Consider updating GNUTLS for TLSv1.3 and unified config w/Focal

Bug #1851427 reported by Marc Doughty
Affects: gnutls28 (Ubuntu); Status: New; Importance: Wishlist; Assigned to: Unassigned; Milestone: none

Bug Description

Bionic uses GNUTLS 3.5, and many programs embed its functionality (like Samba). The OpenSSL library in Bionic was backported to support TLSv1.3, but many packages using GNUTLS 3.5 are using an older branch (the stable branch of GNUTLS is now 3.6).

There are some advantages to the latest GNUTLS, such as TLSv1.3 support, optimizations and fixes, and also centralized management of cipher profile strings, which will let SYSADMINs and MSPs easily template cipher changes across the board between Bionic and Focal systems.

Would it be possible to backport GNUTLS to Bionic the same way that OpenSSL was? It would be nice to have both major encryption libraries on the current branch through a release's supported life.

Further reading:
https://gnutls.org/news.html
https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

Dimitri John Ledkov (xnox) wrote :

Bionic at point-zero shipped with two OpenSSL series, the legacy 1.0.2 and the non-LTS 1.1.0. We made the call that the 1.1.0 series is unsupportable over the 10 years, and thus chose (as a one-time-only event) to upgrade to the 1.1.1 series. It was primarily driven by supportability and maintenance concerns.

Note, many applications in bionic, despite using the 1.1.1 series, do not support TLSv1.3. And many use 1.0.2.

We do not currently have supportability concerns about GnuTLS 3.5 in bionic over the bionic lifespan. Thus the same premise as to why we went through the painful process of the OpenSSL backport does not stand.

Changed in gnutls28 (Ubuntu):
importance: Undecided → Wishlist