** Changed in: openssl
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1018998
  Title:
  SSL_OP_ALL incorrectly disables TLS 1.1

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Precise:
  Fix Released
Status in openssl source package in Quantal:
  Fix Released

Bug description:
  From the openssl 1.0.1b changelog:

    *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
       1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
       mean any application compiled against OpenSSL 1.0.0 headers setting
       SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
       TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
       0x10000000L. Any application which was previously compiled against
       OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
       will need to be recompiled as a result.

  Leaving it be results in the inability to disable specifically TLS 1.1
  and, in a client context, in the unlikely event, limits the maximum
  offered version to TLS 1.0.

  Any package in the repo that got compiled on oneiric, or on precise
  before 2012-03-24 02:03:49 EDT, got compiled with SSL_OP_ALL set to
  0x80000FFFL, and is telling openssl on precise to disable tls v1.1.
  openssl 1.0.1 had SSL_OP_ALL set to 0x80000BFFL.

  We have two choices:

  1- We rebuild all packages that are in the archive that were built
     before 2012-03-24 02:03:49 EDT so they set SSL_OP_ALL to 0x80000BFFL.
     Unfortunately, that means when we push 1.0.1b to quantal, they will
     no longer be able to use SSL_OP_NO_TLSv1_1 to disable tlsv1.1 during
     runtime.

  2- We issue an openssl security update for precise and quantal that
     switches SSL_OP_NO_TLSv1_1 to 0x10000000L, as in 1.0.1b. This means
     old applications will not disable tls v1.1 by accident, but will no
     longer be able to use SSL_OP_NO_TLSv1_1 to disable tlsv1.1 during
     runtime. If some applications are known to rely on runtime disabling
     of tls v1.1, we can simply rebuild them once the openssl security
     update has been pushed out.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1018998/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp