[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Mark Pruett
Thomas and Marc, thanks for the guidance and time spent here. :)

I'll look into the SRU process.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2003903

Title:
  [BPO] openssl/3.0.5-2ubuntu2 from kinetic

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Humbly requesting backporting OpenSSL 3.0.5-2ubuntu2 from kinetic to
  jammy.

  [Impact]

  From the OpenSSL 3.0 migration guide:
  (https://www.openssl.org/docs/man3.0/man7/migration_guide.html)

  "Secure renegotiation is now required by default for TLS connections

  Support for RFC 5746 secure renegotiation is now required by default
  for SSL or TLS connections to succeed. Applications that require the
  ability to connect to legacy peers will need to explicitly set
  SSL_OP_LEGACY_SERVER_CONNECT. Accordingly,
  SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL."

  

  OpenSSL 3.0.2 doesn't allow you to enable UnsafeLegacyServerConnect in
  the openssl.cnf file. The OpenSSL team documented this option but
  forgot to implement it
  (https://github.com/openssl/openssl/pull/18296).

  Users are recommending enabling UnsafeLegacyRenegotiation (see
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32)
  (see more examples in "Other Info")

  When this is enabled, it makes OpenSSL 3 less secure than 1.1.1 (which
  is what the previous LTS, Focal, uses).

  Backporting the newer OpenSSL 3.0.5 would allow users to enable
  UnsafeLegacyConnect, while keeping UnsafeLegacyRenegotiation disabled.

  [Scope]

  Backport OpenSSL 3.0.5-2ubuntu2 from kinetic

  Backport to jammy

  [Other Info]
  Other places where users are recommending enabling UnsafeLegacyRenegotiation:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/6
  https://ubuntuforums.org/showthread.php?t=2474436=14094091#post14094091
  https://www.reddit.com/r/Ubuntu/comments/ufalf4/cannot_connect_to_eduroam_since_2204_update/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2003903/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
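The bug description above contrasts two openssl.cnf options that users conflate. The following excerpt is an added illustration, not text from the bug or Ubuntu's shipped openssl.cnf; the section chain (openssl_init, ssl_sect, system_default_sect) is assumed to match the layout Ubuntu's file uses.

```ini
# /etc/ssl/openssl.cnf (constructed excerpt, not Ubuntu's packaged file).
# OpenSSL 3.0 requires RFC 5746 secure renegotiation by default. The two
# "Options" keywords below both relax that, but they are not equivalent.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2

# WEAK: the workaround circulating in the linked threads. This maps to
# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION and re-enables insecure
# renegotiation host-wide, for every OpenSSL client AND server that loads
# this file, reopening the renegotiation weakness RFC 5746 exists to close.
# It is left commented out here deliberately.
#Options = UnsafeLegacyRenegotiation

# PREFERRED: maps to SSL_OP_LEGACY_SERVER_CONNECT. It only affects OpenSSL
# acting as a client and only permits connecting to a server that lacks the
# renegotiation_info extension; servers on this host still refuse unpatched
# clients. Caveat from the bug: on 3.0.2 (jammy) the keyword is documented
# but not implemented (openssl/openssl PR 18296), so it is silently ignored;
# it takes effect from 3.0.5 or once the fix is applied via SRU.
Options = UnsafeLegacyServerConnect
```

Scope the setting as narrowly as possible: if only one application needs the legacy peer, set SSL_OP_LEGACY_SERVER_CONNECT in that application rather than in the system-wide file.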


[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Thomas Ward
I've discussed this with mapreri who is another person on the
backporters team.

Given the API/ABI changes that happen during OpenSSL microreleases that
break package integrations AND that this will add a security delta
(-backports doesn't receive Security Team support, so if they change and
patch a CVE in -security or -updates it remains unpatched in -backports,
which introduces a significant Security risk).

Additionally, if it's only 3 or 4 commits to fix
SSL_OP_LEGACY_SERVER_CONNECT then you need to follow the SRU process,
not the Backports process.

Rejecting this backport as "Won't Fix" due to the aforementioned
reasons.  Additionally, the Backporters Team are going to blacklist
`openssl` for backport requests unless it comes from Security at this
time.

** Changed in: openssl (Ubuntu)
   Status: New => Won't Fix



[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Marc Deslauriers
Minor OpenSSL releases have historically introduced a whole lot of
behaviour and API changes that required fixing dozens of other packages
in the archive. I don't recommend putting 3.0.5 in backports.

What I suggest is to actually SRU the 3-4 commits that fix
SSL_OP_LEGACY_SERVER_CONNECT to the version currently in Jammy.



[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Thomas Ward
Mark, are you asking this to be backported in -backports or in -updates
and -security?  This is one of the packages that if we do this in
-backports any security patches applied by the Security team for OpenSSL
in -security and -updates would be ignored with the higher version of
this in -backports.



[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Thomas Ward
OpenSSL is one of those tricky things out there I would like to get a
Security insight for before we do any kind of backporting of it.
There's other things this could impact, backports or not.
