openssl: backport to jammy "clear method store / query cache confusion"
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssl (Ubuntu) | New | Undecided | Unassigned | |
Jammy | Fix Released | Medium | Simon Chopin | |
Lunar | Fix Released | Undecided | Unassigned | |
Bug Description
=== SRU information ===
[ATTENTION]
This SRU contains THREE changes which are listed in the section below.
[Meta]
This bug is part of a series of three bugs for a single SRU.
This ( #2033422 ) is the "central" bug with the global information and debdiff.
This SRU addresses three issues with Jammy's openssl version:
- http://
- http://
- http://
The SRU information has been added to the three bug reports and I am attaching the debdiff here only for all three.
All the patches have been included in subsequent openssl 3.0.x releases which in turn have been included in subsequent Ubuntu releases. There has been no report of issues when updating to these Ubuntu releases.
I have rebuilt the openssl versions and used abi-compliance-
I have also pushed the code to git (without any attempt to make it git-ubuntu friendly).
https:/
I asked Brian Murray about phasing speed and he concurs a slow roll-out is probably better for openssl. There is a small uncertainty because a security update could come before the phasing is over, effectively fast-forwarding the SRU. Still, unless there is already a current pre-advisory, this is probably better than a 10% phasing which is over after only a couple days anyway.
NB: at the moment openssl doesn't phase slowly so this needs to be implemented.
[Impact]
Severely degraded performance for concurrent operations compared to openssl 1.1. The performance is so degraded that some workloads fail due to timeouts or insufficient resources (no one magically has 5 times more machines). As a consequence, a number of people use openssl 1.1 instead and do not get security updates.
[Test plan]
Rafael Lopez has shared a simple benchmark in http://
To test, follow these steps:
- run "time python3 main.py" # using the aforementioned main.py script
- apt install -t jammy-proposed libssl3
- run "time python3 main.py"
- compare the runtimes for the two main.py runs
You can run this on x86_64, Raspberry Pi 4 or any machine, and get a very large speed-up in all cases. The improvements are not architecture-
Using this changeset, I get the following numbers for ten runs on my laptop:
3.0.2:
real 2m5.567s
user 4m3.948s
sys 2m0.233s
this SRU:
real 0m23.966s
user 2m35.687s
sys 0m1.920s
As can be easily seen, the speed-up is massive: system time is divided by 60 and overall wall clock time is roughly five times lower.
In http://
The benchmark uses https:/
Finally, there are positive reports on github. Unfortunately they are not always completely targeted at these patches only and therefore I will not link directly to them but they have also been encouraging.
[Where problems could occur]
The change is spread over several patches which touch the internals of openssl. As such, the engine and provider functionality could be broken by these changes. Fortunately, in addition to upstream's code review, these patches are included in openssl 3.0.4 (iirc) and therefore in kinetic. No issue related to these changes was reported on launchpad or upstream.
However, it is possible that there were more patch dependencies than these in either 3.0.3 or 3.0.4. In that case there could be problems.
[Patches]
The patches come directly from upstream and apply cleanly.
https:/
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
* https:/
=== Original description ===
This is about SRU'ing to Jammy the patches at https:/
Changed in openssl (Ubuntu Lunar): | |
assignee: | nobody → Adrien Nader (adrien-n) |
Changed in openssl (Ubuntu Jammy): | |
milestone: | none → ubuntu-22.04.4 |
milestone: | ubuntu-22.04.4 → jammy-updates |
Changed in openssl (Ubuntu Lunar): | |
assignee: | Adrien Nader (adrien-n) → nobody |
Changed in openssl (Ubuntu Jammy): | |
assignee: | nobody → Adrien Nader (adrien-n) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in openssl (Ubuntu Lunar): | |
status: | New → Fix Released |
description: | updated |
Changed in openssl (Ubuntu Jammy): | |
assignee: | Adrien Nader (adrien-n) → Simon Chopin (schopin) |
I've created a PPA for Jammy that incorporates the fix mentioned. The details are available at https://launchpad.net/~adrien-n/+archive/ubuntu/openssl-jammy-sru . Could you test it and confirm your issue is solved?