[Bug 1872478] Re: Support TLSv1.3 PHA in POST requests with cert authentication

Andreas Hasenack andreas at canonical.com
Mon Apr 13 16:39:36 UTC 2020


** Description changed:

- Apache is lacking proper support for post-handhake-auth in TLSv1.3 POST
- requests using certificate authentication.
+ [Impact]
+ Apache is lacking proper support for post-handhake-auth in TLSv1.3 POST requests using certificate authentication. This is used by freeipa, but any client doing a TLSv1.3 POST with certificate authentication is impacted and would need to downgrade the protocol to TLSv1.2.
  
  This was fixed in debian[1] via patches from upstream[2]. There is an
  upstream bug report[3] requesting the backport of these patches from
  trunk.
  
- Test case:
+ It's also being shipped in Fedora[4] already.
+ 
+ 
+ [Test Case]
  $ lxc launch ubuntu-daily:focal ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this other bug report and place them in /etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  These certs are luckily still valid until june 2020, so they can be used
  for this bug as well.
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  cd /root
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
  <IfModule mod_ssl.c>
      <VirtualHost _default_:443>
          LogLevel info ssl:warn
          ServerAdmin webmaster at localhost
          DocumentRoot /var/www/html
          LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
          ErrorLog \${APACHE_LOG_DIR}/error.log
          CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
          SSLEngine on
          SSLCertificateFile /etc/apache2/ubuntu.pem
          SSLCertificateKeyFile /etc/apache2/ubuntu.key
          SSLCACertificateFile /etc/apache2/cacert.pem
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
                  SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory /usr/lib/cgi-bin>
                  SSLOptions +StdEnvVars
          </Directory>
          <Location />
                  SSLRenegBufferSize 1024
                  SSLVerifyClient require
                  Require ssl-verify-client
          </Location>
      </VirtualHost>
  </IfModule>
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  Verify that cert authentication is required:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
  
  Verify that a GET request with the client certificate works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0   969k      0 --:--:-- --:--:-- --:--:--  969k
  
  Verify that  POST request with the client certificate fails:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   142    0     0  100   142      0  12909 --:--:-- --:--:-- --:--:-- 14200
  curl: (22) The requested URL returned error: 403 Forbidden
  
  Server logs for the above:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 14:49:03.357183 2020] [ssl:error] [pid 12248:tid 139782462109440] [client 10.0.100.38:41002] AH02263: Re-negotiation handshake failed: Client certificate missing
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:49:03 +0000] "POST / HTTP/1.1" 403 3798 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
  With the fixed packages, the POST request works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 11060  100 10918  100   142   101k   1352 --:--:-- --:--:-- --:--:--  102k
  
  And the server log confirms it was a POST request, using certificates, and TLSv1.3:
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:52:26 +0000] "POST / HTTP/1.1" 200 17118 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
  
  To test the error message changed by tlsv13-add-logno.diff, submit a slightly bigger POST request:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:" -F file=@/bin/ls
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  139k    0     0  100  139k      0  27.1M --:--:-- --:--:-- --:--:-- 27.1M
  curl: (22) The requested URL returned error: 413 Request Entity Too Large
  
  And in the server log:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 15:00:37.446562 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH02018: request body exceeds maximum size (1024) for SSL buffer
  [Mon Apr 13 15:00:37.446620 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH10228: could not buffer message body to allow TLS Post-Handshake Authentication to proceed
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:15:00:37 +0000] "POST / HTTP/1.1" 413 3721 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
+ 
+ [Regression Potential] 
+ 
+ [Other Info]
+ 
  1. https://bugs.debian.org/955348
  2. https://svn.apache.org/viewvc?view=revision&revision=1870095 and https://svn.apache.org/viewvc?view=revision&revision=1870097
  3. https://bz.apache.org/bugzilla/show_bug.cgi?id=64242
+ 4. https://bugzilla.redhat.com/show_bug.cgi?id=1775146
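Review bot: the test case never says why `SSLRenegBufferSize 1024` is set in the `<Location />` block, yet the last step depends on it: the `-F file=@/bin/ls` upload produces the 413 and the AH02018/AH10228 errors precisely because the body exceeds that 1024-byte buffer ("request body exceeds maximum size (1024) for SSL buffer"). Suggest a short note next to the directive, e.g. "deliberately small so the larger POST below overflows the buffer", so a tester understands the value is intentional rather than a leftover. Also, the [Regression Potential] and [Other Info] sections are added as bare headings with no text.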

** Description changed:

  [Impact]
  Apache is lacking proper support for post-handhake-auth in TLSv1.3 POST requests using certificate authentication. This is used by freeipa, but any client doing a TLSv1.3 POST with certificate authentication is impacted and would need to downgrade the protocol to TLSv1.2.
  
  This was fixed in debian[1] via patches from upstream[2]. There is an
  upstream bug report[3] requesting the backport of these patches from
  trunk.
  
  It's also being shipped in Fedora[4] already.
- 
  
  [Test Case]
  $ lxc launch ubuntu-daily:focal ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this other bug report and place them in /etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  These certs are luckily still valid until june 2020, so they can be used
  for this bug as well.
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  cd /root
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
  <IfModule mod_ssl.c>
      <VirtualHost _default_:443>
          LogLevel info ssl:warn
          ServerAdmin webmaster at localhost
          DocumentRoot /var/www/html
          LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
          ErrorLog \${APACHE_LOG_DIR}/error.log
          CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
          SSLEngine on
          SSLCertificateFile /etc/apache2/ubuntu.pem
          SSLCertificateKeyFile /etc/apache2/ubuntu.key
          SSLCACertificateFile /etc/apache2/cacert.pem
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
                  SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory /usr/lib/cgi-bin>
                  SSLOptions +StdEnvVars
          </Directory>
          <Location />
                  SSLRenegBufferSize 1024
                  SSLVerifyClient require
                  Require ssl-verify-client
          </Location>
      </VirtualHost>
  </IfModule>
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  Verify that cert authentication is required:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
  
  Verify that a GET request with the client certificate works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0   969k      0 --:--:-- --:--:-- --:--:--  969k
  
  Verify that  POST request with the client certificate fails:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   142    0     0  100   142      0  12909 --:--:-- --:--:-- --:--:-- 14200
  curl: (22) The requested URL returned error: 403 Forbidden
  
  Server logs for the above:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 14:49:03.357183 2020] [ssl:error] [pid 12248:tid 139782462109440] [client 10.0.100.38:41002] AH02263: Re-negotiation handshake failed: Client certificate missing
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:49:03 +0000] "POST / HTTP/1.1" 403 3798 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
  With the fixed packages, the POST request works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 11060  100 10918  100   142   101k   1352 --:--:-- --:--:-- --:--:--  102k
  
  And the server log confirms it was a POST request, using certificates, and TLSv1.3:
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:52:26 +0000] "POST / HTTP/1.1" 200 17118 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
  
  To test the error message changed by tlsv13-add-logno.diff, submit a slightly bigger POST request:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:" -F file=@/bin/ls
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  139k    0     0  100  139k      0  27.1M --:--:-- --:--:-- --:--:-- 27.1M
  curl: (22) The requested URL returned error: 413 Request Entity Too Large
  
  And in the server log:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 15:00:37.446562 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH02018: request body exceeds maximum size (1024) for SSL buffer
  [Mon Apr 13 15:00:37.446620 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH10228: could not buffer message body to allow TLS Post-Handshake Authentication to proceed
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:15:00:37 +0000] "POST / HTTP/1.1" 413 3721 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
- 
- [Regression Potential] 
+ [Regression Potential]
+ TLSv1.3 has introduced changes that generated bugs in the past. The PHA change in particular is still to this day impacting many clients. Clients who claim to support TLSv1.3, negotiate this version of the protocol, but don't implement it fully and lack PHA.
+ Regressions can happen, but we should be able to back this change out in that case. It also gives some comfort knowing that this change is already applied upstream (but not backported to 2.4), and in other distributions (debian and fedora). It's also good that we have a simple test case.
  
  [Other Info]
+ If this can't make it into focal prior to release, it can become an SRU, but the versioning might have to be changed then (i.e., become 2.4.41-4ubuntu2.1 instead of 2.4.41-4ubuntu3).
  
  1. https://bugs.debian.org/955348
  2. https://svn.apache.org/viewvc?view=revision&revision=1870095 and https://svn.apache.org/viewvc?view=revision&revision=1870097
  3. https://bz.apache.org/bugzilla/show_bug.cgi?id=64242
  4. https://bugzilla.redhat.com/show_bug.cgi?id=1775146
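Review bot: the second sentence of [Regression Potential] is a fragment ("Clients who claim to support TLSv1.3, negotiate this version of the protocol, but don't implement it fully and lack PHA.") and leaves the key question open: what such a client sees after this change, compared with the 403 it gets today. The test case only exercises curl/7.68.0 with an OpenSSL that supports PHA, so stating the expected behaviour for a client that negotiates TLSv1.3 but lacks PHA (and whether the TLSv1.2 downgrade mentioned in [Impact] remains available to it) would make the regression analysis actionable.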

** Description changed:

  [Impact]
  Apache is lacking proper support for post-handhake-auth in TLSv1.3 POST requests using certificate authentication. This is used by freeipa, but any client doing a TLSv1.3 POST with certificate authentication is impacted and would need to downgrade the protocol to TLSv1.2.
  
  This was fixed in debian[1] via patches from upstream[2]. There is an
  upstream bug report[3] requesting the backport of these patches from
  trunk.
  
  It's also being shipped in Fedora[4] already.
  
  [Test Case]
  $ lxc launch ubuntu-daily:focal ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this other bug report and place them in /etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  These certs are luckily still valid until june 2020, so they can be used
  for this bug as well.
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  cd /root
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
  <IfModule mod_ssl.c>
      <VirtualHost _default_:443>
          LogLevel info ssl:warn
          ServerAdmin webmaster at localhost
          DocumentRoot /var/www/html
          LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
          ErrorLog \${APACHE_LOG_DIR}/error.log
          CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
          SSLEngine on
          SSLCertificateFile /etc/apache2/ubuntu.pem
          SSLCertificateKeyFile /etc/apache2/ubuntu.key
          SSLCACertificateFile /etc/apache2/cacert.pem
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
                  SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory /usr/lib/cgi-bin>
                  SSLOptions +StdEnvVars
          </Directory>
          <Location />
                  SSLRenegBufferSize 1024
                  SSLVerifyClient require
                  Require ssl-verify-client
          </Location>
      </VirtualHost>
  </IfModule>
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  Verify that cert authentication is required:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
  
  Verify that a GET request with the client certificate works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0   969k      0 --:--:-- --:--:-- --:--:--  969k
  
  Verify that  POST request with the client certificate fails:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   142    0     0  100   142      0  12909 --:--:-- --:--:-- --:--:-- 14200
  curl: (22) The requested URL returned error: 403 Forbidden
  
  Server logs for the above:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 14:49:03.357183 2020] [ssl:error] [pid 12248:tid 139782462109440] [client 10.0.100.38:41002] AH02263: Re-negotiation handshake failed: Client certificate missing
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:49:03 +0000] "POST / HTTP/1.1" 403 3798 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
  With the fixed packages, the POST request works:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 11060  100 10918  100   142   101k   1352 --:--:-- --:--:-- --:--:--  102k
  
  And the server log confirms it was a POST request, using certificates, and TLSv1.3:
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:52:26 +0000] "POST / HTTP/1.1" 200 17118 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
  
  To test the error message changed by tlsv13-add-logno.diff, submit a slightly bigger POST request:
  root at ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:" -F file=@/bin/ls
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  139k    0     0  100  139k      0  27.1M --:--:-- --:--:-- --:--:-- 27.1M
  curl: (22) The requested URL returned error: 413 Request Entity Too Large
  
  And in the server log:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 15:00:37.446562 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH02018: request body exceeds maximum size (1024) for SSL buffer
  [Mon Apr 13 15:00:37.446620 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH10228: could not buffer message body to allow TLS Post-Handshake Authentication to proceed
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:15:00:37 +0000] "POST / HTTP/1.1" 413 3721 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
  [Regression Potential]
  TLSv1.3 has introduced changes that generated bugs in the past. The PHA change in particular is still to this day impacting many clients. Clients who claim to support TLSv1.3, negotiate this version of the protocol, but don't implement it fully and lack PHA.
  Regressions can happen, but we should be able to back this change out in that case. It also gives some comfort knowing that this change is already applied upstream (but not backported to 2.4), and in other distributions (debian and fedora). It's also good that we have a simple test case.
  
  [Other Info]
  If this can't make it into focal prior to release, it can become an SRU, but the versioning might have to be changed then (i.e., become 2.4.41-4ubuntu2.1 instead of 2.4.41-4ubuntu3).
  
- 1. https://bugs.debian.org/955348
+ 1. https://bugs.debian.org/955348 and https://salsa.debian.org/apache-team/apache2/-/commit/86b49fbd189484353d8462f2eb694cd6c9a53342
  2. https://svn.apache.org/viewvc?view=revision&revision=1870095 and https://svn.apache.org/viewvc?view=revision&revision=1870097
  3. https://bz.apache.org/bugzilla/show_bug.cgi?id=64242
  4. https://bugzilla.redhat.com/show_bug.cgi?id=1775146

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1872478

Title:
  Support TLSv1.3 PHA in POST requests with cert authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1872478/+subscriptions
