[Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken
Christian Ehrhardt
1865900 at bugs.launchpad.net
Wed Mar 9 17:05:40 UTC 2022
I came by this bug and tried to update the states to better reflect the
situation.

We still have the case that for Focal there was a regression due to
updates. But there is also the problem that it is hard to see if we want to
revert (no, as it was security improvements) or how we could fix things (is it
actually a feature add to become compatible).

The update to the states shows that for new releases, e.g. Jammy, all the
fixes are in, and in addition, being a new release, it is kind of allowed
to do new things differently.

But at the same time that means there might be fixes existing by now
that make the other components compatible with the new behavior - if those
could be backported that would mitigate the issue. But OTOH, as we know,
backporting features usually isn't done in SRUs.

That evaluation will need time - Marc was assigned to this before for a
revisit, and I have kept this assignment in my update.
** Tags removed: server-triage-discuss
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865900
Title:
apache 2.4.29-1ubuntu4.12 authentication with client certificate
broken
Status in Release Notes for Ubuntu:
Confirmed
Status in apache2 package in Ubuntu:
Fix Released
Status in python-urllib3 package in Ubuntu:
Fix Released
Status in requests package in Ubuntu:
Fix Released
Status in apache2 source package in Focal:
New
Status in python-urllib3 source package in Focal:
New
Status in requests source package in Focal:
New
Status in apache2 source package in Jammy:
Fix Released
Status in python-urllib3 source package in Jammy:
Fix Released
Status in requests source package in Jammy:
Fix Released
Bug description:
Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
apache 2.4.29-1ubuntu4.12 authentication with client certificate
stopped working. No certificate is requested from client browser and
apache log has error:
[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/
A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
---
ProblemType: Bug
Apache2ConfdDirListing: False
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
httpd (pid 13567) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2010-05-21 (3576 days ago)
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
Package: apache2 2.4.29-1ubuntu4.12
PackageArchitecture: amd64
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Tags: bionic
Uname: Linux 4.15.0-88-generic x86_64
UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
UserGroups:
_MarkForUpload: True
error.log:
[Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does NOT include an ID which matches the server name
[Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
mtime.conffile..etc.apache2.mods-available.reqtimeout.conf: 2020-03-03T16:33:43.294515
mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2019-10-16T13:29:08.811073
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions
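A triage aid for the symptom quoted in the bug description, added here as an example (it is not part of the bug report or of Apache): it scans an Apache error log for the "verify client post handshake" error and reports which vhost was hit and whether the same worker process had logged a TLSv1.3 handshake. The function names are illustrative, and the sample input is the four log lines from the report.

```python
import re
from collections import Counter

# Constructed sample: the four error-log lines quoted in the bug description.
SAMPLE_LOG = """\
[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child 1 with standard shutdown
[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS request received for child 65 (server devel.liisi.ee:443), referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https://devel.liisi.ee:8950/accounts/login/
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
PROTO_RE = re.compile(r"AH02041: Protocol: (?P<proto>[\w.]+),")
VHOST_RE = re.compile(r"AH02034: .*\(server (?P<vhost>[^)]+)\)")
PHA_MARKER = "verify client post handshake"

def find_pha_failures(log_text):
    """Return one dict per failed post-handshake client-certificate request."""
    last_vhost = {}     # (pid, tid) -> vhost of the latest request on that thread
    tls13_pids = set()  # worker pids that have logged a TLSv1.3 handshake so far
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an error-log record (e.g. wrapped or foreign line)
        key, msg = (m["pid"], m["tid"]), m["msg"]
        if (p := PROTO_RE.search(msg)) and p["proto"] == "TLSv1.3":
            tls13_pids.add(m["pid"])
        elif v := VHOST_RE.search(msg):
            last_vhost[key] = v["vhost"]
        elif m["level"] == "error" and PHA_MARKER in msg:
            failures.append({
                "ts": m["ts"],
                "pid": m["pid"],
                "vhost": last_vhost.get(key, "unknown"),
                "tls13_seen": m["pid"] in tls13_pids,
            })
    return failures

def summarize(failures):
    """Count failures per vhost, to show where client-cert auth is affected."""
    return Counter(f["vhost"] for f in failures)

if __name__ == "__main__":
    print(summarize(find_pha_failures(SAMPLE_LOG)))
```

The AH02041 and AH02034 lines are only written at `LogLevel ssl:debug`, so without debug logging the vhost is reported as "unknown" and `tls13_seen` stays false.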