Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.

Lech Sandecki

on 26 October 2023

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1.

Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL 1.1.1 for as long as the Ubuntu release is supported, meaning 2025 for Ubuntu 20.04 LTS with standard support. For Ubuntu Pro subscribers, Canonical offers Expanded Security Maintenance (ESM). This means getting at least 10 years of security maintenance for all software bundled in the release, including OpenSSL 1.1.1. This translates to being security maintained and supported until at least 2028 for Ubuntu 18.04 LTS and at least 2030 for Ubuntu 20.04 LTS.

You might be surprised, but this security maintenance and support level for an end-of-life OpenSSL version isn’t unprecedented. Since OpenSSL 1.0.1 and OpenSSL 1.0.2 went end of life in 2016 and 2019, respectively, Ubuntu Pro customers on Ubuntu 14.04 LTS and Ubuntu 16.04 LTS have already received many additional CVE fixes, ensuring a secure and stable environment for their production and mission-critical deployments.

Backporting and testing

Maintaining this level of support is no easy feat. As with most of the software bundled with Ubuntu, the Ubuntu security team cannot simply update to the latest release of OpenSSL.

OpenSSL 3.0 is not backwards-compatible with previous releases, and many thousands of packages included with Ubuntu would need to be modified to work with it. Instead, the security team must take each security fix published by the OpenSSL developers and carefully adapt it to work with the older version of OpenSSL.

Sometimes, the effort required for this step is trivial, but more often than not, it requires rework and adaptation. Once that is done, the next step is to extensively test the update to ensure that it fixes the security issue properly and does not cause any regression to our customers and their infrastructure.

Additional security and compliance features 

Ubuntu Pro is much more than OpenSSL security support. This same consistent promise applies to every software package bundled with Ubuntu, many of which are no longer supported by their upstream community. The list includes over 25,000 packages in the Ubuntu Universe repository, including Redis and Python 2.7. 

For customers who need to comply with NIST, HIPAA, PCI-DSS and other compliance regimes, Ubuntu Pro also provides streamlined hardening and audit, FIPS compliance, management at scale, kernel livepatch, and optional 24/7 support.

Stay secure and compliant. Learn more at ubuntu.com/pro.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

How Canonical enables PCI-DSS compliance

Anyone who deals with online payments will have heard of PCI-DSS. The Payment Card Industry Data Security Standard is a comprehensive security control...

How Ubuntu keeps you secure with KEV prioritisation

The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a...

Ubuntu Explained: How to ensure security and stability in cloud instances—part 3

Applying updates across a fleet of multiple Ubuntu instances is a balance of security and service uptime. We explore best practices to maximise stability.