Comment 28 for bug 1797386

Steve Langasek (vorlon) wrote :

The libio-socket-ssl-perl debdiff includes the following changes to upstream tests:

(t/ecdhe.t)

+ my $protocol = $to_server->get_sslversion;
+ if ($protocol eq 'TLSv1_3') {
+ # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
+ ok("# SKIP TLSv1.3 doesn't advertize key exchange in a chipher name");
+ } else {
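
Review bot: In the TLSv1_3 branch, `ok("# SKIP ...")` passes the skip text as its only argument, so if this is Test::More's `ok` the string is the value under test (always true) and the result is recorded as an unnamed pass rather than a skip. A `SKIP:` block with `skip(...)`, or `ok(1, "...")` at minimum, would make the intent visible in the TAP output. The branch also means the ECDHE check in the `else` arm never runs once TLS 1.3 is negotiated, so consider an additional run pinned below TLS 1.3 to keep that assertion exercised. The message text has two typos ("advertize", "chipher").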

(t/npn.t)

+ SSL_version => 'SSLv23:!TLSv1_3', # NPN does not exist in TLSv1.3
+ # https://github.com/openssl/openssl/issues/3665
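
Review bot: Missing coverage for the case callers will actually hit: with `SSL_version => 'SSLv23:!TLSv1_3'` the test only exercises NPN where TLS 1.3 is excluded, and nothing asserts what a caller sees when NPN is requested and TLS 1.3 is not excluded. Since the comment says NPN does not exist in TLSv1.3, add a case without the `!TLSv1_3` exclusion that checks the resulting behaviour (error, or no negotiated protocol), and state that behaviour in the module documentation so reverse-dependencies know whether they must pin the version themselves.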

(t/session_ticket.t)

+ # FIXME - add session ticket support for TLS 1.3 too
+ SSL_version => 'SSLv23:!TLSv1_3',

[...]

+# FIXME: TLSv1.3 requires to use SSL_CTX_sess_set_new_cb() by clients instead
+# of SSL_get1_session(). Missing from Net::SSLeay.
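
Review bot: This FIXME describes a limitation that reaches callers, not just the test: it says clients under TLSv1.3 need `SSL_CTX_sess_set_new_cb()` instead of `SSL_get1_session()` and that this is missing from Net::SSLeay. A comment in a test file is the wrong place for that to live on its own. Document the resulting client-side session reuse behaviour under TLS 1.3 in the module's user-facing documentation or changelog, and link the Net::SSLeay gap so the FIXME can be resolved when the binding exists.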

Please discuss / account for the impact of these interface changes on the reverse-dependencies of libio-socket-ssl-perl as part of this SRU. AFAIK there have not been any specific rebuild etc. tests with the new version of libio-socket-ssl-perl as part of this transition. There will be autopkgtest results, which may or may not be comprehensive. If you expect these autopkgtests to be a sufficient guard against regression in Ubuntu, please document why in the SRU bug. Also please quantify/characterize the risk of regression to third-party software deployed on bionic using libio-socket-ssl-perl in the face of these interface changes, and if you believe that risk of regression is acceptable, explain why.

Finally, please explain why this SRU introduces a hard-coded build-dependency (and runtime dependency) on libssl1.1 instead of this being resolved through shlibdeps or -dev package dependencies.