I've discussed this with mapreri who is another person on the
backporters team.
Given the API/ABI changes that happen during OpenSSL microreleases that
break packages integrations AND that this will add a security delta
(-backports doesn't receive Security Team support so if they change and
patch a CVE in -security or -updates it remains unpatched in -backports
which introduces a significant Security risk.
Additionally, if it's only 3 or 4 commits to fix
SSL_OP_LEGACY_SERVER_CONNECT then you need to follow the SRU process,
not the Backports process.
Rejecting this backport as "Won't Fix" due to the aforementioned
reasons. Additionally, the Backporters Team are going to blacklist
`openssl` for backport requests unless it comes from Security at this
time.
** Changed in: openssl (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2003903
Title:
[BPO] openssl/3.0.5-2ubuntu2 from kinetic
Status in openssl package in Ubuntu:
Won't Fix
Bug description:
Humbly requesting backporting OpenSSL 3.0.5-2ubuntu2 from kinetic to
jammy.
[Impact]
From the OpenSSL 3.0 migration guide:
(https://www.openssl.org/docs/man3.0/man7/migration_guide.html)
"Secure renegotiation is now required by default for TLS connections
Support for RFC 5746 secure renegotiation is now required by default
for SSL or TLS connections to succeed. Applications that require the
ability to connect to legacy peers will need to explicitly set
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly,
SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL."
------------
OpenSSL 3.0.2 doesn't allow you to enable UnsafeLegacyServerConnect in
the openssl.cnf file. The OpenSSL team documented this option but
forgot to implement it
(https://github.com/openssl/openssl/pull/18296).
Users are recommending enabling UnsafeLegacyRenegotiation (see
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32)
(see more examples in "Other Info")
When this is enabled, it makes OpenSSL 3 less secure than 1.1.1 (which
is what the previous LTS, Focal, uses).
Backporting the newer OpenSSL 3.0.5 would allow users to enable
UnsafeLegacyConnect, while keeping UnsafeLegacyRenegotiation disabled.
[Scope]
Backport OpenSSL 3.0.5-2ubuntu2 from kinetic
Backport to jammy
[Other Info]
Other places where users are recommending enabling UnsafeLegacyRenegotiation:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/6
https://ubuntuforums.org/showthread.php?t=2474436&p=14094091#post14094091
https://www.reddit.com/r/Ubuntu/comments/ufalf4/cannot_connect_to_eduroam_since_2204_update/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2003903/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
