[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2019-03-18 Thread Mathew Hodson
** Tags removed: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709193 Title: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer To manage notifications about this bug go to

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2019-03-15 Thread Timo Aaltonen
there's a new upload for trusty, for bug 1444656 closing this one ** Changed in: gnutls26 (Ubuntu Trusty) Status: Fix Committed => Won't Fix

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2018-01-19 Thread Simon Déziel
Version 2.12.23-12ubuntu2.9 in trusty-proposed introduced regressions in autopkgtests and was marked as verification-failed-trusty. There is no clear way forward and I don't have more time to put into this. As such, would it be possible to drop the package from trusty-proposed, please?

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-12-01 Thread Mathew Hodson
** Bug watch removed: Debian Bug tracker #878253 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878253

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls28 - 3.4.10-4ubuntu1.4 --- gnutls28 (3.4.10-4ubuntu1.4) xenial; urgency=medium * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, which includes TLS1

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-23 Thread Łukasz Zemczak
I see your patch got approved and released in Debian. I would propose syncing it into bb when it opens and then backporting to xenial. I ran an autopkgtest of aria2 without the new gnutls28 and the failure is not present there on armhf, so I'd prefer having it fixed if possible before releasing to

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Simon Déziel
I reported my finding and proposed a patch to aria2 in Debian [1]. Since aria2 has no delta with Debian, I'd like to know what to do from here, assuming that my theory of armhf being too slow is sound. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878253 ** Bug watch added: Debian Bug tra

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Simon Déziel
I've been experimenting with aria2's httpfile test and not having ca-certificates logs an error but that's not fatal. What I think is the problem is that armhf is just too slow to start the python HTTP server which explains the "Exception: [AbstractCommand.cc:869] errorCode=1 Failed to establish c

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Simon Déziel
Julian, that sounds promising as the other arches seem to have ca-certificates installed due to other dependencies which could well explain the armhf-only failure.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Julian Andres Klode
Not the xenial one, that should be fine IIRC (unrelated autopkgtest failures). We ship the same patch in zesty, and Debian ships it in stretch.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Julian Andres Klode
For xenial we should just need to add ca-certificates to the test reps of aria2 to make it work.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Julian Andres Klode
Regarding regressions: I believe that the "soak testing" of the fix in stretch and zesty gives a reasonable indication that this works fine for normal users (or nobody uses it...). There can be regressions of course, but this essentially makes the behaviour of the compat bindings equivalent to the

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Simon Déziel
I couldn't reproduce/address the problems found by autopkgtests so please reject the Trusty/Xenial uploads, thanks.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-10-11 Thread Robie Basak
Driving through with my SRU hat. Regression Potential of "None" or "Low" is unacceptable. Please review https://wiki.ubuntu.com/StableReleaseUpdates#Procedure. How will you test that this doesn't impact protocol negotiation unrelated to this bug (ie. unaffected users)? Is Tyler's comment 34 a -1

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Mathew Hodson
** No longer affects: ssmtp (Ubuntu Trusty) ** No longer affects: ssmtp (Ubuntu Xenial) ** No longer affects: ssmtp (Ubuntu Zesty) ** No longer affects: ssmtp (Ubuntu Artful) ** No longer affects: gnutls26 (Ubuntu Xenial) ** No longer affects: gnutls26 (Ubuntu Zesty) ** No longer affects: gnu

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Tyler Hicks
I agree with juliank's assessment in comment #22. The 2nd Trusty debdiff allows md5 to be used throughout the entire cert chain which is apparently not what Simon intended. I don't think it is the right approach.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Simon Déziel
I see the NM one passes now, thanks for retrying it. The aria2 armhf problem reliably fails though. I guess I'll have to set up a QEMU VM for that arch and manually run the test to see what's going on.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Julian Andres Klode
You can also look at http://people.canonical.com/~ubuntu-archive/pending-sru.html of course, that lists all SRUs in any -proposed suite and mentions regressions in autopkgtest in the left column.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Julian Andres Klode
If you look at http://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#gnutls28 you'll see that aria2 failed on armhf, and network-manager on amd64. network-manager looks like a temporary failure, I just retried that; and aria2 - well, it fails to read CA certifi

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Simon Déziel
@juliank, thanks for the update. I wasn't aware of the autopkgtest failing for some reverse dependencies. Any pointers to those? I'm determined to see this one through, but on Monday ;)

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Julian Andres Klode
@sdeziel we just hurried the zesty one up yesterday to make place for a new SRU in zesty. And now it is weekend, and I'm not sure, but I don't think updates are released during weekends. You could try pinging in #ubuntu-release on Monday.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Julian Andres Klode
@sdeziel One problem here probably being that the updates are stuck due to reverse dependencies failing autopkgtest and you not convincing people that these failures are unrelated. If you don't push hard on that kind of stuff, nothing really happens.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Simon Déziel
The Xenial fix is identical to what went in Artful and Zesty so it shouldn't be subject to any more review. The review was requested to check if the different fix proposed for Trusty was OK.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Tyler Hicks
Ignore my last comment. You were asking about Xenial but it was the Trusty SRU that was blocked on ubuntu-security review.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Tyler Hicks
@sdeziel ubuntu-security was asked to comment on it a few days ago. I've just freed up enough to take a look.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-08 Thread Simon Déziel
It's been a while since the Xenial -proposed package has been successfully validated. Is there anything preventing it from entering -updates?

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-06 Thread Andy Whitcroft
@ubuntu-security -- could we have an opinion on this patch which is enabling %VERIFY_ALLOW_SIGN_RSA_MD5 for trusty. Looking to understand if this is overly broad and therefore a security issue.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-06 Thread Julian Andres Klode
So, I believe the proposed 2nd trusty might accidentally allow MD5 everywhere, when the problem only is root certificates with MD5 self signatures. I believe this might be related: https://gitlab.com/gnutls/gnutls/commit/b93ae1abf1b84fdc094f2474f1b2e4848081810e But I'm not sure if it fixes the is

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-09-06 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls28 - 3.5.6-4ubuntu4.2 --- gnutls28 (3.5.6-4ubuntu4.2) zesty; urgency=medium * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, which includes TLS1.2

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-21 Thread Simon Déziel
On Trusty with 2.12.23-12ubuntu2.9, the sSMTP client would abort the StartTLS connection complaining it didn't support the signature algorithm in use. When validating I used a mail relay with a RSA-SHA256 cert signed by CAcert.org. CAcert.org is (self-signed) RSA-MD5. It turned out that Trusty also

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-18 Thread Simon Déziel
Verified on Zesty with: $ apt-cache policy libgnutls-openssl27:amd64 libgnutls-openssl27: Installed: 3.5.6-4ubuntu4.2 Candidate: 3.5.6-4ubuntu4.2 Version table: *** 3.5.6-4ubuntu4.2 500 500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages 100 /var/lib/dpkg

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-18 Thread Simon Déziel
The trusty-proposed version (2.12.23-12ubuntu2.9) doesn't work and introduces a regression preventing successful TLS/SSL connections. I'll check if there is an easy fix for gnutls26.

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-18 Thread Simon Déziel
Verified on Xenial with: $ apt-cache policy libgnutls-openssl27:amd64 libgnutls-openssl27: Installed: 3.4.10-4ubuntu1.4 Candidate: 3.4.10-4ubuntu1.4 Version table: *** 3.4.10-4ubuntu1.4 500 500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages 100 /var/lib

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-17 Thread Brian Murray
Hello Simon, or anyone else affected, Accepted gnutls28 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.5.6-4ubuntu4.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https:/

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-12 Thread Launchpad Bug Tracker
This bug was fixed in the package gnutls28 - 3.5.8-6ubuntu2 --- gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler: OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority, which includes TLS1.2 sup

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-11 Thread Simon Déziel
** Description changed: + [Impact] + + Applications using GnuTLS OpenSSL compat layer [1] are be unable to use + modern TLS versions (1.1 and 1.2) when relying on the + SSLv23_{client,server}_method functions. + + There is an industry-wide push to use modern TLS versions, see [2] and + [3] for e

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-11 Thread Marc Deslauriers
ACK on the trusty, xenial and zesty debdiffs. Uploaded for processing by the SRU team. Thanks! ** Changed in: gnutls26 (Ubuntu Trusty) Status: Confirmed => In Progress ** Changed in: gnutls28 (Ubuntu Xenial) Status: Confirmed => In Progress ** Changed in: gnutls28 (Ubuntu Zesty)

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-11 Thread Marc Deslauriers
ACK on the artful debdiff. I've uploaded it now with a slight adjustment to put the bug numbers in the patch tags. Thanks! ** Changed in: gnutls28 (Ubuntu Artful) Status: Confirmed => Fix Committed

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-11 Thread Marc Deslauriers
** Also affects: ssmtp (Ubuntu Artful) Importance: Undecided Status: Invalid ** Also affects: gnutls26 (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: gnutls28 (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: ssmtp (Ubuntu Trusty

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-10 Thread Bug Watch Updater
** Changed in: gnutls28 (Debian) Status: Unknown => Fix Released

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-10 Thread Simon Déziel
** Patch added: "lp1709193-17.04.debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4930181/+files/lp1709193-17.04.debdiff ** Also affects: gnutls26 (Ubuntu) Importance: Undecided Status: New

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-10 Thread Simon Déziel
** Patch added: "lp1709193-14.04.debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1709193/+attachment/4930182/+files/lp1709193-14.04.debdiff

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-09 Thread Simon Déziel
** Patch added: "lp1709193-17.10.debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4929799/+files/lp1709193-17.10.debdiff

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-09 Thread Ubuntu Foundations Team Bug Bot
The attachment "lp1709193-16.04.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, an

[Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-09 Thread Simon Déziel
I'm attaching a debdiff for gnutls28 from Xenial. It worked in my tests to have ssmtp use TLSv1.2. I'll try to provide a debdiff for Artful as well. ** Patch added: "lp1709193-16.04.debdiff" https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4929787/+files/lp1709193-1