I talked with Alex of the security Team.
Here is the TL;DR summary:
- security would prefer and be +1 on enabling TLSv1.3 in haproxy in Bionic
  - Server team is ok as well, while it is a feature addition it seems not to take away any
  - thereby it would fall under the third section of [1] "add features without affecting existing features"
- In case the SRU Team "nacks" this upload then instead we should prepare and upload a change to "avoid to enable TLSv1.3 by accident"

I checked later releases, >=Disco are already built with the new version
so no other than Bionic would need to be changed.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases

** Changed in: haproxy (Ubuntu)
       Status: Confirmed => Triaged

** Also affects: haproxy (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: haproxy (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: haproxy (Ubuntu)
       Status: Triaged => Fix Released

** Changed in: haproxy (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: haproxy (Ubuntu Bionic)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

-- 
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to haproxy in Ubuntu.
https://bugs.launchpad.net/bugs/1841936

Title:
  Rebuild haproxy with openssl 1.1.1 will change features (bionic)

Status in haproxy package in Ubuntu:
  Fix Released
Status in haproxy source package in Bionic:
  Triaged

Bug description:
  haproxy needs to be rebuilt after #1797386 to take advantage of
  TLSv1.3.

  (If that's not desirable for some reason, then maybe TLSv1.3 should be
  actively disabled to avoid any surprises in case of a future bug fix
  release.)

  ---

  Output of haproxy -vv with stock package:

  Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
  Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018 (VERSIONS DIFFER!)
  OpenSSL library supports TLS extensions : yes
  OpenSSL library supports SNI : yes
  OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2

  ---

  Output after rebuilding the package from source:

  Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
  Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
  OpenSSL library supports TLS extensions : yes
  OpenSSL library supports SNI : yes
  OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
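
A check for the condition visible in the two `haproxy -vv` outputs above, as an added example that is not part of the original bug report or of the haproxy package. The function names are assumptions made here; the two sample inputs are the outputs quoted in the bug description.

```shell
#!/bin/sh
# Added example: audit `haproxy -vv` output for an OpenSSL build/runtime
# mismatch and report whether TLSv1.3 is among the supported protocols.
# Exit status: 0 = versions match, 1 = versions differ, 2 = could not parse.
check_haproxy_tls() {
    awk '
        # Return the text after the first ":" of a "label : value" line.
        function value(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
        /Built with OpenSSL version/ { built = value($0) }
        /Running on OpenSSL version/ {
            run = value($0)
            sub(/[ \t]*\(VERSIONS DIFFER!\)[ \t]*$/, "", run)
        }
        /OpenSSL library supports :/ { protos = value($0) }
        END {
            if (built == "" || run == "") { print "unparsed"; exit 2 }
            tls13 = ((" " protos " ") ~ / TLSv1\.3 /) ? "yes" : "no"
            state = (built == run) ? "match" : "mismatch"
            printf "%s built=\"%s\" running=\"%s\" tls13=%s\n", state, built, run, tls13
            exit (state == "match" ? 0 : 1)
        }
    '
}

# Sample inputs: the two outputs quoted in the bug description.
sample_stock() {
cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
EOF
}

sample_rebuilt() {
cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
EOF
}

# On a live host: haproxy -vv | check_haproxy_tls
sample_stock | check_haproxy_tls || true
sample_rebuilt | check_haproxy_tls
```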
