pkg-perl-maintainers team mailing list archive

[Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS


Hello Dimitri, or anyone else affected,

Accepted libwww-perl into bionic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/libwww-perl/6.31-1ubuntu0.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Description changed:

  [Impact]
  
   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.
  
   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to be
  rapidly adopted due to an increased set of supported hashes & algorithms, as
  well as improved handshake [re-]negotiation.
  
   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.
  
   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some software
  is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.
  
  [Test Case]
  
   * Rebuild all reverse dependencies
  
   * Execute autopkg tests for all of them
  
   * Clamp down to TLS v1.2 software that does not support TLS v1.3 (e.g.
  mongodb)
  
   * Backport TLS v1.3 support patches, where applicable
  
  [Test cases for the python updates]
  
  python3.7 is a preview in bionic as a non-supported/non-default
  version of python3. Passing its own autopkgtests is sufficient
  validation for python3.7. It includes a point release update, with
  OpenSSL 1.1.1 compat and features.
  
  python3.6 not only has OpenSSL 1.1.1 compat and features patches, but
  also includes a point release update to 3.6.8. It has been part of the
  full-archive rebuild and regression analysis. Autopkgtests were
  triggered for python3.6 and python3-defaults with regressions already
  fixed in the individual packages as appropriate.
  
  python2.7 has the update from .15~rc1 to .15 final, with OpenSSL 1.1.1
  compat only. It has been part of the full-archive rebuild and
  regression analysis. Autopkgtests were triggered for python2.7 and
  python-defaults with regressions already fixed in the individual
  packages as appropriate.
  
  The archive rebuilds done were cumulative with OpenJDK 11, OpenSSL 1.1.1 and python point releases as seen in:
  http://people.canonical.com/~doko/ftbfs-report/test-rebuild-20181222-bionic.html
  http://people.canonical.com/~doko/ftbfs-report/test-rebuild-20181222-test-bionic.html
  
  And analyzed in
  https://docs.google.com/spreadsheets/d/1tMIwlwoHH_1h5sbvUbNac6-HIPKi3e0Xr8ebchIOU1A/edit#gid=147857652
  
  [ Test case libwww-perl (and deps) regression ]
  
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914034
  
- apt install liblwp-protocol-https-perl libio-socket-ssl-perl libnet-
- ssleay-perl
- 
- perl -MLWP::UserAgent -e
- 'LWP::UserAgent->new->post("https://facebook.com";, { data => "foo" }) or
- die'
+ 1. apt install liblwp-protocol-https-perl
+ 2. enable -proposed
+ 3. apt install libio-socket-ssl-perl libnet-ssleay-perl
+ 4. perl -MLWP::UserAgent -e 'LWP::UserAgent->new->post("https://facebook.com";, { data => "foo" }) or die'
  
  [Regression Potential]
  
   * Connectivity interop is the biggest issue, which will be unavoidable
  with introducing TLS v1.3. However, tests on cosmic demonstrate that
  curl/nginx/google-chrome/mozilla-firefox connect and negotiate TLS v1.3
  without issues.
  
   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side software
  or by backporting relevant support fixes.
  
   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3
  
   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. The solution is a client change to set the hostname, or to clamp down the client to TLSv1.2.
  
     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.
  
     - non-application data records. TLSv1.3 sends more of these, when compared with previous versions, and some applications may not handle this correctly, resulting in application data not being available when previously expected. Mitigations for these involve disabling/enabling SSL_MODE_AUTO_RETRY or setting the max protocol version to TLSv1.2. For example see the discussion identified in the perl stack https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914034
  Similar hangs are possible with prior versions of TLS as well; it is, however, easier to trigger this with TLSv1.3.
  
   * Deprecated npn extension does not exist in TLSv1.3 implementation.
  
   * This update bundles python 3.6 and 3.7 point releases
  
  [Other Info]
  
   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092
  
   * TLS v1.3 support in NSS is expected to make it to 18.04 via security
  updates
  
   * TLS v1.3 support in GnuTLS is expected to be available in 19.04
  
   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473
  
  [Autopkgtest Regressions]
  
  dovecot/armhf - flakey
  
  libnet-ssleay-perl - awaiting sru accept into proposed of
  libnet-ssleay-perl and libio-socket-ssl-perl due to fixes and
  versioned breaks.
  
  linux* - rebuild testcases passes (for some edge flavours the build
  fails in non-ssl portions of the build), ubuntu-regression-suite
  testcase fails for a few variants but should have been skipped (in
  progress to be fixed in
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1823056)
  
  openvswitch/i386 - extremely flakey, errors out or fails mostly
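Review bot: the new step 4 one-liner in the libwww-perl test case cannot fail on its own: `LWP::UserAgent->post` always returns an HTTP::Response object, which is a true value, so `or die` never fires and a handshake failure or timeout only shows up as a synthetic 500 response. Suggest printing `->status_line` (or checking `->is_success`) and passing `timeout => ...` to `LWP::UserAgent->new`, so the hang from Debian bug 914034 is reported instead of blocking forever. As written, the stray `;` after `"https://facebook.com"` (most likely an escaping artifact) also makes the one-liner a Perl syntax error.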

** Changed in: libwww-perl (Ubuntu Bionic)
       Status: New => Fix Committed

** Changed in: libwww-perl (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libwww-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/1797386/+subscriptions
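A verification probe for the libwww-perl / IO::Socket::SSL regression discussed in the description (an added example, not part of the bug report or of the Ubuntu/Debian packages). It runs the POST from the test case with a hard timeout, judges the result by whether LWP produced an internal error response rather than by the object's truth value, and then repeats it with the TLSv1.2 clamp named under [Regression Potential]; `probe` is a hypothetical helper, and the `'SSLv23:!TLSv1_3'` spelling is assumed to require IO::Socket::SSL 2.060 or newer.

```perl
#!/usr/bin/perl
# Constructed probe for the TLSv1.3 hang described in the bug (not the
# bug report's own test case). Usage: perl probe.pl [https://host/path]
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;
use Net::SSLeay;

# One HTTPS POST with the given extra IO::Socket::SSL options and a hard
# timeout, so a handshake or record-layer hang surfaces as a failure
# instead of an indefinite wait. Returns a one-line verdict.
sub probe {
    my ($url, %ssl_opts) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 20,
        ssl_opts => { verify_hostname => 1, %ssl_opts },
    );
    my $resp = $ua->post($url, { data => 'foo' });
    # post() always returns an HTTP::Response object (a true value), so
    # "->post(...) or die" never dies. Errors raised inside LWP itself
    # (timeout, connect or handshake failure) come back as a synthetic 500
    # carrying "Client-Warning: Internal response"; any other status means
    # the TLS session completed and the server actually answered.
    my $internal = ($resp->header('Client-Warning') // '') eq 'Internal response';
    return $internal
        ? 'FAIL: ' . $resp->status_line                    # e.g. "500 read timeout"
        : 'ok: TLS session completed, server said ' . $resp->status_line;
}

my $url = shift @ARGV // 'https://facebook.com';

# Versions worth quoting in the SRU verification comment.
printf "IO::Socket::SSL %s, Net::SSLeay %s, %s\n",
    IO::Socket::SSL->VERSION, Net::SSLeay->VERSION,
    Net::SSLeay::SSLeay_version(0);

# 1) Default negotiation: with OpenSSL 1.1.1 the client offers TLSv1.3.
print "default negotiation: ", probe($url), "\n";

# 2) The client-side mitigation from the regression notes: keep the
#    SSLv23-style handshake but refuse TLSv1.3, i.e. cap at TLSv1.2
#    (assumed to need IO::Socket::SSL >= 2.060 for the TLSv1_3 token).
print "clamped to TLSv1.2:  ", probe($url, SSL_version => 'SSLv23:!TLSv1_3'), "\n";
```

A fixed package should report "ok" for both runs; a hanging stack shows "FAIL: 500 read timeout" on the first run only.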