[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken
Ken Dreyer (Red Hat)
1865900 at bugs.launchpad.net
Wed Aug 18 16:51:49 UTC 2021
Focal's curl 7.68.0-1ubuntu2.6 now supports post-handshake client
authentication.
curl \
  --tls-max 1.2 \
  --cacert ~/.koji/pki/koji-ca.crt \
  --cert ~/koji-ansible/koji-tools/admin.crt \
  --key ~/koji-ansible/koji-tools/admin.key \
  https://localhost/kojihub/ssllogin
However, python-requests on Focal or Groovy still cannot do post-
handshake client auth with the default SSLProtocol setting. Sample
Python script:
import requests
r = requests.get('https://localhost/kojihub/ssllogin',
                 verify='.koji/pki/koji-ca.crt',
                 cert=('koji-ansible/koji-tools/admin.crt',
                       'koji-ansible/koji-tools/admin.key'))
r.raise_for_status()
The Apache error logs say:
[ssl:error] AH10158: cannot perform post-handshake authentication
[ssl:error] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
Applying
https://github.com/psf/requests/commit/db47b9b4a0c5877fb97f64ac442757604c4c45cc
or updating to hirsute's python3-requests_2.25.1+dfsg-2 does work.
https://bugs.launchpad.net/bugs/1865900
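The client-side remedy implied by the "extension not received" error above, as an added example that is not part of the bug comment and not the requests or urllib3 projects' own code: the client must advertise TLS 1.3 post-handshake authentication (PHA), which in the Python standard library is `SSLContext.post_handshake_auth`. The helper names, the adapter class and the certificate paths are assumptions; the paths are placeholders that mirror the comment above.

```python
import ssl


def make_pha_client_context(cafile=None, certfile=None, keyfile=None):
    """Build a client SSLContext that advertises TLS 1.3 post-handshake
    authentication, so a server that asks for the client certificate only
    after the handshake can request it instead of aborting with
    'SSL_verify_client_post_handshake:extension not received'."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    # CPython returns None for this attribute when the linked OpenSSL has no
    # TLS 1.3 support; fail loudly instead of silently reproducing the bug.
    if getattr(ctx, "post_handshake_auth", None) is None:
        raise RuntimeError("this Python/OpenSSL cannot do TLS 1.3 post-handshake auth")
    ctx.post_handshake_auth = True
    return ctx


def session_with_pha(cafile, certfile, keyfile):
    """requests.Session whose HTTPS pools use the PHA-enabled context.
    requests is imported lazily so the context helper stays stdlib-only."""
    import requests
    from requests.adapters import HTTPAdapter

    ctx = make_pha_client_context(cafile, certfile, keyfile)

    class PHAAdapter(HTTPAdapter):
        # Hypothetical adapter: urllib3 hands ssl_context to HTTPSConnectionPool,
        # so every connection made by this session is wrapped with our context.
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    session.mount("https://", PHAAdapter())
    return session


if __name__ == "__main__":
    # Placeholder paths mirroring the bug comment; substitute your own.
    s = session_with_pha(".koji/pki/koji-ca.crt",
                         "koji-ansible/koji-tools/admin.crt",
                         "koji-ansible/koji-tools/admin.key")
    r = s.get("https://localhost/kojihub/ssllogin",
              verify=".koji/pki/koji-ca.crt")
    r.raise_for_status()
    print(r.status_code)
```

The context keeps the defaults of `create_default_context` (hostname checking and CERT_REQUIRED for the server certificate); only the PHA flag is added. Pinning the SSLContext on an adapter is also the way to keep the fix on a requests version that predates the referenced commit.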
Title:
apache 2.4.29-1ubuntu4.12 authentication with client certificate
broken
Status in Release Notes for Ubuntu:
Confirmed
Status in apache2 package in Ubuntu:
In Progress
Status in python-urllib3 package in Ubuntu:
Confirmed
Status in requests package in Ubuntu:
Confirmed
Bug description:
Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
apache 2.4.29-1ubuntu4.12 authentication with client certificate
stopped working. No certificate is requested from client browser and
apache log has error:
[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/
A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
---
ProblemType: Bug
Apache2ConfdDirListing: False
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
httpd (pid 13567) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2010-05-21 (3576 days ago)
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
Package: apache2 2.4.29-1ubuntu4.12
PackageArchitecture: amd64
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Tags: bionic
Uname: Linux 4.15.0-88-generic x86_64
UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
UserGroups:
_MarkForUpload: True
error.log:
[Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
[Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073
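To spot this failure mode in the Apache error log after an upgrade, rather than waiting for users to report that no certificate is being requested, here is an added example (not part of the bug report) that parses the 2.4 error_log line layout and flags post-handshake client auth failures. The first four sample lines are copied from the report above; the last two are constructed from the messages in the follow-up comment with a placeholder timestamp, pid and tid. The function names and the marker list are assumptions.

```python
import re

# Apache 2.4 error_log layout: [timestamp] [module:level] [pid N:tid N] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] (?P<msg>.*)$"
)

# Message fragments indicating that the client did not advertise TLS 1.3
# post-handshake authentication (assumed marker list built from the report).
PHA_MARKERS = (
    "AH10158",                           # cannot perform post-handshake authentication
    "SSL_verify_client_post_handshake",  # OpenSSL: extension not received
    "verify client post handshake",      # mod_ssl wording in the original report
)

# Sample input: four lines copied from the bug description, two constructed.
SAMPLE_LOG = [
    "[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown",
    "[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/",
    "[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/",
    "[Wed Aug 18 16:40:00.000000 2021] [ssl:error] [pid 1000:tid 2000] AH10158: cannot perform post-handshake authentication",
    "[Wed Aug 18 16:40:00.000001 2021] [ssl:error] [pid 1000:tid 2000] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received",
]


def parse_line(line):
    """Return a dict of the log fields, or None for lines in another layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pha_failure"] = rec["module"] == "ssl" and any(
        marker in rec["msg"] for marker in PHA_MARKERS
    )
    return rec


def summarize(lines):
    """Count TLS 1.3 handshakes and post-handshake auth failures in the log.

    A non-zero failure count alongside TLS 1.3 handshakes is the signature of
    this bug: the server tries to request the client cert after the handshake
    and the client cannot take part."""
    failures = []
    tls13 = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if "Protocol: TLSv1.3" in rec["msg"]:
            tls13 += 1
        if rec["pha_failure"]:
            failures.append(rec)
    return {"tls13_handshakes": tls13,
            "pha_failures": len(failures),
            "records": failures}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"TLS 1.3 handshakes: {result['tls13_handshakes']}, "
          f"post-handshake auth failures: {result['pha_failures']}")
    for rec in result["records"]:
        print(f"  {rec['ts']} pid={rec['pid']} {rec['msg']}")
```

Pipe a real error_log through `summarize(open(path))` to check the server side; the failures will stop appearing once clients advertise PHA or once TLS 1.3 is disabled for the vhost, as the report's workaround does.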