[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken

Riho Kalbus rihokalbus at gmail.com
Tue Mar 17 07:48:07 UTC 2020 

Hello,

tested. Issue was not solved, but got relevant error message: "You don't
have permission to access this resource.Reason: Cannot perform
Post-Handshake Authentication."

ii  apache2                                   2.4.29-1ubuntu4.13
                   amd64        Apache HTTP Server
ii  apache2-bin                               2.4.29-1ubuntu4.13
                   amd64        Apache HTTP Server (modules and other
binary files)
ii  apache2-data                              2.4.29-1ubuntu4.13
                   all          Apache HTTP Server (common files)
ii  apache2-utils                             2.4.29-1ubuntu4.13
                   amd64        Apache HTTP Server (utility programs for
web servers)
ii  libapache2-mod-wsgi-py3                   4.5.17-1ubuntu1
                  amd64        Python 3 WSGI adapter module for Apache
ii  libssl1.1:amd64                           1.1.1-1ubuntu2.1~18.04.5
                   amd64        Secure Sockets Layer toolkit - shared
libraries

[Tue Mar 17 09:44:14.919351 2020] [mpm_worker:notice] [pid 5259:tid
140138557897664] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1
mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Tue Mar 17 09:44:14.919385 2020] [core:notice] [pid 5259:tid
140138557897664] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 17 09:45:49.236283 2020] [ssl:error] [pid 5704:tid
140138323629824] [client 80.235.25.20:15540] AH: verify client post
handshake, referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 17 09:45:49.236315 2020] [ssl:error] [pid 5704:tid
140138323629824] [client 80.235.25.20:15540] AH10158: cannot perform
post-handshake authentication, referer:
https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 17 09:45:49.236336 2020] [ssl:error] [pid 5704:tid
140138323629824] SSL Library Error: error:14268117:SSL
routines:SSL_verify_client_post_handshake:extension not received


Kontakt Marc Deslauriers (<marc.deslauriers at canonical.com>) kirjutas
kuupäeval E, 16. märts 2020 kell 15:15:

> I have uploaded an apache2 package to the security team PPA for testing
> here:
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
>
> It includes a few fixes related to TLSv1.3.
>
> Could environment having this issue please test that package and see if
> it solves the issue?
>
> Thanks!
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1865900
>
> Title:
>   apache 2.4.29-1ubuntu4.12 authentication with client certificate
>   broken
>
> Status in apache2 package in Ubuntu:
>   New
>
> Bug description:
>   Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
>   apache 2.4.29-1ubuntu4.12 authentication with client certificate
>   stopped working. No certificate is requested from client browser and
>   apahce log has error:
>
>   [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid
> 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3,
> Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
>   [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid
> 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child
> 1 with standard shutdown
>   [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid
> 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS
> request received for child 65 (server devel.liisi.ee:443), referer:
> https://devel.liisi.ee:8950/accounts/login/
>   [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid
> 139853481088768] AH: verify client post handshake, referer:
> https://devel.liisi.ee:8950/accounts/login/
>
>
>   A temporary workaround is to disable the whole TLSv1.3 protocol in the
> vhost configuration.
>   ---
>   ProblemType: Bug
>   Apache2ConfdDirListing: False
>   Apache2Modules:
>    AH00558: apache2: Could not reliably determine the server's fully
> qualified domain name, using 172.20.4.138. Set the 'ServerName' directive
> globally to suppress this message
>    httpd (pid 13567) already running
>   ApportVersion: 2.20.9-0ubuntu7.11
>   Architecture: amd64
>   DistroRelease: Ubuntu 18.04
>   InstallationDate: Installed on 2010-05-21 (3576 days ago)
>   InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64
> (20100427)
>   Package: apache2 2.4.29-1ubuntu4.12
>   PackageArchitecture: amd64
>   ProcEnviron:
>    TERM=xterm-256color
>    PATH=(custom, no user)
>    XDG_RUNTIME_DIR=<set>
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
>   Tags:  bionic
>   Uname: Linux 4.15.0-88-generic x86_64
>   UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
>   UserGroups:
>
>   _MarkForUpload: True
>   error.log:
>    [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid
> 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does
> NOT include an ID which matches the server name
>    [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid
> 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1
> mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
>    [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid
> 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
>   modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
>   modified.conffile..etc.apache2.ports.conf: [modified]
>   modified.conffile..etc.apache2.sites-available.000-default.conf:
> [modified]
>   mtime.conffile..etc.apache2.mods-available.reqtimeout.conf:
> 2020-03-03T16:33:43.294515
>   mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
>   mtime.conffile..etc.apache2.sites-available.000-default.conf:
> 2019-10-16T13:29:08.811073
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865900/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900

Title:
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  broken

Status in Release Notes for Ubuntu:
  Confirmed
Status in apache2 package in Ubuntu:
  In Progress
Status in python-urllib3 package in Ubuntu:
  Confirmed
Status in requests package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  stopped working. No certificate is requested from client browser and
  apahce log has error:

  [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
  [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
  [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
  [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/

  
  A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
  --- 
  ProblemType: Bug
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 13567) already running
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  InstallationDate: Installed on 2010-05-21 (3576 days ago)
  InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
  Package: apache2 2.4.29-1ubuntu4.12
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
  Tags:  bionic
  Uname: Linux 4.15.0-88-generic x86_64
  UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
  UserGroups:
   
  _MarkForUpload: True
  error.log:
   [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
   [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
   [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
  modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
  mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list