[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken

Vladimir Mencl 1865900 at bugs.launchpad.net
Wed Mar 25 03:50:38 UTC 2020 

Hi,

Just clarifying on the previous comment.  From the release notes I've seen in the bionic package, I understand this fix does:
>     - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
>      SSL_verify_client_post_handshake fails in
>      modules/ssl/ssl_engine_kernel.c.

However, when authentication is optional (SSLVerifyClient optional) and
no client authentication is provided, it MUST NOT count as a failure and
request processing should continue...

Cheers,
Vlad

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900

Title:
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  broken

Status in Release Notes for Ubuntu:
  Confirmed
Status in apache2 package in Ubuntu:
  In Progress
Status in python-urllib3 package in Ubuntu:
  Confirmed
Status in requests package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  stopped working. No certificate is requested from client browser and
  apahce log has error:

  [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
  [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
  [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
  [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/

  
  A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
  --- 
  ProblemType: Bug
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 13567) already running
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  InstallationDate: Installed on 2010-05-21 (3576 days ago)
  InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
  Package: apache2 2.4.29-1ubuntu4.12
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
  Tags:  bionic
  Uname: Linux 4.15.0-88-generic x86_64
  UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
  UserGroups:
   
  _MarkForUpload: True
  error.log:
   [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
   [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
   [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
  modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
  mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list