[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken

Marc Deslauriers marc.deslauriers at canonical.com
Tue Mar 17 11:02:14 UTC 2020 

Thanks for the test. That does in fact look like the Apache side of
things is now fixed as you are getting the appropriate error message
when the client support is missing, which wasn't happening before.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900

Title:
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  broken

Status in Release Notes for Ubuntu:
  Confirmed
Status in apache2 package in Ubuntu:
  In Progress
Status in python-urllib3 package in Ubuntu:
  Confirmed
Status in requests package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  stopped working. No certificate is requested from client browser and
  apahce log has error:

  [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
  [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
  [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
  [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/

  
  A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
  --- 
  ProblemType: Bug
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 13567) already running
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  InstallationDate: Installed on 2010-05-21 (3576 days ago)
  InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
  Package: apache2 2.4.29-1ubuntu4.12
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
  Tags:  bionic
  Uname: Linux 4.15.0-88-generic x86_64
  UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
  UserGroups:
   
  _MarkForUpload: True
  error.log:
   [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
   [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
   [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
  modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
  mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list