PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1841936-haproxy-openssl

Tested:
a) load dh params from file
b) Test default (without config) size
c) Test config with higher size

Remember, even the broken default config said in the log:
[WARNING] 295/095512 (19391) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear
But that was wrong (as you see above) and even setting so didn't change 
anything at all.

Pre-Fix:
 1024 Warning is shown
 DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)

With Fix:
a) load dh params from file
 NO 1024 Warning is shown
 DH group offered:            Unknown DH group (1024 bits)
 That matches my custom key that I have set
b) Test default (without config) size
 1024 Warning is shown
 DH group offered:            HAProxy (1024 bits)
c) Test config with higher size
 NO 1024 Warning is shown
 DH group offered:            HAProxy (2048 bits)

That finally is as one would expect.
This allows us to fix Disco-Focal and to rebuild the one in Bionic without 
regressing.

I need to modify the SRU Template as it has different regression
statements for those than for Bionic.

And per policy Focal has to be done before the SRUs.
Marking bug tasks accordingly.


** Also affects: haproxy (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: haproxy (Ubuntu Focal)
   Importance: Medium
       Status: Fix Released

** Also affects: haproxy (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: haproxy (Ubuntu Eoan)
       Status: New => Triaged

** Changed in: haproxy (Ubuntu Focal)
       Status: Fix Released => Triaged

** Changed in: haproxy (Ubuntu Disco)
       Status: New => Triaged

** Changed in: haproxy (Ubuntu Bionic)
       Status: In Progress => Triaged

** Changed in: haproxy (Ubuntu Disco)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

** Changed in: haproxy (Ubuntu Eoan)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

** Changed in: haproxy (Ubuntu Focal)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

** Summary changed:

- Rebuild haproxy with openssl 1.1.1 will change features (bionic)
+ Rebuild openssl 1.1.1 to pickup TLSv1.3 (bionic) and unbreak existing builds 
against 1.1.1 (dh key size)

https://bugs.launchpad.net/bugs/1841936

Title:
  Rebuild openssl 1.1.1 to pickup TLSv1.3 (bionic) and unbreak existing
  builds against 1.1.1 (dh key size)
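
Added example (not part of the original bug comment and not HAProxy's own code): a small checker that compares the DH size HAProxy announces or is configured with against the "DH group offered" line a scanner reports, which is the mismatch the pre-fix result above shows. The function names and the 2048-bit floor are assumptions made for this illustration.

```python
import re

# "DH group offered" line in the format quoted in the results above.
DH_LINE = re.compile(r"DH group offered:\s+(?P<name>.+?)\s+\((?P<bits>\d+) bits\)")
# HAProxy startup warning about the implicit default size, as quoted above.
WARN_LINE = re.compile(r"Setting tune\.ssl\.default-dh-param to (?P<bits>\d+) by default")
MIN_BITS = 2048  # assumption: policy floor, the size the warning recommends


def _unwrap(text):
    """Collapse line wrapping added by mail clients or terminals."""
    return " ".join(text.split())


def parse_offer(scan_output):
    """Return (group_name, bits) from scanner output, or None without a DH line."""
    m = DH_LINE.search(_unwrap(scan_output))
    return (m.group("name"), int(m.group("bits"))) if m else None


def check(haproxy_log, scan_output, configured_bits=None):
    """List mismatches between the announced/configured size and the offer.

    configured_bits is the tune.ssl.default-dh-param value, or the size of a
    custom DH parameter file, when one is set; None means "rely on default".
    """
    warn = WARN_LINE.search(_unwrap(haproxy_log))
    offer = parse_offer(scan_output)
    if offer is None:
        return ["no DH group offered"]
    name, bits = offer
    findings = []
    if configured_bits is not None and warn:
        findings.append("default-size warning shown although a size is configured")
    expected = configured_bits
    if expected is None and warn:
        expected = int(warn.group("bits"))
    if expected is not None and bits != expected:
        findings.append(f"offered {bits} bits ({name}), expected {expected}")
    if bits < MIN_BITS:
        findings.append(f"{bits}-bit group is below {MIN_BITS}")
    return findings


# Sample inputs taken from the lines quoted in the comment above.
WARNING = ("Setting tune.ssl.default-dh-param to 1024 by\n"
           "default, if your workload permits it you should set it to at least 2048.")
PRE_FIX = ("DH group offered:   RFC5114/2048-bit DSA group with 224-bit prime\n"
           "order subgroup (2048 bits)")

if __name__ == "__main__":
    print(check(WARNING, PRE_FIX))                                   # pre-fix
    print(check(WARNING, "DH group offered:  HAProxy (1024 bits)"))  # fixed, default
    print(check("", "DH group offered:  HAProxy (2048 bits)", 2048))  # fixed, 2048
```

An empty list means the offered group matches what was configured and meets the floor; the pre-fix case reports the 2048-versus-1024 mismatch, and the fixed default case reports only that 1024 bits is below the floor.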
