This new TLS 1.2 support does not seem to be reflected in Apache2 on 12.04 LTS. It's all well and good that OpenSSL may now be running 1.0.1, but it does not look as though apache has been recompiled against it, and so it is still stuck with only TLS 1.0, which is vulnerable to the BEAST attack, thereby making anyone running a webserver on this release PCI non-compliant.
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1256576

Title:
  Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The long term support version of Ubuntu 12.04 provides OpenSSL 1.0.0. A wireshark trace shows the version of OpenSSL used by Ubuntu does not support TLS 1.2.

  According to the change logs, TLS 1.2 support was added 14 March 2012. The change log can be found at http://www.openssl.org/news/changelog.html, and the TLS additions can be found under the heading "Changes between 1.0.0h and 1.0.1".

  $ ldd /usr/lib/x86_64-linux-gnu/libssl.so
  linux-vdso.so.1 => (0x00007fffd9d84000)
  libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1e0691e000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e0655e000)
  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1e06359000)
  libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1e06142000)
  /lib64/ld-linux-x86-64.so.2 (0x00007f1e06f6d000)

  ***********

  OpenSSL 1.0.1 is compatible with 1.0.0. From the OpenSSL FAQ (http://www.openssl.org/support/faq.html):

  8. How does the versioning scheme work?

  After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter releases (e.g. 1.0.1a) can only contain bug and security fixes and no new features. Minor releases change the last number (e.g. 1.0.2) and can contain new features that retain binary compatibility. Changes to the middle number are considered major releases and neither source nor binary compatibility is guaranteed.

  **********

  By the way, it's nearly impossible to file a bug report through the launch pad. The maze that's been created is impossible to navigate, and it's worse than one of those phone menu systems. I had to look up the URL to file at http://www.cryptopp.com/wiki/Talk:Linux. Great job to the designers of the system. It's probably the same idiots who thought a tablet manager was a great idea on the desktop.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576/+subscriptions
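The bug description relies on a Wireshark trace to show which protocol version the server selects. As an added example (not part of the original report, and not OpenSSL or Launchpad code), the following reads the selected version out of a captured ServerHello record; the function names are hypothetical and the sample records are constructed.

```python
import struct

# Protocol version codes as they appear on the wire (major, minor).
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE = 0x16     # record content type
SERVER_HELLO = 0x02  # handshake message type


def server_hello_version(record: bytes) -> str:
    """Return the version a server selected in its ServerHello.

    Applies to TLS 1.2 and earlier, where the server_version field of
    the ServerHello is the negotiated version.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 6:
        raise ValueError("truncated handshake record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # body[1:4] is the 3-byte handshake length; server_version follows it.
    version = (body[4], body[5])
    return VERSIONS.get(version, "unknown 0x%02x%02x" % version)


def supports_tls12(record: bytes) -> bool:
    """True if the server answered a TLS 1.2 offer with TLS 1.2."""
    return server_hello_version(record) == "TLS 1.2"


def make_sample(minor: int) -> bytes:
    """Constructed ServerHello record (zero random, empty session id)."""
    hello = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, minor]) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for minor in (1, 3):
        print(server_hello_version(make_sample(minor)))
```

A server that answers a TLS 1.2 ClientHello with the first sample is limited to TLS 1.0, whatever library version is installed on disk.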

