oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

OpenSSL downgrade testing #1563

Closed oerdnj closed 3 years ago

oerdnj commented 3 years ago

This is a placeholder bug to discuss the testing of enforced OpenSSL downgrade to the distribution version.

Here are the more specific instructions:

Ubuntu

  1. install your PHP environment as close to production as possible
  2. add-apt-repository ppa:ondrej/php-qa
  3. apt update && apt -y dist-upgrade && apt -y dist-upgrade # the last command should downgrade openssl packages
  4. apt-cache policy libssl1.1

Debian

  1. install your PHP environment as close to production as possible
  2. curl -sSL https://packages.sury.org/php-qa/README.txt | bash -x
  3. apt update && apt -y dist-upgrade && apt -y dist-upgrade # the last command should downgrade openssl packages
  4. apt-cache policy libssl1.1
oerdnj commented 3 years ago

> That's not only this dependency. There are more.

I really don't know what you are trying to say. Yes, there are dependencies on libssl1.1; that's normal and expected.

And if you don't downgrade, the next time there's a security update for OpenSSL you won't get it unless you downgrade the package to the distribution-provided version.

FuelKubitox commented 3 years ago

I'm just confused. I would expect an update to a newer version instead of a downgrade. I saw that there is a package libssl3. Isn't it ready to be stable? I'm not very experienced with it, but when a package reaches its end of life, normally there is another version that takes its place. I never saw that we need to downgrade to an older version just because it has long term service. It just feels a bit strange to me, especially when it's something that has to do with security things like SSL. Or what is the reason to downgrade? I just read that Debian 9 Stretch LTS is reaching end of life.

Another thing I don't get: is that information official? At first I thought I got that message only because I use your repository deb.sury.org. And this repository I needed to import explicitly to get the php7.4 updates, and it seems not to be part of the official repositories.

Maybe you understand my confusion. I just feel a bit insecure about this and don't know what to expect when I just use apt dist-upgrade.

oerdnj commented 3 years ago

> Another thing I don't get: is that information official?

This is official information for deb.sury.org repositories. I stopped providing custom OpenSSL packages and prepared a path to safely downgrade to the OpenSSL packages provided by the distributions.

FuelKubitox commented 3 years ago

Ohhh.... then after I added your repository and updated/installed everything, apt installed an openssl package that you provided? I didn't notice that recently. And the official package from Debian is libssl1.0? Ok, now I understand. Sorry then, I just tried to understand everything.

Update: I saw that libssl1.1 is also delivered by Debian itself at the moment.

DevSysEngineer commented 3 years ago

This version will break TLS 1.3 on Debian 9 servers.

```
apt policy libssl1.1
libssl1.1:
  Installed: 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0
  Candidate: 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0
  Version table:
 *** 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.0l-1~deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     1.1.0l-1~deb9u1 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
```

TLS 1.3 was added in OpenSSL 1.1.1; after updating the package it will downgrade to 1.1.0l. Debian 9 is not EOL and is still getting updates, so I am a little bit confused why you are removing the newer, safer and better version of OpenSSL for old OSes?

oerdnj commented 3 years ago

> This version will break TLS 1.3 on Debian 9 servers.

Yes, and I am saying that in the post.

> Why are you removing the newer, safer and better version of OpenSSL for old OSes?

Because I don't want to maintain OpenSSL in the base set of packages. The distributions have teams to watch for security updates, and having a custom copy of OpenSSL is an unnecessary responsibility.

FuelKubitox commented 3 years ago

Ok, I made the apt dist-upgrade now on my Debian 10 buster system and everything seems ok.

```
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be DOWNGRADED:
  libssl-dev libssl1.1 openssl
0 upgraded, 0 newly installed, 3 downgraded, 0 to remove and 0 not upgraded.
Need to get 4,176 kB of archives.
After this operation, 59.4 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security buster/updates/main amd64 libssl-dev amd64 1.1.1d-0+deb10u5 [1,794 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 libssl1.1 amd64 1.1.1d-0+deb10u5 [1,539 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 openssl amd64 1.1.1d-0+deb10u5 [844 kB]
Fetched 4,176 kB in 0s (28.3 MB/s)
Preconfiguring packages ...
dpkg: warning: downgrading libssl-dev:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
(Reading database ... 54149 files and directories currently installed.)
Preparing to unpack .../libssl-dev_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl-dev:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../libssl1.1_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
dpkg: warning: downgrading openssl from 1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0 to 1.1.1d-0+deb10u5
Preparing to unpack .../openssl_1.1.1d-0+deb10u5_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u5) over (1.1.1j-1+0~20210301.25+debian10~1.gbp2578a0) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u5) ...
Setting up libssl-dev:amd64 (1.1.1d-0+deb10u5) ...
Setting up openssl (1.1.1d-0+deb10u5) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
```

> TLS 1.3 was added in OpenSSL 1.1.1; after updating the package it will downgrade to 1.1.0l. Debian 9 is not EOL and is still getting updates, so I am a little bit confused why you are removing the newer, safer and better version of OpenSSL for old OSes?

Debian 9 reaches its end of life in January 2022. If you are still using it, you maybe have the chance to upgrade to bullseye later. But for now maybe just avoid the downgrade then. Or build it manually.

DevSysEngineer commented 3 years ago

> Debian 9 reaches its end of life in January 2022

I know, but upgrading is not as easy as that. I still have some time until January 2022.

> Because I don't want to maintain OpenSSL in the base set of packages. The distributions have teams to watch for security updates, and having a custom copy of OpenSSL is an unnecessary responsibility.

But TLS 1.3 increases safety. In these times privacy is very important, and the higher the TLS version, the more secure the connection is. I really agree that new OSes don't need custom packages, but old OSes that are stuck on version 1.1.0 really want a better and safer version. This step will decrease TLS 1.3 adoption..

oerdnj commented 3 years ago

> I know, but upgrading is not as easy as that. I still have some time until January 2022.

That's your cost and your decision to make. Not shipping OpenSSL 1.1.1 for Debian 9 Stretch was my decision, as that was a cost that I no longer want to carry, as the benefit now no longer outweighs the risks.

FuelKubitox commented 3 years ago

> I know, but upgrading is not as easy as that. I still have some time until January 2022.

Depending on which and how many services you are running, an upgrade can be awful. I was in that situation too. Sometimes I wish Debian would have a rolling release system, but only with stable packages. But that is very hard because of the major changes sometimes.

Maybe try to upgrade as early as you can and don't do it in the last seconds.

DevSysEngineer commented 3 years ago

> Depending on which and how many services you are running, an upgrade can be awful. I was in that situation too. Sometimes I wish Debian would have a rolling release system, but only with stable packages. But that is very hard because of the major changes sometimes.
>
> Maybe try to upgrade as early as you can and don't do it in the last seconds.

In the real world, upgrading servers that are running in a production environment is a little bit difficult, specifically when software is compiled for Debian 9. Personally, I am concerned that the creator of Sury does not consider privacy as important and that a lot of servers can no longer use TLS 1.3.

oerdnj commented 3 years ago

> Personally, I am concerned that the creator of Sury does not consider privacy as important and that a lot of servers can no longer use TLS 1.3.

This kind of behavior is not welcome here. This is the last warning.

oerdnj commented 3 years ago

Here's the list of logical fallacies for the reference: https://owl.purdue.edu/owl/general_writing/academic_writing/logic_in_argumentative_writing/fallacies.html

Don't use them in any discussion; it's just rude and it will not help you prove your point.

stathis commented 3 years ago

@oerdnj Having your openssl version was very convenient for test systems. Any plans on creating a repo just for that?

oerdnj commented 3 years ago

> Any plans on creating a repo just for that?

Not really, but here's the repository with extra patches needed for the backport: https://salsa.debian.org/ondrej/openssl

git-buildpackage can be used to build the packages.

Note: I am not going to update the repository for new OpenSSL versions.

Dubbeldrank commented 3 years ago

I do have a problem with this change: I use your PHP repository and I use another one which gives me the latest OpenSSL. The problem I have with it is that it also downgrades the version I was running from the other repository.

It basically comes down to this:

```
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1j-5myguard2~buster to 1.1.1d-0+deb10u5
dpkg: warning: downgrading openssl from 1.1.1j-5myguard2~buster to 1.1.1d-0+deb10u5
```

I'm fine with your decision, but I'm not fine with your solution, which downgrades packages from other repositories.

oerdnj commented 3 years ago

@Dubbeldrank for your specific case, just delete the php-common.pref file, it won't get reinstalled.

Dubbeldrank commented 3 years ago

> @Dubbeldrank for your specific case, just delete the php-common.pref file, it won't get reinstalled.

Thanks for your quick response!

oerdnj commented 3 years ago

Any other solution I came up with either didn't work or would be even more intrusive and fragile at the same time, as it would enforce an exact version to be installed. The custom apt_preferences file is easy to override or reconfigure.

oerdnj commented 3 years ago

Also, if you want to prevent the file from even being installed in the first place, just put an empty file there before the upgrade; the standard Debian conffile handling mechanism will kick in and ask you whether you want to use the local or the maintainer file.

But as this needs apt upgrade and then apt dist-upgrade, you can delete the file just after php-common (or apache2-data or nginx-common) gets upgraded.

stathis commented 3 years ago

@oerdnj Thanks. I will be using this repo in the meanwhile for my tests: https://launchpad.net/~savoury1/+archive/ubuntu/backports

oerdnj commented 3 years ago

Well, definitely use apt pinning to just cherry-pick what you need; it's quite a huge pile of packages...

gurumelo commented 3 years ago

After downgrade:

```
  File "/usr/local/lib/python3.8/ssl.py", line 98, in <module>
    import _ssl             # if we can't import it, let the error propagate
ImportError: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /usr/local/lib/python3.8/lib-dynload/_ssl.cpython-38-x86_64-linux-gnu.so)
```

oerdnj commented 3 years ago

@gurumelo pip3 install --force-reinstall ssl?

gurumelo commented 3 years ago

```
pip3 install --force-reinstall ssl
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
Could not fetch URL https://pypi.org/simple/ssl/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/ssl/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
```

After downgrade:

```
/usr/lib/x86_64-linux-gnu$ ls libssl*
libssl3.so       libssl.so        libssl.so.1.0.2
libssl.a         libssl.so.1.0.0  libssl.so.1.1
```

oerdnj commented 3 years ago

Then remove the module (pip3 uninstall ssl) and install it again if you really need it instead of the packaged version. But you should not need it at all in python3.

realizelol commented 3 years ago

I don't get it, what's the reason for downgrading openssl 1.1.1j to openssl 1.1.1f (Ubuntu focal 20.04)?

best regards realizelol

morph027 commented 3 years ago

> I don't get it, what's the reason for downgrading openssl 1.1.1j to openssl 1.1.1f (Ubuntu focal 20.04)?
>
> best regards realizelol

https://www.patreon.com/posts/enforced-openssl-48703169

gurumelo commented 3 years ago

> Then remove the module (pip3 uninstall ssl) and install it again if you really need it instead of the packaged version. But you should not need it at all in python3.

Thanks @oerdnj. I had this problem on jailkit; I recompiled python3.8 and used jk_cp to renew /usr/local/lib/python3.8 in the jail.

oerdnj commented 3 years ago

@gurumelo Oh, ok, so it wasn't pip3 module, but full python3.8? Then it makes sense now.

gurumelo commented 3 years ago

> @gurumelo Oh, ok, so it wasn't pip3 module, but full python3.8? Then it makes sense now.

Yes, I think so.

realizelol commented 3 years ago

> I don't get it, what's the reason for downgrading openssl 1.1.1j to openssl 1.1.1f (Ubuntu focal 20.04)? best regards realizelol

> https://www.patreon.com/posts/enforced-openssl-48703169

Ty @morph027.

So oerdnj doesn't want to build these packages anymore? (not even, for example, for security reasons?)

Changelog:

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
  - Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841)
  - Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
  - Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840)
  - Fixed SRP_Calc_client_key so that it runs in constant time

Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
  - Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
  - Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
  - Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts
  - Oracle Developer Studio will start reporting deprecation warnings

Or are the apache/nginx developers and the Linux distributors communicating much more, so that nginx and apache will always have the "feature richest" (but not the most secure) version of OpenSSL?

I've never had any issues with the maintained package by oerdnj.

best regards realizelol

oerdnj commented 3 years ago

The OpenSSL package provided by the distribution does have all the security fixes.

oerdnj commented 3 years ago

> I've never had any issues with the maintained package by oerdnj.

If there's a security issue in PHP and I fail to update the package in time, it affects only PHP.

But if there's a security issue in OpenSSL and I fail to update the package in time, it affects pretty much everything that's exposed to the network. The security vulnerabilities in OpenSSL are also much lower in the networking stack.

realizelol commented 3 years ago

> The OpenSSL package provided by the distribution does have all the security fixes.

&

> > I've never had any issues with the maintained package by oerdnj.
>
> If there's a security issue in PHP and I fail to update the package in time, it affects only PHP.
>
> But if there's a security issue in OpenSSL and I fail to update the package in time, it affects pretty much everything that's exposed to the network. The security vulnerabilities in OpenSSL are also much lower in the networking stack.

Thank you! Downgrade in process: `apt update && apt full-upgrade --allow-downgrades -y && reboot`

Successful :P

best regards realizelol

LtSich commented 3 years ago

Hi, I had to downgrade this morning and now (at least on one deb9 server) I get this error each time I try to do anything with php-cli:

```
PHP Warning:  PHP Startup: Unable to load dynamic library 'curl.so' (tried: /usr/lib/php/20180731/curl.so (/usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /usr/local/lib/libcurl.so.4)), /usr/lib/php/20180731/curl.so.so (/usr/lib/php/20180731/curl.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
```

Apparently PHP doesn't like that downgrade. Any idea on how I can fix that?

oerdnj commented 3 years ago

> Apparently PHP doesn't like that downgrade.

No.

> /usr/local/lib/libcurl.so.4

This ^^^

LtSich commented 3 years ago

Yeah, I understand that there is something wrong with curl, but this was working fine before the downgrade... The other servers on deb9 are working fine... And I don't see atm how to fix that... I have tried to reinstall curl and php-curl; that doesn't help at all...

oerdnj commented 3 years ago

I can't teach you the basics of system administration here. You should not compile and install your own libraries if you don't understand the basic concepts.

LtSich commented 3 years ago

Yeah sorry, I had forgotten that this server uses a custom curl lib... I have removed that and fixed the issue. Sorry, I should have taken more time to search before posting here, but Sunday morning... Didn't really want to search honestly...

oerdnj commented 3 years ago

There will be no further updates to OpenSSL packages from DEB.SURY.ORG. Please make sure that you are using OpenSSL packages provided by your distribution before 25 March 2021.

> The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1k.
>
> This release will be made available on Thursday 25th March 2021 between 1300-1700 UTC.
>
> OpenSSL 1.1.1k is a security-fix release. The highest severity issue fixed in this release is HIGH: https://www.openssl.org/policies/secpolicy.html#high
>
> Yours
>
> The OpenSSL Project Team

oerdnj commented 3 years ago

> There will be no further updates to OpenSSL packages from DEB.SURY.ORG.

With the teeny tiny exception of Ubuntu 16.04 LTS, where no update would mean leaving existing users vulnerable because it's not possible to downgrade there. That said, I am reminding you again that rather than relying on this, you should rather upgrade to Ubuntu 20.04 (via 18.04).

teutat3s commented 3 years ago

One note regarding the news section:

> Debian 9 Stretch LTS will reach end-of-line in June 2022 and it is using OpenSSL 1.1.0 (which just means TLS 1.3).

Maybe I've spotted a typo, because OpenSSL 1.1.0 on stretch means TLS 1.2 AFAIK (confirmed during my current testing while wondering/debugging why TLSv1.3 stopped working with nginx on Debian stretch).

DevSysEngineer commented 3 years ago

> One note regarding the news section:
>
> > Debian 9 Stretch LTS will reach end-of-line in June 2022 and it is using OpenSSL 1.1.0 (which just means TLS 1.3).
>
> Maybe I've spotted a typo, because OpenSSL 1.1.0 on stretch means TLS 1.2 AFAIK (confirmed during my current testing while wondering/debugging why TLSv1.3 stopped working with nginx on Debian stretch).

TLSv1.3 is not supported in the default OpenSSL version of Debian 9. After installing the downgrade you will lose this feature.

MatthiasKuehneEllerhold commented 3 years ago

Small problem I've encountered: some servers have the Debian testing repository enabled but with a very low priority (10). We want specific packages from there but not everything. Updating (well, downgrading) openssl on these servers leads to the installation of the "testing" version instead of the stable version.

```
# apt-cache policy openssl
openssl:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1j-1
  Version table:
     1.1.1j-1 1000
         10 http://debian.inf.tu-dresden.de/debian testing/main amd64 Packages
 *** 1.1.1d-0+deb10u5 1000
        500 http://security.debian.org buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u4 1000
        500 http://debian.inf.tu-dresden.de/debian buster/main amd64 Packages
```

apt-cache policy reveals that /etc/apt/preferences.d/php-common.pref is responsible for the priority of 1000.

Commenting out lines 409-411 (Debian bullseye) fixes this problem!

Everything above also affects libssl1.1.

For me it seems like we'd need a different pref file for each distribution (stretch, buster, bullseye, Ubuntu variants, ...) that each just pins the packages for its distribution, instead of one file to rule them all?

In the meantime: can we delete the .pref file after the downgrade? What's your policy for it? Will you delete it with the next version?
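A small checker for step 4 of the instructions at the top of this issue (`apt-cache policy libssl1.1`) and for the pinning problem just described, added here as an example and not part of the deb.sury.org packaging: it reads `apt-cache policy` output and reports whether the installed package comes from the distribution archive, from a third-party repository, or is only known from dpkg's status file, plus the pin priority in effect and whether the candidate differs from the installed version (the testing-repo case above). The list of distribution mirror hosts and the three sample outputs (reconstructed from the ones posted in this thread) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the deb.sury.org packaging): classify where the
# installed openssl/libssl1.1 package comes from, using `apt-cache policy` text.
#
# Output is one line: "<origin> <pin> <state>"
#   origin: distribution | third-party | orphaned | unknown
#   pin:    priority shown on the "***" (installed) line; 1000 means an
#           apt_preferences pin such as php-common.pref is in effect
#   state:  settled if Installed == Candidate, otherwise candidate=<version>
#           (a differing candidate means the next upgrade replaces the package)

# Assumption: these hosts are "the distribution"; extend for your own mirror.
# Bracketed dots avoid awk's backslash escape processing of -v values.
DISTRO_HOSTS='deb[.]debian[.]org|security[.]debian[.]org|[a-z]+[.]archive[.]ubuntu[.]com|archive[.]ubuntu[.]com|security[.]ubuntu[.]com|debian[.]inf[.]tu-dresden[.]de'

classify_policy() {
    awk -v hosts="$DISTRO_HOSTS" '
        /^ +Installed: / { inst_v = $2 }
        /^ +Candidate: / { cand_v = $2 }
        /^ *\*\*\* /     { in_block = 1; pin = $3; next }   # installed version line
        in_block && /^ +[0-9]+ / {                          # a source line below it
            src = $2
            if (src == "/var/lib/dpkg/status") { status = 1 }
            else if (src ~ ("^https?://(" hosts ")(/|$)")) { distro = 1 }
            else { other = 1 }
            next
        }
        in_block && /^ +[^ ]/ { in_block = 0 }              # next version ends block
        END {
            # A distribution source wins: that is what security updates track.
            if (distro)      { origin = "distribution" }
            else if (other)  { origin = "third-party" }
            else if (status) { origin = "orphaned" }
            else             { origin = "unknown" }
            state = (inst_v == cand_v) ? "settled" : ("candidate=" cand_v)
            printf "%s %s %s\n", origin, pin, state
        }'
}

# Live check on a Debian/Ubuntu host, e.g.: check_pkg libssl1.1
check_pkg() {
    apt-cache policy "$1" | classify_policy
}

# Constructed samples, reconstructed from outputs posted in this thread.
SAMPLE_STRETCH='libssl1.1:
  Installed: 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0
  Candidate: 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0
  Version table:
 *** 1.1.1j-1+0~20210301.27+debian9~1.gbp2578a0 100
        100 /var/lib/dpkg/status
     1.1.0l-1~deb9u3 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     1.1.0l-1~deb9u1 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages'

SAMPLE_XENIAL='libssl1.1:
  Installed: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Candidate: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Version table:
 *** 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status'

SAMPLE_BUSTER_TESTING='openssl:
  Installed: 1.1.1d-0+deb10u5
  Candidate: 1.1.1j-1
  Version table:
     1.1.1j-1 1000
         10 http://debian.inf.tu-dresden.de/debian testing/main amd64 Packages
 *** 1.1.1d-0+deb10u5 1000
        500 http://security.debian.org buster/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1d-0+deb10u4 1000
        500 http://debian.inf.tu-dresden.de/debian buster/main amd64 Packages'

for s in "$SAMPLE_STRETCH" "$SAMPLE_XENIAL" "$SAMPLE_BUSTER_TESTING"; do
    printf '%s\n' "$s" | classify_policy
done
```

On a real host run `check_pkg libssl1.1` (and `check_pkg openssl`); "orphaned" is the Debian 9 situation where the deb.sury.org build is installed but no longer served by any repository, and a candidate different from the installed version with pin 1000 is the testing-repo trap described above.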

MatthiasKuehneEllerhold commented 3 years ago

Another solution (at least for us): rename our /etc/apt/preferences.d/testing.pref to /etc/apt/preferences.d/99-testing.pref so it gets evaluated after your php-common.pref. Maybe you could rename yours to 00-php-common.pref to ensure it gets evaluated first before every other .pref file?

Ignore this, sorry - it does not work despite being advertised in the Debian wiki.

Turns out we don't need the testing packages anymore, and I've disabled the testing repo and manually downgraded the packages to 1.1.1d. So there's no problem for us, but maybe others are in a similar situation to the one we were in?

oerdnj commented 3 years ago

> In the meantime: can we delete the .pref file after the downgrade? What's your policy for it? Will you delete it with the next version?

Yes, it will get deleted after a reasonable amount of time has passed - I was thinking of giving it time after Ubuntu Xenial is gone at the end of April (e.g. remove the pref file in the May update batch).

oerdnj commented 3 years ago

> For me, it seems like we'd need a different pref file for each distribution (stretch, buster, bullseye, Ubuntu variants, ...) that each just pins the packages for its distribution, instead of one file to rule them all?

I was thinking about it, but I was afraid that people might have a bit of a mix of distributions, leaving them with a vulnerable version because the rules wouldn't apply.

Basically, if you know how to add testing on top of stable with a custom preferences file, you are in a better position to solve any problems that arise than folks with a mix&match distribution based on something they have read on the Internet.

user67x commented 3 years ago

Hello,

It seems I can not downgrade:

```
# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Candidate: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Version table:
 *** 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

# add-apt-repository ppa:ondrej/php-qa
 This is area for experimenting with future releases of PHP and future release of packaging.

You need both ppa:ondrej/php and ppa:ondrej/php-qa, e.g.:

apt-get install -y language-pack-en-base
LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php-qa

More info: https://launchpad.net/~ondrej/+archive/ubuntu/php-qa
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmpje962g_6/secring.gpg' created
gpg: keyring `/tmp/tmpje962g_6/pubring.gpg' created
gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpje962g_6/trustdb.gpg: trustdb created
gpg: key E5267A6C: public key "Launchpad PPA for Ondřej Surý" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

# apt update && apt -y dist-upgrade && apt -y dist-upgrade
Hit:1 http://fr.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://fr.archive.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Get:3 http://fr.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Hit:4 http://nginx.org/packages/mainline/ubuntu xenial InRelease
Get:5 http://fr.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Hit:6 http://ppa.launchpad.net/jonathonf/vim/ubuntu xenial InRelease
Get:7 http://ppa.launchpad.net/ondrej/php-qa/ubuntu xenial InRelease [23.8 kB]
Hit:8 https://deb.nodesource.com/node_10.x xenial InRelease
Hit:9 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Get:10 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Get:11 http://ppa.launchpad.net/ondrej/php-qa/ubuntu xenial/main amd64 Packages [1,176 B]
Get:12 http://ppa.launchpad.net/ondrej/php-qa/ubuntu xenial/main i386 Packages [564 B]
Hit:13 http://apt.vestacp.com/xenial xenial InRelease
Get:14 http://ppa.launchpad.net/ondrej/php-qa/ubuntu xenial/main Translation-en [628 B]
Get:15 http://fr.archive.ubuntu.com/ubuntu xenial-security/universe Translation-en [225 kB]
Get:16 http://fr.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [2,009 kB]
Get:17 http://fr.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [1,508 kB]
Get:18 http://fr.archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [356 kB]
Fetched 4,466 kB in 2min 0s (37.0 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Candidate: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Version table:
 *** 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
```

What can I do, please?

user67x commented 3 years ago

I have done everything as said in #1 for Ubuntu Xenial:

> 1. install your PHP environment as close to production as possible
> 2. add-apt-repository ppa:ondrej/php-qa
> 3. apt update && apt -y dist-upgrade && apt -y dist-upgrade # the last command should downgrade openssl packages
> 4. apt-cache policy libssl1.1

But the result is:

```
# apt-cache policy libssl1.1
libssl1.1:
  Installed: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Candidate: 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0
  Version table:
 *** 1.1.1k-1+ubuntu16.04.1+deb.sury.org+0 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
```