Login with client cert times out

Bug #1803689 reported by Virsacer on 2018-11-16
This bug affects 1 person
Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Dirk Leopold Feiler

Bug Description

Apparently due to the inclusion of OpenSSL 1.1.1 a login with a client certificate times out.

This is probably fixed in Apache 2.4.37 (already available in sid and buster):

*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]

*) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]

*) ab: Add client certificate support. [Graham Leggett]

*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected. SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]

Andreas Hasenack (ahasenack) wrote :

Do you have logs of this failure? I wonder if https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1802630 is the same issue

Andreas Hasenack (ahasenack) wrote :

Just pulling up some commits:

mod_ssl: Correctly merge configurations that have client certificates…
https://github.com/apache/httpd/commit/c4db6aaf8eabc2cc9849900b08ba4ccd2228da12

mod_ssl: We need to get the SSL_CTX for further processing
https://github.com/apache/httpd/commit/5b0b68bdfd5a9ac5def45402723d32c5bd39cd8f

Maybe interesting:

Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes post-handshake authentication.
https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844

Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.
https://github.com/apache/httpd/commit/557b8d1769dc4a207641d313e20fc3e68fd4705d

The big one, but more about TLSv1.3 than openssl 1.1.1
mod_ssl: add experimental support for TLSv1.3
https://github.com/apache/httpd/commit/d5943f3e6a0fba6aada7cb90ab6a7f42081be308

Virsacer (virsacer) wrote :

When setting LogLevel to debug, I get something:

root@Ubuntu /var/log/apache2 $ tail -fn 0 access.log error.log
==> access.log <==

==> error.log <==
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2006 GMT / notafter: xxxxxxxxxxxxxxx 2036 GMT]
[Tue Nov 20 22:05:03.543249 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2014 GMT / notafter: xxxxxxxxxxxxxxx 2029 GMT]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxx,emailAddress=xxxxxxxxxxxxxxxxxxxxx / issuer: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2017 GMT / notafter: xxxxxxxxxxxxxxx 2020 GMT]
[Tue Nov 20 22:05:03.543663 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x23 -> subcache 3)
[Tue Nov 20 22:05:03.543690 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Nov 20 22:05:03.543694 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1977
[Tue Nov 20 22:05:03.543697 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.569169 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.571000 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.579805 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denie...

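The log excerpt above shows the symptom clearly: the client chain is verified (AH02275, depths 2/1/0), the TLSv1.2 handshake completes (AH02041), and then nothing happens for two minutes until authz_core reports "no authenticated user yet". The following script is an added example, not code from the reporter or from the httpd project: it correlates, per [client ip:port], the handshake-complete line with the first authorization decision on that connection and flags connections where the gap exceeds a threshold, so a stalled client-certificate login can be picked out of a debug-level error.log without reading it by hand. The sample log lines are constructed to mirror the excerpt above (subject names, the second healthy connection and the 10-second threshold are illustrative assumptions).

```python
import re
from datetime import datetime

# Constructed sample modelled on the error.log excerpt in this report. The
# certificate subjects, the second (healthy, TLSv1.3) connection and the
# "granted" decision are illustrative, not the reporter's data.
SAMPLE_ERROR_LOG = """\
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=Example Root CA,C=CH / issuer: CN=Example Root CA,C=CH]
[Tue Nov 20 22:05:03.543249 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=Example Issuing CA,C=CH / issuer: CN=Example Root CA,C=CH]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=alice,emailAddress=alice@example.test / issuer: CN=Example Issuing CA,C=CH]
[Tue Nov 20 22:05:03.543663 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x23 -> subcache 3)
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.569169 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:10:00.100000 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.3:40000] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Tue Nov 20 22:10:00.150000 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.3:40000] AH01626: authorization result of Require valid-user : granted
"""

# Apache 2.4 error.log layout: [timestamp] [module:level] [pid:tid] source(line): [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid \d+(?::tid \d+)?\] "
    r"(?:\S+\(\d+\): )?"                # source file and line, optional
    r"\[client (?P<client>[^\]]+)\] "   # absent on socache lines, which carry no connection
    r"(?P<msgid>AH\d{5}): (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one per-connection error.log line; return None for lines without a
    [client ...] tag (for example the socache_shmcb entries in the excerpt)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec


def _new_connection(client):
    return {"client": client, "chain_depths": [], "protocol": None,
            "cipher": None, "handshake_at": None, "first_authz_at": None}


def find_stalled_logins(log_text, threshold_seconds=10.0):
    """For each [client ip:port], pair the handshake-complete line (AH02041) with
    the first authz_core decision that follows it and report the gap. A depth-0
    entry in AH02275 means the client certificate itself was verified during the
    handshake, which is what makes a long gap afterwards suspicious."""
    conns = {}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        conn = conns.setdefault(rec["client"], _new_connection(rec["client"]))
        if rec["msgid"] == "AH02275":
            conn["chain_depths"].append(int(re.search(r"depth (\d+)", rec["msg"]).group(1)))
        elif rec["msgid"] == "AH02041":
            pm = re.match(r"Protocol: (\S+), Cipher: (\S+)", rec["msg"])
            conn["protocol"], conn["cipher"] = pm.group(1), pm.group(2)
            conn["handshake_at"] = rec["ts"]
        elif rec["module"] == "authz_core" and conn["handshake_at"] and conn["first_authz_at"] is None:
            conn["first_authz_at"] = rec["ts"]
            delay = (rec["ts"] - conn["handshake_at"]).total_seconds()
            findings.append({
                "client": conn["client"],
                "protocol": conn["protocol"],
                "cipher": conn["cipher"],
                "client_cert_verified": 0 in conn["chain_depths"],
                "delay_seconds": round(delay, 3),
                "stalled": delay >= threshold_seconds,
            })
    return findings


if __name__ == "__main__":
    for f in find_stalled_logins(SAMPLE_ERROR_LOG):
        flag = "STALLED" if f["stalled"] else "ok"
        print(f"{f['client']:>18} {f['protocol']:<8} cert_verified={f['client_cert_verified']!s:<5} "
              f"delay={f['delay_seconds']:>9.3f}s {flag}")
```

Run it against a debug-level error.log (LogLevel ssl:debug authz_core:debug is enough; the socache lines are ignored). The connection from the excerpt shows a verified client certificate followed by a gap of roughly 120 seconds before the first authorization decision, which matches the reporter's timeout; a healthy connection shows a gap of milliseconds. Keying on [client ip:port] ties lines to one TCP connection, so keep-alive requests after the first are not counted.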

Changed in apache2 (Ubuntu):
status: New → Confirmed
assignee: nobody → Dirk Leopold Feiler (dlfworldde)