[Bug 1822984] Re: revert tls security level back to 1
This bug was fixed in the package openssl - 1.1.1-1ubuntu2.2

---
openssl (1.1.1-1ubuntu2.2) cosmic; urgency=medium

  * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
    OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898
  * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch to
    revert TLS_SECURITY_LEVEL back to 1. LP: #1822984

 -- Dimitri John Ledkov  Wed, 03 Apr 2019 20:37:01 +0100

** Changed in: openssl (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822984

Title:
  revert tls security level back to 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1822984/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1822984] Re: revert tls security level back to 1
Thanks for the verification! The SRU has some reported autopkgtest
regressions - could you take a look at those?
[Bug 1822984] Re: revert tls security level back to 1
Generated a new weak key and cert and tried to use it with current cosmic's
openssl, and it succeeded:

# openssl genrsa -des3 -out myCA.key 600
# openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
# openssl s_server -cert myCA.pem -key myCA.key -WWW
# wget --ca-certificate myCA.pem https://localhost:4433
--2019-04-11 16:18:41--  https://localhost:4433/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:4433... connected.
HTTP request sent, awaiting response... 200 ok
Length: unspecified [text/plain]
Saving to: 'index.html.2'

index.html.2            [ <=>                ]     237  --.-KB/s    in 0s

2019-04-11 16:18:41 (15.6 MB/s) - 'index.html.2' saved [237]

# dpkg -l | grep libssl
ii  libssl1.1:amd64   1.1.1-1ubuntu2

Upgraded to:

# dpkg -l | grep libssl
ii  libssl1.1:amd64   1.1.1-1ubuntu2.2

And now wget fails with a "too small key" error, whilst the s_server is
still running:

# wget --ca-certificate myCA.pem https://localhost:4433
--2019-04-11 16:20:09--  https://localhost:4433/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:4433... connected.
ERROR: cannot verify localhost's certificate, issued by 'CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU':
  EE certificate key too weak
To connect to localhost insecurely, use `--no-check-certificate'.

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done verification-done-cosmic
[Bug 1822984] Re: revert tls security level back to 1
Hello Dimitri, or anyone else affected,

Accepted openssl into cosmic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: openssl (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-cosmic
[Bug 1822984] Re: revert tls security level back to 1
This bug was fixed in the package openssl - 1.1.1b-1ubuntu2

---
openssl (1.1.1b-1ubuntu2) disco; urgency=medium

  * debian/rules: Ship openssl.cnf in libssl1.1-udeb, as required to use
    OpenSSL by other udebs, e.g. wget-udeb. LP: #1822898
  * Drop debian/patches/UBUNTU-lower-tls-security-level-for-compat.patch to
    revert TLS_SECURITY_LEVEL back to 1. LP: #1822984

 -- Dimitri John Ledkov  Wed, 03 Apr 2019 11:50:23 +0100

** Changed in: openssl (Ubuntu Disco)
       Status: Fix Committed => Fix Released
[Bug 1822984] Re: revert tls security level back to 1
** Changed in: openssl (Ubuntu Cosmic)
       Status: New => In Progress
[Bug 1822984] Re: revert tls security level back to 1
But equally, I would not want to keep cosmic more insecure than what
bionic and disco will be. And currently, cosmic is a release regression
w.r.t. bionic GA. Upgrading to newer releases should not result in
looser acceptance of insecure protocols.

** Description changed:

  [Impact]

   * increase minimum default tls security level from 0 to 1, as is the
  default upstream

  [Test Case]

   * generate 80bits TLS certificate and attempt to use it
   * with prior openssl it should work, but with this update it should
  fail

  [Regression Potential]

   * This increases the minimum required certificate/keys sizes and
  algorithms, back to what Bionic GA openssl 1.1.0 shipped as. It also
  now will match upstream default. It is still lower than Debian's
  default that raises it to 2 by default.
+
+  * Cosmic GA shipped with TLS_SECURITY_LEVEL 0, meaning pretty much any
+ weak keys were accepted. With this change keys lower than 112 will be
+ rejected, which are considered to be too weak to be useful by most CAs
+ out there.
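Added example, written for this page (a Python model, not OpenSSL's or Ubuntu's code), of how a TLS security level turns a certificate key size into an accept/reject decision: it serves both the 600-bit RSA key from the verification run above and the level 0 to 1 change in the description, using the same thresholds OpenSSL applies (BN_security_bits sizes, 80 bits at level 1, 112 at Debian's level 2). The function names, the key-type labels and the scenario values are my own.

```python
# Model of OpenSSL TLS security-level key checks (a reimplementation for
# illustration, not OpenSSL's own code).

# Minimum security bits a key must provide at each level; level 0 has no
# minimum, level 1 is the upstream default, level 2 is Debian's default.
LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

def rsa_security_bits(modulus_bits: int) -> int:
    """Security bits OpenSSL credits to an RSA/DSA/DH modulus (same
    thresholds as BN_security_bits when no subgroup size is given)."""
    for threshold, bits in ((15360, 256), (7680, 192), (3072, 128),
                            (2048, 112), (1024, 80)):
        if modulus_bits >= threshold:
            return bits
    return 0  # below 1024 bits counts as no security at all

def ec_security_bits(curve_order_bits: int) -> int:
    """EC keys are credited half the curve order size (P-256 -> 128)."""
    return curve_order_bits // 2

def check_key(key_type: str, key_bits: int, level: int) -> tuple:
    """Return (accepted, reason) for a certificate key at a security level;
    the reason mirrors the 'EE certificate key too weak' error wget shows."""
    needed = LEVEL_MIN_BITS[level]  # KeyError for an unknown level
    if key_type in ("rsa", "dsa", "dh"):
        secbits = rsa_security_bits(key_bits)
    elif key_type == "ec":
        secbits = ec_security_bits(key_bits)
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if secbits < needed:
        return False, (f"EE certificate key too weak: {key_bits}-bit {key_type} "
                       f"gives {secbits} security bits, level {level} needs {needed}")
    return True, f"accepted: {secbits} security bits >= {needed}"

def min_rsa_bits(level: int) -> int:
    """Smallest standard RSA modulus that passes the level (0 = no minimum)."""
    needed = LEVEL_MIN_BITS[level]
    if needed == 0:
        return 0
    return next(m for m in (1024, 2048, 3072, 7680, 15360)
                if rsa_security_bits(m) >= needed)

if __name__ == "__main__":
    # Constructed scenario from the verification comment: a 600-bit RSA key
    # checked at level 0 (cosmic GA), level 1 (this SRU) and level 2 (Debian).
    for level in (0, 1, 2):
        accepted, reason = check_key("rsa", 600, level)
        print(f"level {level}: {'OK  ' if accepted else 'FAIL'} {reason}")
```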
[Bug 1822984] Re: revert tls security level back to 1
The patch was added by Dimitri in cosmic to restore compatibility with
older and less secure TLS implementations using weak keys. However,
bionic shipped without compatibility with those less secure keys, and we
are unaware of any complaints about this change in bionic.

This distro patch to lower the security baseline of openssl 1.1 was
being introduced in SRU to bionic as part of the openssl 1.1.1 backport,
and I rejected that upload after discussion with the security team,
because it is not justifiable for the SRU to *lower* the security
baseline in SRU without specific reports of breakage. And since the
protocol baseline in bionic is incompatible with those servers, there is
no reason for newer non-LTS releases to be compatible with them. Hence,
dropping the patch for devel is, I believe, obviously correct.

SRUing that same change to cosmic is not as obviously correct since it
carries some risk of regression vs. the state of cosmic at time of
release.
[Bug 1822984] Re: revert tls security level back to 1
Looks like someone else accepted with this question still pending...
still would appreciate an answer.
[Bug 1822984] Re: revert tls security level back to 1
That regression potential doesn't really describe what might regress...
I think it could be improved.

Since you asked me to review, can you give a bit more context for the
change please? Why did we have the patch before and why can it be
removed now?
[Bug 1822984] Re: revert tls security level back to 1
** Changed in: openssl (Ubuntu Disco)
       Status: New => Fix Committed