Lech Sandecki
on 26 October 2023
Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.
A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1.
Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL 1.1.1 for as long as the Ubuntu release is supported, meaning 2025 for Ubuntu 20.04 LTS with standard support. For Ubuntu Pro subscribers, Canonical offers Expanded Security Maintenance (ESM). This means getting at least 10 years of security maintenance for all software bundled in the release, including OpenSSL 1.1.1. This translates to being security maintained and supported until at least 2028 for Ubuntu 18.04 LTS and at least 2030 for Ubuntu 20.04 LTS.
You might be surprised, but this security maintenance and support level for an end-of-life OpenSSL version isn’t unprecedented. Since OpenSSL 1.0.1 and OpenSSL 1.0.2 went end of life in 2016 and 2019, respectively, Ubuntu Pro customers on Ubuntu 14.04 LTS and Ubuntu 16.04 LTS have already received many additional CVE fixes, ensuring a secure and stable environment for their production and mission-critical deployments.
Backporting and testing
Maintaining this level of support is no easy feat. As with most of the software bundled with Ubuntu, the Ubuntu security team cannot simply update to the latest release of OpenSSL.
OpenSSL 3.0 is not backwards-compatible with previous releases, and many thousands of packages included with Ubuntu would need to be modified to work with it. Instead, the security team must take each security fix published by the OpenSSL developers and carefully adapt it to work with the older version of OpenSSL.
Sometimes, the effort required for this step is trivial, but more often than not, it requires rework and adaptation. Once that is done, the next step is to extensively test the update to ensure that it fixes the security issue properly and does not cause any regression to our customers and their infrastructure.
Additional security and compliance features
Ubuntu Pro is much more than OpenSSL security support. This same consistent promise applies to every software package bundled with Ubuntu, many of which are no longer supported by their upstream community. The list includes over 25,000 packages in the Ubuntu Universe repository, including Redis and Python 2.7.
For customers who need to comply with NIST, HIPAA, PCI-DSS and other compliance regimes, Ubuntu Pro also provides streamlined hardening and audit, FIPS compliance, management at scale, kernel livepatch, and optional 24/7 support.
Stay secure and compliant. Learn more at ubuntu.com/pro.