apache ssl auth failed in renegotiation

Bug #1802630 reported by laurentl on 2018-11-10

This bug affects 1 person
Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Since I upgraded to Ubuntu cosmic, that is from apache2 2.4.29 to 2.4.34 and OpenSSL from 1.1.0 to 1.1.1, my SSL auth fails with the following error:

[Sat Nov 10 09:32:00.442814 2018] [ssl:error] [pid 17784:tid 139825168492288] [client 192.168.0.9:44610] AH02261: Re-negotiation handshake failed
[Sat Nov 10 09:32:00.442877 2018] [ssl:error] [pid 17784:tid 139825168492288] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

My SSL auth config:

    # client ssl authentication
    SSLCACertificateFile /etc/pki/certs/ca.crt
    SSLCARevocationFile /etc/pki/crl/crl.pem
    SSLCARevocationCheck chain
    SSLOCSPEnable on
    <Location "/">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLRequireSSL

        # client certificate must carry the following information
        Require expr ( \
                (%{SSL_CLIENT_S_DN_O} == "XXX") && \
                (%{SSL_CLIENT_S_DN_OU} == "XXX") \
                )
    </Location>

My certificates are valid and verified with openssl verify, and this configuration worked well before the upgrade.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: apache2 2.4.34-1ubuntu2
ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12
Uname: Linux 4.18.0-10-generic x86_64
Apache2ConfdDirListing: False
Apache2Modules:
 Error: command ['pkexec', '/usr/sbin/apachectl', '-D DUMP_MODULES'] failed with exit code 127: polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
 Error executing command as another user: Not authorized

 This incident has been reported.
ApportVersion: 2.20.10-0ubuntu13
Architecture: amd64
Date: Sat Nov 10 10:37:50 2018
SourcePackage: apache2
UpgradeStatus: Upgraded to cosmic on 2018-11-09 (1 days ago)
modified.conffile..etc.apache2.conf-available.security.conf: [modified]
modified.conffile..etc.apache2.mods-available.mpm_event.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [deleted]
modified.conffile..etc.logrotate.d.apache2: [modified]
mtime.conffile..etc.apache2.conf-available.security.conf: 2018-09-25T12:29:03.792447
mtime.conffile..etc.apache2.mods-available.mpm_event.conf: 2018-09-25T12:29:03.884447
mtime.conffile..etc.apache2.ports.conf: 2018-09-30T09:02:08.013554
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2018-10-26T16:34:45.022263
mtime.conffile..etc.logrotate.d.apache2: 2018-09-25T12:29:04.252447

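The two error lines in the description are written by mod_ssl as separate records that share only the pid:tid tag, and only the first of them carries the client address. The script below is an added example, not code from the report, from Apache or from Ubuntu: it joins the records per thread, unpacks the packed OpenSSL 1.1.x error code (8-bit library, 12-bit function, 12-bit reason), and returns one event per failed client so the failures can be counted or alerted on. The sample log is constructed from the lines quoted in this thread; the small reason-code table is an assumed subset for illustration, and the reason text from the log line itself is kept as the authoritative value.

```python
"""Triage mod_ssl client-certificate failures from an Apache error log.

Added example (not part of the bug report). mod_ssl logs the AH02261
"Re-negotiation handshake failed" record and the "SSL Library Error"
record separately; they share only the [pid:tid] tag and the second one
has no [client ...] field. This joins them per thread and decodes the
OpenSSL error code so events can be grouped by reason.
"""
import re

# Constructed sample input: the two lines from the bug description plus the
# AH02033 line quoted later in the thread.
SAMPLE_LOG = """\
[Sat Nov 10 08:16:12.182245 2018] [ssl:error] [pid 46718:tid 139825336280832] [client 14.134.18.222:26999] AH02033: No hostname was provided via SNI for a name based virtual host
[Sat Nov 10 09:32:00.442814 2018] [ssl:error] [pid 17784:tid 139825168492288] [client 192.168.0.9:44610] AH02261: Re-negotiation handshake failed
[Sat Nov 10 09:32:00.442877 2018] [ssl:error] [pid 17784:tid 139825168492288] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# OpenSSL 1.1.x packed code: ERR_PACK(lib, func, reason) = lib<<24 | func<<12 | reason
# (OpenSSL 3.x no longer encodes a function number, so this applies to 1.1.x logs).
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")

# Assumed subset of SSL-library (ERR_LIB_SSL == 20) reason codes seen in
# common mod_ssl failures; anything else is reported as "unknown".
SSL_REASONS = {
    134: "SSL_R_CERTIFICATE_VERIFY_FAILED",
    193: "SSL_R_NO_SHARED_CIPHER",
    199: "SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE",
}


def unpack_err(code_hex):
    """Split a packed OpenSSL 1.1.x error code into its three fields."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_log(text):
    """Return one event per AHxxxxx record; a following 'SSL Library Error'
    record from the same pid:tid is attached to that event."""
    open_by_thread = {}
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"])
        msg = m["msg"]
        if msg.startswith("SSL Library Error:"):
            e = ERR_RE.search(msg)
            ev = open_by_thread.get(key)
            if ev is None or e is None:
                continue  # library error with no preceding AH record on this thread
            info = unpack_err(e["code"])
            info["func_name"] = e["func"]
            info["reason_text"] = e["reason"]
            info["reason_name"] = SSL_REASONS.get(info["reason"], "unknown")
            ev["openssl"] = info
            continue
        ev = {"ts": m["ts"], "client": m["client"], "ah": msg.split(":", 1)[0],
              "text": msg, "openssl": None}
        open_by_thread[key] = ev
        events.append(ev)
    return events


def client_cert_failures(text):
    """Events where the renegotiation failed because the client certificate
    did not verify: the condition this bug report describes."""
    return [ev for ev in parse_log(text)
            if ev["ah"] == "AH02261" and ev["openssl"] is not None
            and ev["openssl"]["reason"] == 134]


if __name__ == "__main__":
    for ev in client_cert_failures(SAMPLE_LOG):
        o = ev["openssl"]
        print(f"{ev['ts']} client={ev['client']} {ev['ah']} lib={o['lib']} "
              f"func={o['func_name']} reason={o['reason']} ({o['reason_name']})")
```

Run against the real error.log of the vhost (the apport attachment here was the default vhost's log, not the one with client auth) to see which clients hit the verify failure and how often; a reason other than 134 on the same AH02261 record points at a different problem than certificate verification.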
laurentl (laurent-lavaud) wrote :
tags: added: apache2 openssl

Hi Laurent,
It makes no sense to me.
The only related thing I have found was [1] and [2] both with no clear root-cause nor clear next steps.

I have to beg your pardon, but this seems more of a setup issue than a bug (unless support for something was dropped by accident); maybe you could report the same upstream and/or to the Ubuntu community to get help with the setup.

[1]: http://mail-archives.apache.org/mod_mbox/httpd-users/201809.mbox/%3COF59CFC57D.D513E13D-ONC1258313.001F1D6B-C1258313.00233774@LocalDomain%3E
[2]: https://askubuntu.com/questions/1078247/update-16-04-lts-18-04-lts-tls-process-client-certificatecertificate-verify

Thank you for taking the time to report this bug and helping to make Ubuntu better.
As explained, I can't really act on that at the moment.

If you happen to find a solution, please report it here for other users to benefit; if the discussion turns out this is a bug, please set it back to New and add some pointers.

Changed in apache2 (Ubuntu):
status: New → Incomplete
laurentl (laurent-lavaud) wrote :

Hello,

Thank you for your response.

I really don't think this is a setup problem, since my configuration, which is pushed with Puppet, never changed for months before the upgrade to cosmic.

To give you more information about the setup: I use a Let's Encrypt SSL certificate for the vhost, and I added SSL client authentication to access this vhost using my own PKI.

Here is the full vhost configuration:

<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerAdmin <email address hidden>
    ServerName xxx.fr
    ServerAlias www.xxx.fr

    Header always set Strict-Transport-Security "max-age=15724800"

    Header always set Public-Key-Pins "max-age=7776000; pin-sha256=\"V/l9+ViA7bqzrax3MyXRBjSIye7sXH1ERDVqjfTh7AQ=\"; pin-sha256=\"XYoSDYUn1tbyRUOpOE/6rMCibPqp0NpgBIkNQOFColU=\"; pin-sha256=\"0f3u6+R1mc6c5c4bsaeEkA+qHUIPfiGlo8e/j/kHwNg=\"; pin-sha256=\"InkxmlvZJBDx10AL+4Yfuwr060osJDXvs4Ti8yh2b7s=\""

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/xxx.fr/ecc/live/xxx.fr.fullchain
    SSLCertificateKeyFile /etc/letsencrypt/xxx.fr/ecc/key/xxx.fr.key
    SSLCertificateFile /etc/letsencrypt/xxx.fr/rsa/live/xxx.fr.fullchain
    SSLCertificateKeyFile /etc/letsencrypt/xxx.fr/rsa/key/xxx.fr.key

    SSLCACertificateFile /etc/pki/certs/ca.crt
    SSLCARevocationFile /etc/pki/crl/crl.pem
    SSLCARevocationCheck chain
    SSLOCSPEnable on
    <Location "/">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLRequireSSL

        Require expr ( \
                (%{SSL_CLIENT_S_DN_O} == "XXX") && \
                (%{SSL_CLIENT_S_DN_OU} == "XXX") \
                )
    </Location>

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/

    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"

    ProxyAddHeaders Off
    RequestHeader set X-Forwarded-Host "www.xxx.fr"
    RequestHeader set X-Forwarded-Server "www.xxx.fr"
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s

    LogLevel trace8
    CustomLog /var/log/apache2/www.xxx.fr/access.log vhost_combined_time
    ErrorLog /var/log/apache2/www.xxx.fr/error.log
</VirtualHost>

and this is the common config I have in conf-enabled:

  SSLInsecureRenegotiation off
  SSLUseStapling on
  SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
  SSLSessionTickets off
  SSLStrictSNIVHostCheck On
  SSLHonorCipherOrder on
  SSLCompression off
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

If you have some hints to help with debugging this, I would welcome them, because actually I just set LogLevel to trace8 but I don't get anything interesting...

Changed in apache2 (Ubuntu):
status: Incomplete → New
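As an added note on the vhost above (this is an example added here, not the reporter's configuration and not a fix for this report): SSLVerifyClient inside <Location "/"> can only take effect after the first handshake has completed, so mod_ssl has to renegotiate on every request to that location, which is the code path AH02261 comes from. At VirtualHost scope the client certificate is requested in the initial handshake and no renegotiation happens at all; because the location is "/", the access result is the same, and the DN checks can stay where they are. TLS 1.3 has no renegotiation, so vhost-scope verification also removes a dependency on post-handshake authentication support in httpd. Paths, placeholder DN values and addresses are the report's own; only the RSA certificate pair is shown to keep the example short.

```apache
# Added example (not the reporter's config): client-certificate verification
# at VirtualHost scope, so it is negotiated in the first handshake and
# mod_ssl does not renegotiate per request. The Require expr stays in the
# <Location> it was in.
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName xxx.fr
    ServerAlias www.xxx.fr

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/xxx.fr/rsa/live/xxx.fr.fullchain
    SSLCertificateKeyFile /etc/letsencrypt/xxx.fr/rsa/key/xxx.fr.key

    SSLCACertificateFile /etc/pki/certs/ca.crt
    SSLCARevocationFile /etc/pki/crl/crl.pem
    SSLCARevocationCheck chain
    SSLOCSPEnable on

    # Moved out of <Location "/">: at this scope no renegotiation is needed.
    SSLVerifyClient require
    # Per the mod_ssl docs, depth 1 means the client certificate must be
    # self-signed or issued directly by a CA in SSLCACertificateFile; raise
    # it if the client chain contains an intermediate CA.
    SSLVerifyDepth 1

    <Location "/">
        SSLRequireSSL
        # client certificate must carry the following information
        Require expr ( \
                (%{SSL_CLIENT_S_DN_O} == "XXX") && \
                (%{SSL_CLIENT_S_DN_OU} == "XXX") \
                )
    </Location>

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/

    ErrorLog /var/log/apache2/www.xxx.fr/error.log
</VirtualHost>
```

One caveat when comparing with the "openssl verify" result mentioned in the report: the command-line tool does not check the CRL unless given -crl_check and does not apply the server's SSLVerifyDepth, so a passing "openssl verify" does not reproduce what mod_ssl checks during the handshake; with "Certificate Verification" lines at LogLevel info, mod_ssl reports the underlying X509 verify reason, which the SSL Library Error line alone does not show.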
Karl Stenerud (kstenerud) wrote :

Hi Laurent,

Looking at the logs I see:

[Sat Nov 10 08:16:12.182245 2018] [ssl:error] [pid 46718:tid 139825336280832] [client 14.134.18.222:26999] AH02033: No hostname was provided via SNI for a name based virtual host

This message would only occur if you had SSLStrictSNIVHostCheck set to "on" (it defaults to off). I think there are probably a lot of confounding factors that are making it difficult to track down the root cause. Can you put together a set of steps that re-create the issue in a virtual machine or container?

Changed in apache2 (Ubuntu):
status: New → Incomplete
laurentl (laurent-lavaud) wrote :

Hi,
The logs taken by the tool are the Apache default ones; they are not for the vhost I am talking about.
I will try to set up a config in a container.
