Re: [Sts-sponsors] Please Review LP#1926254 openssl x509 Certificate Validation SRU
Hi Dan,

I responded to Seth's question about the re-factor commit in openssl 3.0alpha,
and it does not need to be backported.

I think we are good to go for sponsorship now, thanks!

Matthew

On Sat, May 1, 2021 at 7:52 AM Dan Streetman wrote:
>
> On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell wrote:
> >
> > Hi Security Team,
> >
> > VISA opened a case, SF308725 - "openssl unable to process the certificate on
> > Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
> > both Focal and Groovy.
> >
> > [1] https://canonical.lightning.force.com/lightning/r/Case/5004K05pGePQAU/view
> >
> > A commit was merged in 1.1.1f which disallows certificates which set
> > "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs,
> > but this is a common configuration in certificates in the wild, particularly
> > self signed certificates.
> >
> > This was reported upstream and fixed in 1.1.1g, to relax this particular
> > scenario only, to allow it to be accepted as a valid certificate.
> >
> > More information and a full reproducer is available on the Launchpad bug,
> > LP #1926254 - "x509 Certificate verification fails when
> > basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].
> >
> > [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254
> >
> > Due to the nature of the package, can you please review the launchpad bug
> > and debdiffs I have attached to the launchpad bug, and if everything is okay,
> > can you write an acknowledgement and approval to a comment on the launchpad
> > bug.
> >
> > After that I will seek sponsorship to get this submitted for SRU.
> >
> > I am thinking -updates is okay, no need for -security.
>
> I added ubuntu-security to the bug also, and I'm happy to upload if
> there are no objections from security team
>
> >
> > Thanks,
> > Matthew
> >
> > --
> > Mailing list: https://launchpad.net/~sts-sponsors
> > Post to     : sts-sponsors@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~sts-sponsors
> > More help   : https://help.launchpad.net/ListHelp

--
Mailing list: https://launchpad.net/~sts-sponsors
Post to     : sts-sponsors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~sts-sponsors
More help   : https://help.launchpad.net/ListHelp

Re: [Sts-sponsors] Please Review LP#1926254 openssl x509 Certificate Validation SRU
On Thu, Apr 29, 2021 at 8:13 PM Matthew Ruffell wrote:
>
> Hi Security Team,
>
> VISA opened a case, SF308725 - "openssl unable to process the certificate on
> Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
> both Focal and Groovy.
>
> [1] https://canonical.lightning.force.com/lightning/r/Case/5004K05pGePQAU/view
>
> A commit was merged in 1.1.1f which disallows certificates which set
> "basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs,
> but this is a common configuration in certificates in the wild, particularly
> self signed certificates.
>
> This was reported upstream and fixed in 1.1.1g, to relax this particular
> scenario only, to allow it to be accepted as a valid certificate.
>
> More information and a full reproducer is available on the Launchpad bug,
> LP #1926254 - "x509 Certificate verification fails when
> basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].
>
> [2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254
>
> Due to the nature of the package, can you please review the launchpad bug and
> debdiffs I have attached to the launchpad bug, and if everything is okay, can
> you write an acknowledgement and approval to a comment on the launchpad bug.
>
> After that I will seek sponsorship to get this submitted for SRU.
>
> I am thinking -updates is okay, no need for -security.

I added ubuntu-security to the bug also, and I'm happy to upload if
there are no objections from security team

>
> Thanks,
> Matthew

[Sts-sponsors] Please Review LP#1926254 openssl x509 Certificate Validation SRU
Hi Security Team,

VISA opened a case, SF308725 - "openssl unable to process the certificate on
Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
both Focal and Groovy.

[1] https://canonical.lightning.force.com/lightning/r/Case/5004K05pGePQAU/view

A commit was merged in 1.1.1f which disallows certificates which set
"basicConstraints=CA:FALSE,pathlen:0" as it violates the RFC for ssl certs,
but this is a common configuration in certificates in the wild, particularly
self signed certificates.

This was reported upstream and fixed in 1.1.1g, to relax this particular
scenario only, to allow it to be accepted as a valid certificate.

More information and a full reproducer is available on the Launchpad bug,
LP #1926254 - "x509 Certificate verification fails when
basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].

[2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254

Due to the nature of the package, can you please review the launchpad bug and
debdiffs I have attached to the launchpad bug, and if everything is okay, can
you write an acknowledgement and approval to a comment on the launchpad bug.

After that I will seek sponsorship to get this submitted for SRU.

I am thinking -updates is okay, no need for -security.

Thanks,
Matthew
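
An added example, not part of the original thread or of the Launchpad reproducer: a small inventory check that flags the basicConstraints combination discussed above (pathlen present while CA is not asserted), so affected certificates can be found before they reach an openssl 1.1.1f host. The function names and the sample bytes are constructed for illustration, and locating the extension by searching for its OID bytes is a heuristic, not a full X.509 parser.

```python
BC_OID = bytes.fromhex("0603551d13")  # DER encoding of OID 2.5.29.19 (basicConstraints)
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def basic_constraints(der):
    """Return (ca, pathlen), or None if no basicConstraints OID is found (heuristic search)."""
    at = der.find(BC_OID)
    if at < 0:
        return None
    tag, val, pos = read_tlv(der, at + len(BC_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("extnValue OCTET STRING expected")
    tag, seq, _ = read_tlv(val, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints SEQUENCE expected")
    ca, pathlen, p = False, None, 0  # cA is DEFAULT FALSE, so DER omits it when false
    while p < len(seq):
        tag, v, p = read_tlv(seq, p)
        if tag == 0x01:
            ca = v != b"\x00"
        elif tag == 0x02:
            pathlen = int.from_bytes(v, "big", signed=True)
    return ca, pathlen

def pathlen_without_ca(der):
    """True for the CA:FALSE + pathlen combination described in the thread."""
    bc = basic_constraints(der)
    return bc is not None and not bc[0] and bc[1] is not None
# Constructed Extension structures for illustration (not from any real certificate).
LEAF_PATHLEN0 = bytes.fromhex("300c0603551d1304053003020100")  # CA:FALSE,pathlen:0
CA_PATHLEN0 = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # critical,CA:TRUE,pathlen:0
PLAIN_LEAF = bytes.fromhex("30090603551d1304023000")  # CA:FALSE, no pathlen
for name, der in (("leaf+pathlen", LEAF_PATHLEN0), ("ca", CA_PATHLEN0), ("leaf", PLAIN_LEAF)):
    print(name, basic_constraints(der), pathlen_without_ca(der))
```

The same functions accept a whole DER-encoded certificate, since the search only needs the extension to appear somewhere in the bytes.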