sts-sponsors team mailing list archive

Thread
Date

Re: Please Review LP#1926254 openssl x509 Certificate Validation SRU

To: Dan Streetman <ddstreet@xxxxxxxxxxxxx>
From: Matthew Ruffell <matthew.ruffell@xxxxxxxxxxxxx>
Date: Mon, 3 May 2021 11:56:54 +1200
Cc: sts-sponsors@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAOZ2QJNdSGdFUf3cezQNTi1XiaW4k1YodnbQR_PmxJuRBZrvZg@mail.gmail.com>

Hi Dan,

I responded to Seth's question about the re-factor commit in openssl
3.0alpha, and it does not need to be backported.

I think we are good to go for sponsorship now, thanks!

Matthew

On Sat, May 1, 2021 at 7:52 AM Dan Streetman <ddstreet@xxxxxxxxxxxxx> wrote:
>
> On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell
> <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> >
> > Hi Security Team,
> >
> > VISA opened a case, SF308725 - "openssl unable to process the certificate on
> > Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
> > both Focal and Groovy.
> >
> > [1] https://canonical.lightning.force.com/lightning/r/Case/5004K000005pGePQAU/view
> >
> > A commit was merged in 1.1.1f which disallows certificates which set
> > "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs, but
> > this is a common configuration in certificates in the wild, particularly self
> > signed certificates.
> >
> > This was reported upstream and fixed in 1.1.1g, to relax this particular
> > scenario only, to allow it to be accepted as a valid certificate.
> >
> > More information and a full reproducer is available on the Launchpad bug,
> > LP #1926254 - "x509 Certificate verification fails when
> > basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].
> >
> > [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254
> >
> > Due to the nature of the package, can you please review the launchpad bug and
> > debdiffs I have attached to the launchpad bug, and if everything is okay, can
> > you write an acknowledgement and approval to a comment on the launchpad bug.
> >
> > After that I will seek sponsorship to get this submitted for SRU.
> >
> > I am thinking -updates is okay, no need for -security.
>
> I added ubuntu-security to the bug also, and I'm happy to upload if
> there are no objections from security team
>
> >
> > Thanks,
> > Matthew
> >
> > --
> > Mailing list: https://launchpad.net/~sts-sponsors
> > Post to     : sts-sponsors@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~sts-sponsors
> > More help   : https://help.launchpad.net/ListHelp

References

Please Review LP#1926254 openssl x509 Certificate Validation SRU
From: Matthew Ruffell, 2021-04-30
Re: Please Review LP#1926254 openssl x509 Certificate Validation SRU
From: Dan Streetman, 2021-04-30