[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken
Vladimir Mencl
1865900 at bugs.launchpad.net
Wed Mar 25 03:42:06 UTC 2020
Hi,
I'm afraid the fix released in 2.4.29-1ubuntu4.13 has introduced a
regression.
We have just updated our servers to 2.4.29-1ubuntu4.13 and configuration
that was working previously suddenly broke.
We are using
SSLVerifyClient optional
inside a Location element.
Our configuration has:
SSLCACertificateFile "/etc/ssl/certs/api-ca.crt"
<Location /api>
SSLVerifyClient optional
RequestHeader set X509_DN "%{SSL_CLIENT_S_DN}s"
</Location>
However, this breaks with:
[Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
[Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
Removing the SSLVerifyClient optional or disabling TLSv1.3 fixes it ...
but both would be deviating from our desired target configuration.
Hope this can be fixed.
Please let me know if you need any further info - or if this should be a standalone bug report.
(So far, as this is a regression caused by the fix discussed here, I thought best to post here.
Cheers,
Vlad
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900
Title:
apache 2.4.29-1ubuntu4.12 authentication with client certificate
broken
Status in Release Notes for Ubuntu:
Confirmed
Status in apache2 package in Ubuntu:
In Progress
Status in python-urllib3 package in Ubuntu:
Confirmed
Status in requests package in Ubuntu:
Confirmed
Bug description:
Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
apache 2.4.29-1ubuntu4.12 authentication with client certificate
stopped working. No certificate is requested from client browser and
apahce log has error:
[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/
A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
---
ProblemType: Bug
Apache2ConfdDirListing: False
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
httpd (pid 13567) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2010-05-21 (3576 days ago)
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
Package: apache2 2.4.29-1ubuntu4.12
PackageArchitecture: amd64
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Tags: bionic
Uname: Linux 4.15.0-88-generic x86_64
UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
UserGroups:
_MarkForUpload: True
error.log:
[Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
[Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list