic:
Fix Committed
Status in python2.7 source package in Bionic:
Fix Committed
Status in python3.6 source package in Bionic:
Fix Committed
Status in python3.7 source package in Bionic:
New
Status in r-cran-openssl source package in Bionic:
Fix Committed
Status in ruby-openssl source package in Bionic:
Fix Committed
Status in ruby2.5 source package in Bionic:
New
Bug description:
[Impact]
* OpenSSL 1.1.1 is an LTS release upstream, which will continue to
receive security support for much longer than 1.1.0 series will.
* OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
be rapidly adopted due to increased set of supported hashes & algoes,
as well as improved handshake [re-]negotiation.
* OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.
* OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
software is sensitive to the negotiation handshake and may either need
patches/improvements or clamp-down to maximum v1.2.
[Test Case]
* Rebuild all reverse dependencies
* Execute autopkg tests for all of them
* Clamp down to TLS v1.2 software that does not support TLS v1.3
(e.g. mongodb)
* Backport TLS v1.3 support patches, where applicable
[Test cases for the python updates]
python3.7 is a preview in bionic as a non-supported/non-default
version of python3. Passing it's own autopkgtests is sufficient
validation for python3.7. It includes a point release update, with
OpenSSL 1.1.1 compat and features.
python3.6 not only has OpenSSL 1.1.1 compat and features patches, but
also includes a point release update to 3.6.8. It has been part of the
full-archive rebuild and regression analysis. Autopkgtests were
triggered for python3.6 and python3-defaults with regressions already
fixed in the individual packages as appropriate.
python2.7 has the update from .15~rc1 to .15 final, with OpenSSL 1.1.1
compat only. It has been part of the full-archive rebuild and
regression analysis. Autopkgtests were triggered for python2.7 and
python-defaults with regressions already fixed in the individual
packages as appropriate.
The archive rebuilds done, were commulative with OpenJDK 11, OpenSSL 1.1.1
and python point releases as seen in:
http://people.canonical.com/~doko/ftbfs-report/test-rebuild-20181222-bionic.html
http://people.canonical.com/~doko/ftbfs-report/test-rebuild-20181222-test-bionic.html
And analyzed in
https://docs.google.com/spreadsheets/d/1tMIwlwoHH_1h5sbvUbNac6-HIPKi3e0Xr8ebchIOU1A/edit#gid=147857652
[Regression Potential]
* Connectivity interop is the biggest issues which will be
unavoidable with introducing TLS v1.3. However, tests on cosmic
demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
negotiate TLS v1.3 without issues.
* Mitigation of discovered connectivity issues will be possible by
clamping down to TLS v1.2 in either server-side or client-side
software or by backporting relevant support fixes
* Notable changes are listed here
https://wiki.openssl.org/index.php/TLS1.3
* Most common connectivity issues so far:
- client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname.
Solution is client change to set hostname, or to clamp down the client to
TLSv1.2.
- session negotiation is different in TLSv1.3, existing client code
may fail to create/negotiate/resume session. Clients need to learn how
to use session callback.
* This update bundles python 3.6 and 3.7 point releases
[Other Info]
* Previous FFe for OpenSSL in 18.10 is at
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092
* TLS v1.3 support in NSS is expected to make it to 18.04 via
security updates
* TLS v1.3 support in GnuTLS is expected to be available in 19.04
* Test OpenSSL is being prepared in
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473
[Autopkgtest Regressions]
dovecot/armhf - flakey
libnet-ssleay-perl - awaiting sru accept into proposed of
libnet-ssleay-perl and libio-socket-ssl-perl due to fixes and
versioned breaks.
linux* - rebuild testcases passes (for some edge flavours the build
fails in non-ssl portions of the build), ubuntu-regression-suite
testcase fails for a few variants but should have been skipped (in
progress to be fixed in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1823056)
openvswitch/i386 - extremely flakey, errors out or fails mostly
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
