On Mon, 11 Mar 2019 at 21:20, Steve Langasek <steve.langa...@canonical.com> wrote:
>
> Acceptance of openssl currently blocked on coverage of the (distro
> patch) OPENSSL_TLS_SECURITY_LEVEL change as part of the SRU template.
>

In Debian (but never Ubuntu) they have bumped the default security level from 1 to 2. In Ubuntu, we have further decreased the security level from 1 to 0, for connectivity compatibility with openssl 1.0.2. This change was done in cosmic, and is part of this SRU backport.

The reason for the decreased security level is to aid with connectivity compatibility with older Ubuntu LTS releases based on openssl 1.0.2, such that bionic clients can connect to older servers, even if the server uses small keys / md5 / etc.

I do not believe it is possible to set a higher default security level "for servers only". Thus we rely on server/daemon apps to have stronger configuration, large keys, better certs, etc. There are 1.1.0/1.1.1 APIs available to dynamically set higher security levels, which highly active servers are using to increase security levels in servers/daemons.

These changes are documented in the cosmic+ changelog with the following entries:

- Revert "Enable system default config to enforce TLS1.2 as a minimum" & "Increase default security level from 1 to 2".
- Further decrease security level from 1 to 0, for compatibility with openssl 1.0.2.

The migration path to stronger defaults is to be done in 2020. This is in line with major web browsers too. All of them still support weaker defaults. And all of them however have committed to drop support for those in 2020. My expectation is to follow suit, and set the default security level to 2, and require TLS1.2 shortly after the 19.10 release.

For the web browsers' announcements please see these references:

https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
https://security.googleblog.com/2018/10/modernizing-transport-security.html
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

-- 
Regards,

Dimitri.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs