Here is a quick update on this SRU.

Bringing in Apache support is currently not in scope. However, this can
be investigated separately and would most likely look like a
targeted backport of mod_ssl, rather than a full upgrade of all of
apache2. But again only after the OpenSSL 1.1.1 SRU is completed.

It is being investigated whether to bring in OpenSSH compiled against
libcrypto 1.1.1. But again only after the OpenSSL 1.1.1 SRU is complete.

The current goal is to SRU OpenSSL 1.1.1 without causing any regressions
to the dependent packages, which is quite a large task. In practice that
does mean enabling TLS1.3 support in a few packages that are affected by
the new handshake.

As stated, this SRU is being staged at
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473
possibly with a better staging page of the currently expected runtime
regressions as shown at this page:
https://bileto.ubuntu.com/excuses/3473/bionic.html

As you can see there, this upgrade cannot land until after the relevant
python/perl/ruby/R changes are also brought in. The Python stack is mostly
ready now; the others will be quite a bit easier to test and land.

If you can, I do urge you to test the
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473 PPA on
bionic with your workloads to spot breakage, incompatibility, and/or any
unexpected connectivity issues (client<->server protocol negotiation
failures).

My personal goal is to land this in time / well ahead of the next bionic
point release (currently penciled in for 7th February). But this is not
a guarantee or a firm commitment that one can bank on.

I hope this update helps.

https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to an increased set of supported hashes &
  algorithms, as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or be clamped down to a maximum of v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Regression Potential]

   * Connectivity interop is the biggest issue, which will be
  unavoidable when introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes.

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473
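The update above asks testers to run their workloads against the PPA and look for client/server negotiation failures, and the bug description names clamping to TLS v1.2 as the fallback. The following probe is an added example, not code from the bug report or from the openssl package: it connects to a host once with a default client context and once clamped to TLS 1.2, so a failure that appears only in the unclamped run points at the new 1.3 handshake rather than at the network. The host, port and timeout values are assumptions for illustration.

```python
import socket
import ssl

# Constructed example (not from the bug report): probe which TLS version a
# server negotiates with an unclamped client and with a client capped at
# TLS 1.2, the client-side mitigation discussed for software that misbehaves
# on the TLS 1.3 handshake.


def build_context(clamp_to_tls12: bool = False) -> ssl.SSLContext:
    """Default client context; optionally capped at TLS 1.2 (client-side clamp)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never negotiate below 1.2
    if clamp_to_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, port: int = 443, clamp_to_tls12: bool = False,
          timeout: float = 5.0) -> str:
    """Return the negotiated protocol name (e.g. 'TLSv1.3') or 'ERROR: ...'."""
    ctx = build_context(clamp_to_tls12)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() or "unknown"
    except (OSError, ssl.SSLError) as exc:  # refused, timeout, handshake failure
        return f"ERROR: {exc}"


def compare(host: str, port: int = 443) -> dict:
    """Probe unclamped and clamped; an error only in 'default' isolates a
    TLS 1.3 handshake incompatibility from a plain connectivity problem."""
    return {
        "default": probe(host, port, clamp_to_tls12=False),
        "clamped_tls12": probe(host, port, clamp_to_tls12=True),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    for mode, result in compare(target).items():
        print(f"{mode:14s} {result}")
```

Run it against each service a workload talks to; the same clamp can be applied server-side in the server's own TLS configuration when the client cannot be changed.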
