Hi Security Team,

VISA opened a case, SF308725 - "openssl unable to process the certificate on
Ubuntu 20.0" [1], about a minor regression in openssl 1.1.1f that affects
both Focal and Groovy.

[1] https://canonical.lightning.force.com/lightning/r/Case/5004K000005pGePQAU/view

A commit was merged in 1.1.1f which disallows certificates that set
"basicConstraints=CA:FALSE,pathlen:0", as it violates the RFC for SSL certs, but
this is a common configuration in certificates in the wild, particularly
self-signed certificates.

This was reported upstream and fixed in 1.1.1g, to relax this particular
scenario only, to allow it to be accepted as a valid certificate.

More information and a full reproducer is available on the Launchpad bug,
LP #1926254 - "x509 Certificate verification fails when
basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs" [2].

[2] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254

Due to the nature of the package, can you please review the Launchpad bug and
the debdiffs I have attached to it, and if everything is okay, write an
acknowledgement and approval in a comment on the Launchpad bug.

After that I will seek sponsorship to get this submitted for SRU.

I am thinking -updates is okay, no need for -security.

Thanks,
Matthew

-- 
Mailing list: https://launchpad.net/~sts-sponsors
Post to     : sts-sponsors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~sts-sponsors
More help   : https://help.launchpad.net/ListHelp
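The check at the centre of this regression is a small one: the basicConstraints extension carries a cA flag and an optional pathLenConstraint, and 1.1.1f began treating any pathLenConstraint on a CA:FALSE certificate as invalid. The following is an added example, not code from the email, the Launchpad bug or OpenSSL itself. It DER-encodes and decodes the extension value, parses the openssl.cnf-style "CA:FALSE,pathlen:0" notation used in the email, and applies the acceptance rule in two modes: the strict 1.1.1f behaviour and the relaxed behaviour the email attributes to 1.1.1g. The function names are mine, and the assumption that 1.1.1g still rejects non-zero pathlen values on CA:FALSE certificates is marked in the code.

```python
"""
Encode, decode and classify the X.509 basicConstraints extension value.
Added example (not from the email, the Launchpad bug or OpenSSL sources).

    BasicConstraints ::= SEQUENCE {
        cA                 BOOLEAN DEFAULT FALSE,
        pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
"""
from typing import Optional, Tuple


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form (0x80 | byte count) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_basic_constraints(ca: bool, pathlen: Optional[int]) -> bytes:
    """DER-encode a basicConstraints value, e.g. what an openssl config line
    'basicConstraints=CA:FALSE,pathlen:0' ends up putting in the certificate."""
    body = b""
    if ca:  # DER omits DEFAULT values, so cA=FALSE is never written out
        body += b"\x01\x01\xff"
    if pathlen is not None:
        if pathlen < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        # Minimal two's-complement INTEGER: add a leading 0x00 if the top bit is set.
        n = pathlen.to_bytes(max(1, (pathlen.bit_length() + 8) // 8), "big")
        body += b"\x02" + _der_len(len(n)) + n
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Parse a DER basicConstraints value into (ca, pathlen)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    ca, pathlen, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:
        _, val, pos = _read_tlv(body, pos)
        if val != b"\xff":  # DER BOOLEAN TRUE is exactly 0xFF; FALSE is never encoded
            raise ValueError("non-DER BOOLEAN in basicConstraints")
        ca = True
    if pos < len(body) and body[pos] == 0x02:
        _, val, pos = _read_tlv(body, pos)
        # Signed decode so a malformed negative pathlen is visible to the policy.
        pathlen = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing data in basicConstraints")
    return ca, pathlen


def parse_config_value(text: str) -> Tuple[bool, Optional[int]]:
    """Parse the openssl.cnf-style value, e.g. 'CA:FALSE,pathlen:0'."""
    ca, pathlen = False, None
    for part in text.split(","):
        key, _, val = part.strip().partition(":")
        if key.upper() == "CA":
            ca = val.strip().upper() == "TRUE"
        elif key.lower() == "pathlen":
            pathlen = int(val)
        else:
            raise ValueError("unknown basicConstraints field: %r" % key)
    return ca, pathlen


def is_acceptable(ca: bool, pathlen: Optional[int], relaxed: bool) -> bool:
    """Acceptance rule for the cA/pathLen combination.

    relaxed=False models the 1.1.1f behaviour the email describes: any
    pathLenConstraint on a CA:FALSE certificate makes it invalid.
    relaxed=True models the 1.1.1g fix as the email describes it: the single
    case CA:FALSE,pathlen:0 is tolerated. Assumption: a non-zero pathlen on a
    CA:FALSE certificate is still rejected in relaxed mode.
    """
    if pathlen is None:
        return True
    if pathlen < 0:
        return False
    if ca:
        return True
    return relaxed and pathlen == 0


if __name__ == "__main__":
    # Constructed sample: the exact value from the bug title.
    ca, pathlen = parse_config_value("CA:FALSE,pathlen:0")
    der = encode_basic_constraints(ca, pathlen)
    print("DER:", der.hex(), "decoded:", decode_basic_constraints(der))
    print("1.1.1f accepts:", is_acceptable(ca, pathlen, relaxed=False))
    print("1.1.1g accepts:", is_acceptable(ca, pathlen, relaxed=True))
```

Run it as a script to see the DER bytes (3003020100) for the bug's configuration and the two verdicts side by side; `decode_basic_constraints` can also be pointed at the raw extension value pulled out of any certificate you are triaging.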
