Ubuntu 18.04: slow page loads with client cert auth after upgrade to openssl 1.1.1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache2 Web Server | Fix Released | Medium | |
apache2 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
After upgrade to openssl 1.1.1 on Ubuntu 18.04 I encountered slow page loads (>15 sec delay for each GET) when client cert auth is used.
Apache logs show delays like this (LogLevel debug):
[Fri Jun 21 11:36:13.760861 2019] [socache_
[Fri Jun 21 11:36:30.229486 2019] [authz_core:debug] [pid 14032] mod_authz_
This appears to be a problem in apache that has been triggered with OpenSSL 1.1.1 and was fixed in 2.4.34, see
https:/
The workaround mentioned there worked for me: moving the "SSLVerifyClient require" part out of a LocationMatch block into the containing VirtualHost stopped the delays instantly.
Thanks a lot!
Andreas
Ubuntu 18.04
apache2 2.4.29-1ubuntu4.6
openssl 1.1.1-1ubuntu2.
affects: ubuntu → apache2 (Ubuntu)
tags: added: bionic
Changed in apache2:
importance: Unknown → Medium
status: Unknown → Fix Released
Working on a project and need an LTS version of OpenSSL, which is soon to be 1.1.1. Recompiled apache 2.4.34 against it and trying to use client certificates shows a 1 minute delay between the handshake completing and the 0-byte SSL_peek() in ssl_engine_kernel.c:1033 returning.
Working just fine with OpenSSL 1.1.0 or 1.0.2, also appears to work without a delay using the 1.1.1 openssl s_server command.
Minimal configuration file is:
------------
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
LoadModule unixd_module /usr/lib/apache2/modules/mod_unixd.so
LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
SSLPassPhraseDialog "exec:......"
LogLevel trace5
ErrorLog /tmp/client-certificates.log
ServerName my.test.com
DocumentRoot /var/www
<Location />
SSLVerifyClient require
Require ssl-verify-client
</Location>
Listen 1443
<VirtualHost *:1443>
SSLEngine on
SSLCertificateKeyFile "/etc/xxxx.key"
SSLCertificateFile "/etc/xxxx.cert"
SSLCertificateChainFile "/etc/xxxx.cert"
SSLCACertificateFile "/etc/backendca.cert"
</VirtualHost>
------------
The logs from apache itself that shows the delay are:
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
---- delay here ----
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_
There is no delay before the web browser / client prompts for a certificate to use - just between the ssl re-handshake completing and the peek() returning no bytes.
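The stall both reports describe shows up in the Apache error log as a long gap between consecutive entries for the same client once the AH02041 handshake-complete entry has been logged. As an added example (not code from either bug report or from Apache), the Python below scans debug-level error-log lines for such gaps; the sample log lines are constructed, modelled on the entries quoted above, and the mod_authz_core line is a made-up follow-up entry.

```python
import re
from datetime import datetime

# Apache error-log prefix: [timestamp] [module:level] [pid N:tid M] file(line): [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[(?P<module>\w+):(?P<level>\w+)\] \[pid [^\]]+\] (?P<src>\S+): "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample: one client stalls ~60 s after the handshake, another does not.
SAMPLE_LOG = """\
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:14.886400 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
---- delay here ----
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 5/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
[Tue Sep 04 18:58:20.000000 2018] [ssl:debug] [pid 2571:tid 140532252661505] ssl_engine_kernel.c(2082): [client 172.16.1.102:40001] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:20.010000 2018] [ssl:debug] [pid 2571:tid 140532252661505] mod_authz_core.c(817): [client 172.16.1.102:40001] AH01626: authorization result of Require ssl-verify-client : granted
"""

def parse_line(line):
    """Parse one error-log line into a dict, or None for non-log text (separators, BIO dumps)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return entry

def find_post_handshake_stalls(lines, threshold=5.0):
    """Return {client: gap_seconds} for clients whose log activity pauses for more
    than `threshold` seconds at some point after their AH02041 entry.
    Caveat: an idle keep-alive connection also produces a gap, so treat hits as leads."""
    last_seen = {}   # client -> timestamp of its latest entry since handshake completion
    stalls = {}
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        client = entry["client"]
        if client in last_seen:
            gap = (entry["ts"] - last_seen.pop(client)).total_seconds()
            if gap > threshold:
                stalls[client] = max(stalls.get(client, 0.0), gap)
                continue            # report once per handshake, then re-arm on next AH02041
            last_seen[client] = entry["ts"]
        if "AH02041:" in entry["msg"]:
            last_seen[client] = entry["ts"]
    return stalls

if __name__ == "__main__":
    for client, gap in find_post_handshake_stalls(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {gap:.3f}s gap after handshake")
```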