I talked with Alex of the Security Team.
Here is the TL;DR summary:
- security would prefer and be +1 on enabling TLSv1.3 in haproxy in Bionic
- Server team is ok as well, while it is a feature addition it seems not to take away any
- thereby it would fall under the third section of [1] "add features without affecting existing features"
- In case the SRU Team "nacks" this upload then instead we should prepare and upload a change to "avoid to enable TLSv1.3 by accident"
I checked later releases, >=Disco are already built with the new version
so no other than Bionic would need to be changed.
[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases
** Changed in: haproxy (Ubuntu)
Status: Confirmed => Triaged
** Also affects: haproxy (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: haproxy (Ubuntu Bionic)
Status: New => Triaged
** Changed in: haproxy (Ubuntu)
Status: Triaged => Fix Released
** Changed in: haproxy (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: haproxy (Ubuntu Bionic)
Assignee: (unassigned) => Christian Ehrhardt (paelzer)
--
https://bugs.launchpad.net/bugs/1841936
Title:
Rebuild haproxy with openssl 1.1.1 will change features (bionic)
Status in haproxy package in Ubuntu:
Fix Released
Status in haproxy source package in Bionic:
Triaged
Bug description:
haproxy needs to be rebuilt after #1797386 to take advantage of
TLSv1.3.
(If that's not desirable for some reason, then maybe TLSv1.3 should be
actively disabled to avoid any surprises in case of a future bug fix
release.)
---
Output of haproxy -vv with stock package:
Built with OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
---
Output after rebuilding the package from source:
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
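Added example, not part of the bug report: a small shell check that reads `haproxy -vv` output and reports the two things the description compares, whether the build-time and run-time OpenSSL versions differ and whether TLSv1.3 is in the supported protocol list. The function names and the summary format are assumptions; the sample input is the stock-package output quoted in the bug description.

```shell
#!/bin/sh
# Added example: summarise the OpenSSL lines of `haproxy -vv`.
# check_haproxy_tls and stock_output are hypothetical helper names.

# Reads `haproxy -vv` text on stdin and prints one line:
#   built=<ver> running=<ver> mismatch=<yes|no|unknown> tls13=<yes|no>
check_haproxy_tls() {
    awk '
        # Strip everything up to the colon; field 2 is then the version.
        # Appending "" forces string (not numeric) comparison later.
        /^[ \t]*Built with OpenSSL version/ { sub(/^[^:]*: */, ""); built = $2 "" }
        /^[ \t]*Running on OpenSSL version/ { sub(/^[^:]*: */, ""); running = $2 "" }
        # Only the protocol list has "supports" directly before the colon;
        # the "TLS extensions" and "SNI" lines do not match this pattern.
        /^[ \t]*OpenSSL library supports *:/ {
            for (i = 1; i <= NF; i++) if ($i == "TLSv1.3") tls13 = "yes"
        }
        END {
            if (built == "" || running == "") mismatch = "unknown"
            else mismatch = (built == running) ? "no" : "yes"
            printf "built=%s running=%s mismatch=%s tls13=%s\n",
                (built == "" ? "?" : built), (running == "" ? "?" : running),
                mismatch, (tls13 == "" ? "no" : tls13)
        }
    '
}

# The stock-package output quoted in the bug description.
stock_output() {
    cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
EOF
}

stock_output | check_haproxy_tls
# On a live host: haproxy -vv | check_haproxy_tls
```

A `mismatch=yes tls13=no` result is the state described for the stock package; after a rebuild against OpenSSL 1.1.1 the same check reports `mismatch=no tls13=yes`.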