20.04 LTS and OpenSSL 1.1.1 EOL

Asked by Peter Sangas

Since the end of standard support for Ubuntu 20.04 will expire in April 2025 and with OpenSSL 1.1.1 EOL occurring very soon (Sept 2023), should I expect the Ubuntu package manager and the core OS to eventually automatically update OpenSSL from the current version (1.1.1f) to the updated 3.1.0? With openssl being so integral to the various packages, this is a big question and I'm uncertain how to proceed.

For: Ubuntu openssl
Status: Answered
#1 Bryce June (brycejune1) said:

Dear Peter,

The Ubuntu package manager, along with the core OS, is designed to provide security updates and bug fixes to the installed packages, including OpenSSL. As the end of standard support for Ubuntu 20.04 is set for April 2025, you can expect the package manager to release updates for OpenSSL to address security vulnerabilities and ensure the stability of the system.

Hope this will work for you!

Best regards,
Bryce June

#3 Peter Sangas (focal-curious) said:

Thank you both for your responses. I'm aware that OpenSSL v1.1.1 will be end of life in Sept 2023, but that an option to purchase a premium support contract will extend support (i.e. ongoing access to security fixes) for 1.1.1 beyond its public EOL date.

I am also aware that Ubuntu 20.04 LTS will receive standard support through April 2025, providing package manager updates for OpenSSL.

What I am NOT clear on is whether Ubuntu will proceed to pay for the security fixes for the OpenSSL 1.1.1 version branch and distribute them via package manager or whether Ubuntu will utilize package manager to deploy v3.1 (the v3 branch). Can someone please help me understand what to expect? THANKS!

#4 Bernard Stafford (bernard010) said:

I suggest upgrading Ubuntu 20.04 to 22.04.
https://ubuntu.com/tutorials/upgrading-ubuntu-desktop#1-before-you-start

openssl for 22.04 is currently at 3.0.2:
https://packages.ubuntu.com/jammy/openssl

This would satisfy both EOL issues.

#5 Peter Sangas (focal-curious) said (last edit):

-- I understand from the responses that Ubuntu 20.04 will continue to be supported through April 2025
-- I understand that the OpenSSL 1.1.1 branch will be EOL in Sept 2023
-- I understand that upgrading from Ubuntu 20.04 to 22.04 will upgrade my openssl to 3.0.2
>>> What I do NOT understand is what will happen if I continue to run Ubuntu 20.04 after Sept 2023. Will Ubuntu provide the security patches needed for the 1.1.1 branch? Will Ubuntu upgrade the OpenSSL package from the 1.1.1 branch to the v3 branch? I would greatly appreciate a response explicitly detailing what to expect.

#6 Manfred Hampl (m-hampl) said:

If I look at a small snippet from the discussion of the openssl transition for Ubuntu 22.04, https://discourse.ubuntu.com/t/openssl-3-0-transition-plans/24453, then I rate it very unlikely that the same exercise, with all its problems, will also be done for Ubuntu 20.04.

My expectation is that Ubuntu will keep openssl 1.1.1 in Ubuntu 20.04 and will provide updated (sub-)versions with patches whenever necessary (1.1.1f-1ubuntu2.19 followed by 1.1.1f-1ubuntu2.20, -21, -22 and so on).

Whoever does not want to stay on openssl 1.1.1 should do a release upgrade to Ubuntu 22.04 (or higher).

#7 Joep Seuren (jseuren) said:

Is there more clarification regarding how openssl 1.1.1 will be supported after upstream EOL? I've looked for an official statement on the patching strategy, but there doesn't seem to be any clarity on this from an official source, apart from the speculations above.
Will Ubuntu develop their own security updates outside of openssl ESM? Will Ubuntu pay for ESM and port changes? Move to 3.0? I hope we can get some answers on this to ease our minds or to instigate some precautionary actions on the user end. Thank you.

#8 Seth Arnold (seth-arnold) said:

Hello Joep, Peter,

There are no plans to offer OpenSSL 3 in Focal or previous versions. Porting applications to OpenSSL 3 is significant effort and brings significant risk of regressions.

We currently have no plans to buy upstream OpenSSL extended support and redistribute their work. (I think there are several good reasons to try this, most importantly to support the upstream community; however, this would be entirely new territory for us. It'd involve a lot of work from a lot of people to make this happen, and we might never break even on the costs involved, so I don't think it's likely. But it would feel good.)

We plan to release security updates for OpenSSL that we backport ourselves, just as we've always done for previous versions of OpenSSL, and for thousands of other packages where our versions no longer receive security support from their upstream communities. As issues are discovered in new versions, we investigate each issue to decide if our older versions are affected and what priority we should assign to the issue, backport fixes as appropriate, test, and weigh the decision to release fixes against the regression potential.

Of course, if you would rather be using an OpenSSL version that is derived from a version with ongoing upstream OpenSSL support, Bernard and Manfred have good advice: upgrade to Jammy. (Ask your application vendors if your applications are ready for Python 3, OpenSSL 3, etc., first. You, or they, may not be ready for one of the necessary transitions, but time grinds on in an unforgiving and cruel fashion. It would also be a good time to ask your vendors about their post-quantum plans.)

Thanks
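A defender's check that follows from Manfred's description of the revision scheme (#6) and Seth's description of self-backported fixes (#8), added here and not part of the thread: because the upstream version string stays 1.1.1f while fixes land in new Ubuntu revisions, the way to tell whether a given CVE is addressed on Focal is to read the package changelog (`apt changelog openssl`) rather than the output of `openssl version`. The changelog excerpt and CVE ids below are constructed placeholders, not real entries.

```shell
#!/bin/sh
# Added example: map a CVE id to the first Ubuntu package revision whose
# changelog entry mentions it, then compare against the installed version.
# The upstream version (1.1.1f) never changes; only the -1ubuntu2.N part does.

# Constructed Debian-format changelog excerpt (placeholder CVE ids, not real).
CHANGELOG='openssl (1.1.1f-1ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example entry
    - CVE-0000-00002

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

openssl (1.1.1f-1ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example entry
    - CVE-0000-00001

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
'

# Print the oldest package version whose changelog entry mentions the CVE
# (entries are newest-first, so the last match wins). Exit 1 if never mentioned.
fixed_in_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^openssl \(/ { v=$2; sub(/^\(/, "", v); sub(/\)$/, "", v) }
        v != "" && $0 ~ ("(^|[^0-9A-Za-z])" cve "([^0-9]|$)") { fixver=v }
        END { if (fixver == "") exit 1; print fixver }'
}

# Is $1 >= $2 in package-version order? dpkg is authoritative when present;
# the fallback compares only the trailing revision number, which suffices for
# a single series such as 1.1.1f-1ubuntu2.N but not across upstream versions.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "${1##*.}" -ge "${2##*.}" ]
    fi
}

# Print fixed / vulnerable / unknown for an installed version and a CVE id.
# On a real host: status_for "$(dpkg-query -W -f '${Version}' libssl1.1)" CVE-...
status_for() {
    fix=$(fixed_in_version "$CHANGELOG" "$2") || { echo unknown; return 0; }
    if version_ge "$1" "$fix"; then echo fixed; else echo vulnerable; fi
}
```

An "unknown" result means the changelog does not mention the CVE at all, which could be either "not affected" or "not yet fixed"; the Ubuntu CVE tracker, not the changelog, resolves that distinction.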

#9 Seth Arnold (seth-arnold) said:

The same applies to Bionic: we're not intending to upgrade OpenSSL wholesale, and we'll continue backporting fixes as appropriate.

Thanks

#10 Seth Arnold (seth-arnold) said:

We have now published a blog post in case your organization would rather have something more formal-looking than Launchpad Answers:

https://canonical.com/blog/running-openssl-1-1-1-after-eol-with-ubuntu-pro

Thanks
