[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken

Christian Ehrhardt  1865900 at bugs.launchpad.net
Wed Mar 9 17:05:40 UTC 2022


I came by this bug and tried to update the states to better reflect the
situation.

We still have the case that for Focal there was a regression due to
updates. But there is also the problem that it is hard to see if we want
to revert (no, as it was security improvements) or how we could fix
things (is it actually a feature add to become compatible?).

The update to the states shows that for new releases, e.g. Jammy, all
the fixes are in and, in addition, being a new release it is kind of
allowed to do new things differently.

But at the same time that means there might be fixes existing by now
that make the other components compatible with the new behavior - if
those could be backported that would mitigate the issue. But OTOH, as we
know, backporting features usually isn't done in SRUs.

That evaluation will need time - Marc was assigned to this before for a
revisit, and I have kept this assignment in my update.

** Tags removed: server-triage-discuss

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900

Title:
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  broken

Status in Release Notes for Ubuntu:
  Confirmed
Status in apache2 package in Ubuntu:
  Fix Released
Status in python-urllib3 package in Ubuntu:
  Fix Released
Status in requests package in Ubuntu:
  Fix Released
Status in apache2 source package in Focal:
  New
Status in python-urllib3 source package in Focal:
  New
Status in requests source package in Focal:
  New
Status in apache2 source package in Jammy:
  Fix Released
Status in python-urllib3 source package in Jammy:
  Fix Released
Status in requests source package in Jammy:
  Fix Released

Bug description:
  Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  stopped working. No certificate is requested from client browser and
  apache log has error:

  [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
  [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
  [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
  [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/

  
  A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
  --- 
  ProblemType: Bug
  Apache2ConfdDirListing: False
  Apache2Modules:
   AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
   httpd (pid 13567) already running
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  InstallationDate: Installed on 2010-05-21 (3576 days ago)
  InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
  Package: apache2 2.4.29-1ubuntu4.12
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
  Tags:  bionic
  Uname: Linux 4.15.0-88-generic x86_64
  UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
  UserGroups:
   
  _MarkForUpload: True
  error.log:
   [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
   [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
   [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
  modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
  mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073
