The patch was added by Dimitri in cosmic to restore compatibility with older and less secure TLS implementations using weak keys. However, bionic shipped without compatibility with those less secure keys, and we are unaware of any complaints about this change in bionic. This distro patch to lower the security baseline of openssl 1.1 was being introduced in SRU to bionic as part of the openssl 1.1.1 backport, and I rejected that upload after discussion with the security team, because it is not justifiable for the SRU to *lower* the security baseline in SRU without specific reports of breakage.
And since the protocol baseline in bionic is incompatible with those servers, there is no reason for newer non-LTS releases to be compatible with them. Hence, dropping the patch for devel is, I believe, obviously correct. SRUing that same change to cosmic is not as obviously correct since it carries some risk of regression vs. the state of cosmic at time of release. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1822984 Title: revert tls security level back to 1 Status in openssl package in Ubuntu: Fix Committed Status in openssl source package in Cosmic: New Status in openssl source package in Disco: Fix Committed Bug description: [Impact] * increase minimum default tls security level from 0 to 1, as is the default upstream [Test Case] * generate 80bits TLS certificate and attempt to use it * with prior openssl it should work, but with this update it should fail [Regression Potential] * This increases the minimum required certificate/keys sizes and algorithms, back to what Bionic GA openssl 1.1.0 shipped as. It also now will match upstream default. It is still lower than Debian's default that raises it to 2 by default. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1822984/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
