The libssl1.1 version 1.1.1-1ubuntu2.1~18.04.1 breaks the salt package,
version 2017.7.4+dfsg1-1:

root@server:~# salt-key -L
Error: unknown error (_ssl.c:2788)

root@server:~# salt --versions-report
Traceback (most recent call last):
  File "/usr/bin/salt", line 10, in <module>
    salt_main()
  File "/usr/lib/python3/dist-packages/salt/scripts.py", line 476, in salt_main
    client.run()
  File "/usr/lib/python3/dist-packages/salt/cli/salt.py", line 33, in run
    import salt.client
  File "/usr/lib/python3/dist-packages/salt/client/__init__.py", line 31, in <module>
    import salt.cache
  File "/usr/lib/python3/dist-packages/salt/cache/__init__.py", line 18, in <module>
    import salt.loader
  File "/usr/lib/python3/dist-packages/salt/loader.py", line 26, in <module>
    import salt.utils.event
  File "/usr/lib/python3/dist-packages/salt/utils/event.py", line 70, in <module>
    import tornado.iostream
  File "/usr/lib/python3/dist-packages/tornado/iostream.py", line 40, in <module>
    from tornado.netutil import ssl_wrap_socket, ssl_match_hostname, SSLCertificateError, _client_ssl_defaults, _server_ssl_defaults
  File "/usr/lib/python3/dist-packages/tornado/netutil.py", line 57, in <module>
    ssl.Purpose.SERVER_AUTH)
  File "/usr/lib/python3.6/ssl.py", line 502, in create_default_context
    context = SSLContext(PROTOCOL_TLS)
  File "/usr/lib/python3.6/ssl.py", line 391, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: unknown error (_ssl.c:2788)

It seems to be python3.6 that is impacted.

Regards.

** Also affects: salt (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in salt package in Ubuntu:
  New
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Fix Committed
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New
Status in salt source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to an increased set of supported hashes and
  algorithms, as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Test cases for the python updates]

  python3.7 is a preview in bionic as a non-supported/non-default
  version of python3. Passing its own autopkgtests is sufficient
  validation for python3.7. It includes a point release update, with
  OpenSSL 1.1.1 compat and features.

  python3.6 not only has OpenSSL 1.1.1 compat and features patches, but
  also includes a point release update to 3.6.8. It has been part of the
  full-archive rebuild and regression analysis. Autopkgtests were
  triggered for python3.6 and python3-defaults with regressions already
  fixed in the individual packages as appropriate.

  python2.7 has the update from .15~rc1 to .15 final, with OpenSSL 1.1.1
  compat only. It has been part of the full-archive rebuild and
  regression analysis. Autopkgtests were triggered for python2.7 and
  python-defaults with regressions already fixed in the individual
  packages as appropriate.

  [Regression Potential]

   * Connectivity interoperability is the biggest issue, and it will be
  unavoidable when introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname.
  Solution is client change to set hostname, or to clamp down the client to
  TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

  [Autopkgtest Regressions]

  dovecot/armhf - flaky

  libnet-ssleay-perl - awaiting sru accept into proposed of
  libnet-ssleay-perl and libio-socket-ssl-perl due to fixes and
  versioned breaks.

  linux* - rebuild testcases passes (for some edge flavours the build
  fails in non-ssl portions of the build), ubuntu-regression-suite
  testcase fails for a few variants but should have been skipped (in
  progress to be fixed in
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1823056)

  openvswitch/i386 - extremely flaky, errors out or fails mostly

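The failing call in the salt traceback is plain `ssl.SSLContext(PROTOCOL_TLS)`, and the bug's two suggested mitigations for TLS v1.3 interop problems are "set the hostname" and "clamp the client to TLS v1.2". The following is an added diagnostic, not code from the bug report, from Salt or from the Ubuntu openssl/python packages: it reproduces that context creation and reports which libssl the interpreter actually loaded, builds a client context that is either left at the OpenSSL default or clamped to TLS 1.2, and makes the missing-SNI mistake fail before a socket is opened. It assumes Python 3.7 or newer (for `ssl.TLSVersion` and `ssl.HAS_TLSv1_3`) linked against OpenSSL 1.1.0g or newer; the function names are ours.

```python
"""Python-side checks for an OpenSSL 1.1.1 rollout (added example).

Assumes Python >= 3.7 (ssl.TLSVersion, ssl.HAS_TLSv1_3) on OpenSSL >= 1.1.0g.
"""
import ssl


def probe_ssl_module():
    """Repeat the first step of ssl.create_default_context() and report the
    OpenSSL the running interpreter is linked against.

    On a host whose python3 was built against 1.1.0 headers but now loads
    libssl 1.1.1, the SSLContext() call below is what raises
    'ssl.SSLError: unknown error (_ssl.c:...)', exactly as in the salt
    traceback.  Everything is returned rather than printed so it can be
    asserted on.
    """
    report = {
        "openssl_runtime": ssl.OPENSSL_VERSION,            # e.g. 'OpenSSL 1.1.1 11 Sep 2018'
        "openssl_version_info": ssl.OPENSSL_VERSION_INFO,  # (major, minor, fix, patch, status)
        "tls13_available": getattr(ssl, "HAS_TLSv1_3", False),
        "context_ok": False,
        "error": None,
    }
    try:
        # Same constructor the traceback shows; PROTOCOL_TLS is the
        # auto-negotiating protocol, deprecated in newer Pythons but valid.
        ssl.SSLContext(ssl.PROTOCOL_TLS)
        report["context_ok"] = True
    except ssl.SSLError as exc:  # the 1.1.0-headers-vs-1.1.1-runtime failure mode
        report["error"] = str(exc)
    return report


def make_client_context(max_tls12=False):
    """Verifying client context with a floor of TLS 1.2.

    With max_tls12=True the context is clamped so TLS 1.3 is never offered,
    which is the interim mitigation the SRU text proposes for peers that
    misbehave during the 1.3 handshake.  Certificate and hostname checking
    stay enabled either way.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # never fall back to 1.0/1.1
    if max_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # clamp: 1.3 is not negotiated
    return ctx


def connect_kwargs(ctx, server_hostname):
    """Keyword arguments for ctx.wrap_socket(), checked up front.

    The SNI pitfall named in the bug is a verifying client that never tells
    the library which hostname it is connecting to.  Python would reject
    wrap_socket() without server_hostname when check_hostname is on, but
    only once a socket exists; failing here keeps the error next to the
    configuration that caused it.
    """
    if ctx.check_hostname and not server_hostname:
        raise ValueError("check_hostname is enabled but no server_hostname was given")
    return {"server_hostname": server_hostname}


if __name__ == "__main__":
    for key, value in probe_ssl_module().items():
        print(f"{key}: {value}")
    clamped = make_client_context(max_tls12=True)
    print("clamped max version:", clamped.maximum_version.name)
    print("wrap kwargs:", connect_kwargs(clamped, "example.org"))
```

Run it on the affected host before and after installing the openssl and python3.6 updates: `context_ok` flips to true once the interpreter and libssl agree, and `tls13_available` shows whether the clamp is even relevant for that interpreter.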
-- 
Mailing list: https://launchpad.net/~touch-packages