Please provide ED25519 support in 18.04 OpenSSL

Bug #1780807 reported by Michael Steffens on 2018-07-09
This bug report is a duplicate of: Bug #1797386: [SRU] OpenSSL 1.1.1 to 18.04 LTS.
This bug affects 27 people
Affects: openssl (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Current libssl1.1 version in Bionic is 1.1.0g-2ubuntu4.1 and lacks support for the ED25519 signature algorithm.

As ED25519 is quickly gaining traction as the most demanded and preferred elliptic curve algorithm, it would be a substantial issue not to have any support for it in the remaining lifetime of the most recently released Ubuntu LTS.

OpenSSL is introducing ED25519 with their 1.1.1 release, which is currently in beta (openssl-1.1.1-pre8 as of today). I suggest upgrading Bionic libssl1.1 to OpenSSL 1.1.1, once finally released by OpenSSL.

description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Alyssa Rowan (akr) wrote :

Should add to this: 1.1.1 is the LTS version of OpenSSL; 1.1.0 is no longer supported upstream. It's not going to be practical to backport anything to 1.1.0.

1.1.1 has no API breakage beyond 1.1.0 (which you already did) and you should upgrade this during bionic. 1.1.1 also adds TLSv1.3.

If you don't, a LOT of people are going to be running 18.04 with frankenpatches.

Jean-Daniel Dupas (xooloo) wrote :

Yes. As Bionic is an LTS release, it would be wise to include the OpenSSL LTS release in it, which is version 1.1.1.

ruffsl (roxfoxpox) wrote :

I also agree: given that OpenSSL version 1.1.0 will be supported until one year after the release of 1.1.1 (i.e. 2019/09/11), migrating to 1.1.1 LTS would be the best course of action for 18.04 LTS (EOL 2023/04):

https://www.openssl.org/policies/releasestrat.html

Quoting from yesterday's 1.1.1 release announcement:

> Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straightforward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate effect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one year's time.

https://www.openssl.org/blog/blog/2018/09/11/release111

Perhaps this warrants its own new ticket?

Wuttigf (wuttigf) wrote :

I also agree; with OpenSSL 1.1.0 there is a bug when using RSA_PSS signed CAs in Apache to check client auth. See http://mail-archives.apache.org/mod_mbox/httpd-users/201809.mbox/%3cOFC4116D92.B8C3F520-ONC1258313.002D0EB2-C1258313.002D4B68@LocalDomain%3e
