Release Notes for Ubuntu

  1. Bug #1865900
  2. Comment #24

Comment 24 for bug 1865900

Revision history for this message
Riho Kalbus (rihokalbus) wrote : Re: [Bug 1865900] Re: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken

Hello,

tested. Issue was not solved, but got relevant error message: "You don't
have permission to access this resource.Reason: Cannot perform
Post-Handshake Authentication."

ii apache2 2.4.29-1ubuntu4.13
                   amd64 Apache HTTP Server
ii apache2-bin 2.4.29-1ubuntu4.13
                   amd64 Apache HTTP Server (modules and other
binary files)
ii apache2-data 2.4.29-1ubuntu4.13
                   all Apache HTTP Server (common files)
ii apache2-utils 2.4.29-1ubuntu4.13
                   amd64 Apache HTTP Server (utility programs for
web servers)
ii libapache2-mod-wsgi-py3 4.5.17-1ubuntu1
                  amd64 Python 3 WSGI adapter module for Apache
ii libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.5
                   amd64 Secure Sockets Layer toolkit - shared
libraries

[Tue Mar 17 09:44:14.919351 2020] [mpm_worker:notice] [pid 5259:tid
140138557897664] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1
mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Tue Mar 17 09:44:14.919385 2020] [core:notice] [pid 5259:tid
140138557897664] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 17 09:45:49.236283 2020] [ssl:error] [pid 5704:tid
140138323629824] [client 80.235.25.20:15540] AH: verify client post
handshake, referer: https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 17 09:45:49.236315 2020] [ssl:error] [pid 5704:tid
140138323629824] [client 80.235.25.20:15540] AH10158: cannot perform
post-handshake authentication, referer:
https://devel.liisi.ee:8950/accounts/login/
[Tue Mar 17 09:45:49.236336 2020] [ssl:error] [pid 5704:tid
140138323629824] SSL Library Error: error:14268117:SSL
routines:SSL_verify_client_post_handshake:extension not received

Kontakt Marc Deslauriers (<email address hidden>) kirjutas
kuupäeval E, 16. märts 2020 kell 15:15:

> I have uploaded an apache2 package to the security team PPA for testing
> here:
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
>
> It includes a few fixes related to TLSv1.3.
>
> Could environment having this issue please test that package and see if
> it solves the issue?
>
> Thanks!
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1865900
>
> Title:
> apache 2.4.29-1ubuntu4.12 authentication with client certificate
> broken
>
> Status in apache2 package in Ubuntu:
> New
>
> Bug description:
> Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
> apache 2.4.29-1ubuntu4.12 authentication with client certificate
> stopped working. No certificate is requested from client browser and
> apahce log has error:
>
> [Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid
> 139853354215168] ssl_engine_kernel.c(2217): AH02041: Protocol: TLSv1.3,
> Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
> [Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid
> 139853481088768] ssl_engine_io.c(1106): AH02001: Connection closed to child
> 1 with standard shutdown
> [Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid
> 139853481088768] ssl_engine_kernel.c(383): AH02034: Initial (No.1) HTTPS
> request received for child 65 (server devel.liisi.ee:443), referer:
> https://devel.liisi.ee:8950/accounts/login/
> [Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid
> 139853481088768] AH: verify client post handshake, referer:
> https://devel.liisi.ee:8950/accounts/login/
>
>
> A temporary workaround is to disable the whole TLSv1.3 protocol in the
> vhost configuration.
> ---
> ProblemType: Bug
> Apache2ConfdDirListing: False
> Apache2Modules:
> AH00558: apache2: Could not reliably determine the server's fully
> qualified domain name, using 172.20.4.138. Set the 'ServerName' directive
> globally to suppress this message
> httpd (pid 13567) already running
> ApportVersion: 2.20.9-0ubuntu7.11
> Architecture: amd64
> DistroRelease: Ubuntu 18.04
> InstallationDate: Installed on 2010-05-21 (3576 days ago)
> InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64
> (20100427)
> Package: apache2 2.4.29-1ubuntu4.12
> PackageArchitecture: amd64
> ProcEnviron:
> TERM=xterm-256color
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
> Tags: bionic
> Uname: Linux 4.15.0-88-generic x86_64
> UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
> UserGroups:
>
> _MarkForUpload: True
> error.log:
> [Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid
> 140475868056512] AH01909: klient.liisi.ee:443:0 server certificate does
> NOT include an ID which matches the server name
> [Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid
> 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1
> mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
> [Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid
> 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
> modified.conffile..etc.apache2.mods-available.reqtimeout.conf: [modified]
> modified.conffile..etc.apache2.ports.conf: [modified]
> modified.conffile..etc.apache2.sites-available.000-default.conf:
> [modified]
> mtime.conffile..etc.apache2.mods-available.reqtimeout.conf:
> 2020-03-03T16:33:43.294515
> mtime.conffile..etc.apache2.ports.conf: 2014-10-22T16:31:31.217125
> mtime.conffile..etc.apache2.sites-available.000-default.conf:
> 2019-10-16T13:29:08.811073
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865900/+subscriptions
>