On Tue, 12 Mar 2019 at 19:35, Seth Arnold <[email protected]> wrote:
>
> On Tue, Mar 12, 2019 at 04:05:45PM -0000, Dimitri John Ledkov wrote:
> > defaults. And all of them however have committed to drop support for
> > those in 2020. My expectation is to follow suit, and set default
> > security level to 2, and require TLS1.2 shortly after 19.10 release.
>
> Can you expand upon this point a bit?
>
> Do you mean we will require tls 1.2 across all our supported releases
> at the same time?
>
> Or do you mean we will require tls 1.2 for 19.10 and newer? Will this be
> done as part of rolling out 19.10 or will we push an update to 19.10 that
> will change behaviour?
>
> Or something else?
>
I mean that, after 19.10 ships, and 20.04 development cycle opens, I will
upload openssl which sets compiled in TLS security default to value 2, and
sets minimum TLS 1.2 into 20.04 series. Clients and servers will be able to
continue to configure lower values via e.g. the SSL_CTX_set_security_level
[1] and so on, to establish less than TLS 1.2 / weaker keys / etc.

That's what my plan is for 20.04. I do not plan to backport this change to
prior releases. Mostly because apps would need to learn how to use
set_security_level etc, which stable software in bionic does not currently
do en masse.

W.r.t. web-browsers, I do expect them to release those changes to their
stable browser on all platforms. It would mean that eventually we'd backport
stable Firefox with that change into bionic. And Google Chrome from Google on
bionic will also drop TLS1.0 and TLS1.1. So a limited exposure to dropping
TLS1.0/1.1 in the clients will be observed in 2020 on Ubuntu 18.04 LTS.

[1] https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html

--
Regards,

Dimitri.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
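As an added illustration (not part of the thread or of Ubuntu's openssl packaging), the following Python shows what "apps would need to learn" looks like in practice: pinning the planned 20.04 policy (security level 2, minimum TLS 1.2) in the application itself rather than inheriting the compiled-in default, plus an audit helper that reports what a context would lose once that default lands. The `@SECLEVEL=` cipher-string suffix is OpenSSL's configuration-side route to the same knob as SSL_CTX_set_security_level; the function names are this example's own.

```python
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
SECLEVEL = 2     # OpenSSL security level, same scale as SSL_CTX_set_security_level()
MIN_BITS = 112   # level 2 refuses anything offering fewer than 112 bits of security


def harden_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Pin the policy in the application so it no longer depends on the
    distro's compiled-in OpenSSL default."""
    ctx.minimum_version = MIN_VERSION
    # Python has no setter for the security level; "@SECLEVEL=n" in the
    # cipher string is how OpenSSL configuration reaches the same setting.
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={SECLEVEL}")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings that would stop working once level 2 / TLS 1.2 is the default.
    An empty list means the context already meets the planned policy."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum_version {ctx.minimum_version.name} < TLSv1_2")
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_BITS]
    if weak:
        findings.append("ciphers under 112-bit strength: " + ", ".join(weak))
    level = getattr(ctx, "security_level", None)  # exposed since Python 3.10
    if level is not None and level < SECLEVEL:
        findings.append(f"security level {level} < {SECLEVEL}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A client context that meets the planned policy explicitly."""
    return harden_context(ssl.create_default_context())


def legacy_client_context():
    """A client that still accepts TLS 1.0 at security level 1, the kind of
    configuration that relies on the old default; returns None when this
    OpenSSL build has no TLS 1.0 support at all."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        return None
    return ctx
```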
