| 2022-05-07 11:15:21 |
Oibaf |
bug |
|
|
added bug |
| 2022-05-07 11:16:13 |
Oibaf |
summary |
please sync openssl.cnf to ease changing security level |
[openssl3] please sync openssl.cnf to ease changing security level |
|
| 2022-05-07 16:13:40 |
Launchpad Janitor |
openssl (Ubuntu): status |
New |
Confirmed |
|
| 2022-05-11 07:36:55 |
Simon Chopin |
tags |
|
rls-kk-incoming |
|
| 2022-05-11 07:37:17 |
Simon Chopin |
tags |
rls-kk-incoming |
rls-jj-incoming rls-kk-incoming |
|
| 2022-05-12 15:17:27 |
Brian Murray |
openssl (Ubuntu): importance |
Undecided |
Medium |
|
| 2022-05-12 15:17:42 |
Benjamin Drung |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010360 |
|
| 2022-05-12 15:17:42 |
Benjamin Drung |
bug task added |
|
openssl (Debian) |
|
| 2022-05-12 15:26:01 |
Bug Watch Updater |
openssl (Debian): status |
Unknown |
Fix Released |
|
| 2022-05-12 15:53:22 |
Brian Murray |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-05-12 15:53:22 |
Brian Murray |
bug task added |
|
openssl (Ubuntu Kinetic) |
|
| 2022-05-12 15:53:22 |
Brian Murray |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-05-12 15:53:22 |
Brian Murray |
bug task added |
|
openssl (Ubuntu Jammy) |
|
| 2022-05-12 15:53:33 |
Brian Murray |
openssl (Ubuntu Jammy): importance |
Undecided |
Medium |
|
| 2022-05-12 15:53:35 |
Brian Murray |
openssl (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2022-05-12 15:53:44 |
Brian Murray |
tags |
rls-jj-incoming rls-kk-incoming |
|
|
| 2022-05-12 16:26:06 |
Brian Murray |
tags |
|
fr-2369 |
|
| 2022-05-25 12:49:45 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~schopin/ubuntu/+source/openssl/+git/openssl/+merge/423153 |
|
| 2022-05-30 10:19:47 |
Simon Chopin |
description |
openssl.cnf as provided misses some directive, which make it a bit difficult to change security level, which since openssl 3 disables SHA1 signatures.
See also this Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010360 and the committed fix: https://salsa.debian.org/debian/openssl/-/commit/b507914c40270e32cde6afcc8af93707c225e7f4
Can you please sync this change in Ubuntu openssl?
This way one should just add a single directive to change the security level.
Thanks. |
[Impact]
The OpenSSL 3.0 lead to a lot of broken setups. Some of them are regressions, but others are simply broken due to the use of outdated algorithms, such as SHA-1 signature on certificates. Changing the security level is a common action to identify and work around such cases, and as such the user should be able to change it easily in the default config file.
The fix is to partially revert our delta that ignored a Debian patch: instead of ignoring the patch entirely, we modify it to only affect the default configuration file, and in a way that matches our patchset. Using this approach will allow us to pick up on Debian's changes more easily during subsequent merges.
[Test Plan]
To easily check that the setting is taken into account, one can use
'openssl ciphers -s'
$ openssl ciphers -v -s | wc -l # Uses the default value
30
$ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=2' | wc -l
30
$ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=3' | wc -l
24
$ vim /etc/ssl/openssl.cf # edit the config file to bump the seclevel to 3
$ openssl ciphers -v -s | wc -l # Uses the new value from the config file
24
[Where problems could occur]
The changes could break the overall configuration of OpenSSL!
[Origin report]
openssl.cnf as provided misses some directive, which make it a bit difficult to change security level, which since openssl 3 disables SHA1 signatures.
See also this Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010360 and the committed fix: https://salsa.debian.org/debian/openssl/-/commit/b507914c40270e32cde6afcc8af93707c225e7f4
Can you please sync this change in Ubuntu openssl?
This way one should just add a single directive to change the security level.
Thanks. |
|
| 2022-06-04 11:26:20 |
Launchpad Janitor |
openssl (Ubuntu Kinetic): status |
Confirmed |
Fix Released |
|
| 2022-06-08 15:34:06 |
Łukasz Zemczak |
openssl (Ubuntu Jammy): status |
Confirmed |
Fix Committed |
|
| 2022-06-08 15:34:07 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-06-08 15:34:09 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2022-06-08 15:34:12 |
Łukasz Zemczak |
tags |
fr-2369 |
fr-2369 verification-needed verification-needed-jammy |
|
| 2022-06-10 13:34:48 |
Oibaf |
tags |
fr-2369 verification-needed verification-needed-jammy |
fr-2369 verification-done-jammy verification-needed |
|
| 2022-06-20 14:32:33 |
Launchpad Janitor |
openssl (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2022-06-20 14:32:43 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
