Prior to Update:
E: DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered:            HAProxy (1024 bits)
=> D+E on wrong defaults!


With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered:            HAProxy (2048 bits)
=> E+D ignore the config!

## Post Update ##

E: DH group offered:            HAProxy (1024 bits)
D: DH group offered:            HAProxy (1024 bits)
B: DH group offered:            HAProxy (1024 bits)
=> E+D back on the expected default
=> B not broken by rebuild

With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered:            HAProxy (2048 bits)
D: DH group offered:            HAProxy (2048 bits)
B: DH group offered:            HAProxy (2048 bits)
=> E+D: Config now works
=> B not broken by rebuild


Also on Bionic now (for the initial TLSv1.3 request):
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
 Testing protocols via sockets except NPN+ALPN 
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
...

Thanks to David for the extended test with a real configuration!
Marking this verified

** Tags removed: verification-needed verification-needed-bionic 
verification-needed-disco verification-needed-eoan
** Tags added: verification-done verification-done-bionic 
verification-done-disco verification-done-eoan

-- 
https://bugs.launchpad.net/bugs/1841936

Title:
  Rebuild openssl 1.1.1 to pickup TLSv1.3 (bionic) and unbreak existing
  builds against 1.1.1 (dh key size)
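To turn the before/after comparison in this report into a repeatable check, here is an added Python example (not code from the bug report, HAProxy or Ubuntu) that parses "DH group offered" lines in the format shown above and flags a build that is not using HAProxy's built-in DH parameters (the RFC5114 case that ignored the config), a size that differs from the configured tune.ssl.default-dh-param, or any group under 2048 bits. The sample lines and host labels are constructed.

```python
import re

# Constructed sample in the format shown in the report (E/D/B are release labels, not real hosts).
SAMPLE_OUTPUT = """\
E: DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered:            HAProxy (2048 bits)
B: DH group offered:            HAProxy (1024 bits)
X: SSLv3      not offered (OK)
"""

# "<label>: DH group offered: <group name> (<n> bits)"; the group name may contain spaces and slashes.
DH_LINE = re.compile(
    r"^(?P<label>\S+):\s+DH group offered:\s+(?P<group>.+?)\s+\((?P<bits>\d+) bits\)\s*$"
)

def parse_dh_lines(text):
    """Map each label to (group name, bit size); lines without a DH group are ignored."""
    results = {}
    for line in text.splitlines():
        m = DH_LINE.match(line)
        if m:
            results[m.group("label")] = (m.group("group"), int(m.group("bits")))
    return results

def check_dh(results, configured_bits, minimum_bits=2048):
    """Return label -> list of findings. configured_bits is the tune.ssl.default-dh-param
    value in effect (HAProxy's documented default is 1024 when it is not set)."""
    findings = {}
    for label, (group, bits) in results.items():
        issues = []
        if not group.startswith("HAProxy"):
            # Built-in parameters not in use: the config is being ignored, as seen pre-update.
            issues.append(f"unexpected group '{group}' (tune.ssl.default-dh-param ignored?)")
        if bits != configured_bits:
            issues.append(f"{bits}-bit group offered, configured {configured_bits}")
        if bits < minimum_bits:
            issues.append(f"{bits}-bit group is below the {minimum_bits}-bit minimum")
        findings[label] = issues
    return findings

if __name__ == "__main__":
    for label, issues in check_dh(parse_dh_lines(SAMPLE_OUTPUT), 2048).items():
        print(label, "OK" if not issues else "; ".join(issues))
```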
