I'm sorry this bug flew under the radar. These seem to have been bugs
with stunnel4 and pure-ftpd rather than openssl, but I understand why
you've filed a bug for openssl too.

I can't tell if it would have made sense to initially disable TLS 1.3 by
default when pushing openssl 1.1.1 but I think it caused some issues and
this can be something to keep in mind for the future.

As for this specific bug, I think it will be WONTFIX anyway since bionic
is almost end-of-life now.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1865204

Title:
  Multiple packages broke with openssl 1.1.1 upgrade

Status in openssl package in Ubuntu:
  New

Bug description:
  While I welcome the adding of security features by upgrading vital
  packages like openssl, there are at least two packages that I know of
  which ran fine with libssl 1.1.0 and do not with libssl 1.1.1. This bug
  has been introduced with the migration from openssl 1.1.0 to 1.1.1 in
  one of the last point releases.

  1. stunnel4 3:5.44-1ubuntu3

  stunnel4 breaks with openssl 1.1.1 (which supports TLS 1.3).

  I get errors when a Windows stunnel client connects to the stunnel4
  daemon:

  Feb 20 14:10:03 peterpan.neverland stunnel[24427]: LOG3[0]: s_connect: connect ::1:3128: Connection refused (111)

  This can be fixed when I manually add "MaxProtocol = TLSv1.2" to
  /etc/ssl/openssl.conf, showing that TLS 1.3 introduced by openssl
  1.1.1 is the culprit.

  stunnel4 needs an update. At least for stunnel4, another fix would be
  to specify "sslVersion = TLSv1.2" in its config file.

  2. pure-ftpd 1.0.46-1build1

  Same thing here. You cannot connect once you use "tls=2" or higher if
  openssl 1.1.1 with TLS 1.3 is active. Only fix here I found is to
  limit the max protocol in openssl for all applications. pure-ftpd
  itself has no means of controlling the TLS version, at least not in
  the bionic version of it.

  I use Ubuntu Server 18.04.04 LTS, BTW and openssl was
  1.1.1-1ubuntu2.1~18.04.5.

  
  Both problems could be fixed by backporting stunnel4 and pure-ftpd
  packages from Focal Fossa.
