Updating openssl due to security scan

While i'm aware of Canonicals efforts to backport, i would caution that its not always done successfully, and given the nature of the project a single serious security gaff would (and will, when it happens) hurt user confidence.

SSLScan sslscan | grep -i accepted Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA Accepted TLSv1 256 bits DHE-RSA-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA Accepted TLSv1 128 bits DHE-RSA-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA Accepted TLS11 256 bits DHE-RSA-AES256-SHA Accepted TLS11 256 bits AES256-SHA Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA Accepted TLS11 128 bits DHE-RSA-AES128-SHA Accepted TLS11 128 bits AES128-SHA Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384 Accepted TLS12 256 bits DHE-RSA-AES256-SHA256 Accepted TLS12 256 bits DHE-RSA-AES256-SHA Accepted TLS12 256 bits AES256-GCM-SHA384 Accepted TLS12 256 bits AES256-SHA256 Accepted TLS12 256 bits AES256-SHA Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256 Accepted TLS12 128 bits DHE-RSA-AES128-SHA256 Accepted TLS12 128 bits DHE-RSA-AES128-SHA Accepted TLS12 128 bits AES128-GCM-SHA256 Accepted TLS12 128 bits AES128-SHA256 Accepted TLS12 128 bits AES128-SHA This was a remote scan without local auth, locally authenticated scans get confused by snapd, and in our case Nessus won't support the OS distribution since its Arch (needed something thin/binary still using glibc).

updating openssl due to security scan-22

There is experimental support for statically building on OS X, however this should be considered unsupported.You may need to install any dependencies required to compile Open SSL from source on OS X.SSLScan sslscan | grep -i accepted Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA Accepted TLSv1 256 bits DHE-RSA-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA Accepted TLSv1 128 bits DHE-RSA-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA Accepted TLS11 256 bits DHE-RSA-AES256-SHA Accepted TLS11 256 bits AES256-SHA Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA Accepted TLS11 128 bits DHE-RSA-AES128-SHA Accepted TLS11 128 bits AES128-SHA Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384 Accepted TLS12 256 bits DHE-RSA-AES256-SHA256 Accepted TLS12 256 bits DHE-RSA-AES256-SHA Accepted TLS12 256 bits AES256-GCM-SHA384 Accepted TLS12 256 bits AES256-SHA256 Accepted TLS12 256 bits AES256-SHA Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256 Accepted TLS12 128 bits DHE-RSA-AES128-SHA256 Accepted TLS12 128 bits DHE-RSA-AES128-SHA Accepted TLS12 128 bits AES128-GCM-SHA256 Accepted TLS12 128 bits AES128-SHA256 Accepted TLS12 128 bits AES128-SHA That's fair, although such a security gaff would impact Ubuntu itself as well, which would be a big deal. I'm a little nervous about the API issues that may introduce with the other components of the snap, but have not experienced them firsthand.I tend to trust the folks who are paid to keep Ubuntu safe, but my opinion isn't the only one that matters. That's fair, although such a security gaff would impact Ubuntu itself as well, which would be a big deal. I'm a little nervous about the API issues that may introduce with the other components of the snap, but have not experienced them firsthand.As such, while Nessus is right that the upstream version of SSL has those vulnerabilities, none of those CVEs actually apply to the SSL in Ubuntu (Xenial, specifically).

I was told by the security team that some scanners actually tie into the USN database to filter out such results. Indeed, I actually scan daily (although please feel free to log an issue whenever you notice one).

The original home page of sslscan is: Most of the pre-TLS protocol setup was inspired by the Open SSL s_client.c program.

The goal of this fork is to eventually merge with the original project after the STARTTLS setup is polished.

It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested.

The built version of Open SSL will be installed using will still compile (thanks to a patch from digineo/sslscan, based on the debian patch).

CVE: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 ...