Merge openssl 1.1.1 from debian unstable.
OpenSSL 1.1.1 is now out, with TLS1.3 support, and is the new upstream LTS release.
Resulting in the following changes in Ubuntu:
- openssl moves from 1.1.0 series to 1.1.1 LTS series
- TLS1.3 is enabled, and used by default, when possible. Major feature.
- All existing delta, and minimally accepted key sizes, and minimally accepted protocol versions remain the same.
Proposed package is in https://launchpad.net/~xnox/+archive/ubuntu/openssl with a rebuild of all the reverse dependencies. It demonstrates that openssl compiled as above is more compatible and has less issues than debian config. There are a few FTBFS, which are also present in cosmic-release; there are some test-suite expectations mismatch (connectivity succeeds with tls1.3 even though lower/different algos are expected); there are very little connectivity tests thus connectivity interop are the biggest issues which will be unavoidable with introducing 1.3.
===
Ubuntu delta summary versus debian unstable in this merge:
- Replace duplicate files in the doc directory with symlinks.
- debian/libssl1.1.postinst:
+ Display a system restart required notification on libssl1.1
upgrade on servers.
+ Use a different priority for libssl1.1/restart-services depending
on whether a desktop, or server dist-upgrade is being performed.
- Revert "Enable system default config to enforce TLS1.2 as a
minimum" & "Increase default security level from 1 to 2".
- Further decrease security level from 1 to 0, for compatibility with
openssl 1.0.2.
These mitigate most of the runtime incompatibilities, and ensure client<->server compatibility between 1.1.1, 1.1.0, and 1.0.2 series and thus one can continue to mix & match xenial/bionic/cosmic releases.
Big ACK from the security team. We would like to see this backported into bionic at some point and having it in cosmic first would allow us to identify and fix any issues.