Bug #1803689 “Login with client cert times out” : Bugs : apache2 package : Ubuntu

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-11-20:

#1

Do you have logs of this failure? I wonder if https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1802630 is the same issue

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-11-20:

#2

Just pulling up some commits:

mod_ssl: Correctly merge configurations that have client certificates…
https://github.com/apache/httpd/commit/c4db6aaf8eabc2cc9849900b08ba4ccd2228da12

mod_ssl: We need to get the SSL_CTX for further processing
https://github.com/apache/httpd/commit/5b0b68bdfd5a9ac5def45402723d32c5bd39cd8f

Maybe interesting:

Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes post-handshake authentication.
https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844

Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.
https://github.com/apache/httpd/commit/557b8d1769dc4a207641d313e20fc3e68fd4705d

The big one, but more about TLSv1.3 than openssl 1.1.1
mod_ssl: add experimental support for TLSv1.3
https://github.com/apache/httpd/commit/d5943f3e6a0fba6aada7cb90ab6a7f42081be308

Revision history for this message

Virsacer (virsacer) wrote on 2018-11-20:

#3

Download full text (8.9 KiB)

When setting LogLevel to debug, I get something:

root@Ubuntu /var/log/apache2 $ tail -fn 0 access.log error.log
==> access.log <==

==> error.log <==
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2006 GMT / notafter: xxxxxxxxxxxxxxx 2036 GMT]
[Tue Nov 20 22:05:03.543249 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2014 GMT / notafter: xxxxxxxxxxxxxxx 2029 GMT]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxx,emailAddress=xxxxxxxxxxxxxxxxxxxxx / issuer: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2017 GMT / notafter: xxxxxxxxxxxxxxx 2020 GMT]
[Tue Nov 20 22:05:03.543663 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x23 -> subcache 3)
[Tue Nov 20 22:05:03.543690 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Nov 20 22:05:03.543694 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1977
[Tue Nov 20 22:05:03.543697 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.569169 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.571000 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.579805 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denie...

When setting LogLevel to debug, I get something:

root@Ubuntu /var/log/apache2 $  tail -fn 0 access.log error.log
==> access.log <==

==> error.log <==
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2006 GMT / notafter: xxxxxxxxxxxxxxx 2036 GMT]
[Tue Nov 20 22:05:03.543249 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2014 GMT / notafter: xxxxxxxxxxxxxxx 2029 GMT]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxx,emailAddress=xxxxxxxxxxxxxxxxxxxxx / issuer: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2017 GMT / notafter: xxxxxxxxxxxxxxx 2020 GMT]
[Tue Nov 20 22:05:03.543663 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x23 -> subcache 3)
[Tue Nov 20 22:05:03.543690 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Nov 20 22:05:03.543694 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1977
[Tue Nov 20 22:05:03.543697 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.569169 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.571000 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.579805 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.580154 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.580191 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.580227 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require all granted: granted
[Tue Nov 20 22:07:03.580233 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: granted
[Tue Nov 20 22:07:03.581097 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(757): [client 10.0.2.2:55646] AH02255: Changed client verification type will force renegotiation
[Tue Nov 20 22:07:03.581127 2018] [ssl:info] [pid 3115:tid 139645123802880] [client 10.0.2.2:55646] AH02221: Requesting connection re-negotiation
[Tue Nov 20 22:07:03.581148 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(987): [client 10.0.2.2:55646] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Tue Nov 20 22:07:03.581274 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.581316 2018] [ssl:info] [pid 3115:tid 139645123802880] [client 10.0.2.2:55646] AH02226: Awaiting re-negotiation handshake
[Tue Nov 20 22:07:03.581803 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2196): [client 10.0.2.2:55646] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Nov 20 22:07:03.581853 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_util_stapling.c(761): AH01951: stapling_cb: OCSP Stapling callback called
[Tue Nov 20 22:07:03.581859 2018] [ssl:info] [pid 3115:tid 139645123802880] AH01926: stapling_get_certinfo: stapling not supported for certificate
[Tue Nov 20 22:07:03.970096 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2006 GMT / notafter: xxxxxxxxxxxxxxx 2036 GMT]
[Tue Nov 20 22:07:03.970260 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2014 GMT / notafter: xxxxxxxxxxxxxxx 2029 GMT]
[Tue Nov 20 22:07:03.970345 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxx,emailAddress=xxxxxxxxxxxxxxxxxxxxx / issuer: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2017 GMT / notafter: xxxxxxxxxxxxxxx 2020 GMT]
[Tue Nov 20 22:07:03.970979 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0xee -> subcache 14)
[Tue Nov 20 22:07:03.971003 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Nov 20 22:07:03.971006 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1977
[Tue Nov 20 22:07:03.971008 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Nov 20 22:07:03.971025 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:09:04.005919 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:09:04.005998 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:09:04.006096 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:09:04.006127 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:09:04.006158 2018] [headers:debug] [pid 3115:tid 139645123802880] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()

==> access.log <==
[20/Nov/2018:22:04:50 +0100] 10.0.2.2 - - "GET / HTTP/1.1" 401 5367 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

==> error.log <==
[Tue Nov 20 22:09:09.012135 2018] [ssl:debug] [pid 3115:tid 139645115410176] ssl_engine_io.c(1103): [client 10.0.2.2:55646] AH02001: Connection closed to child 9 with standard shutdown (server Apache:443)

Dirk Leopold Feiler (dlfworldde) on 2018-11-22

Changed in apache2 (Ubuntu):
status:	New → Confirmed
assignee:	nobody → Dirk Leopold Feiler (dlfworldde)

Revision history for this message

Virsacer (virsacer) wrote on 2018-12-10:

#4

Any chance 2.4.37-1 from buster/sid will be availible in devel/disco soon?

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-12-12:

#5

Apache will be updated soon in disco. As for this specific bug, I need to setup a test scenario.

Revision history for this message

Virsacer (virsacer) wrote on 2019-02-06:

#6

The timeout does not occur with 2.4.38-2ubuntu1

Thank you!

Robie Basak (racb) on 2019-02-07

Changed in apache2 (Ubuntu):
importance:	Undecided → High

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2019-02-11:

#7

So disco is good; but I guess cosmic is still affected, and bionic will be affected soon with the arrival of OpenSSL 1.1.1 there.

Changed in apache2 (Ubuntu Disco):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-06-18:

#8

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu Bionic):
status:	New → Confirmed
Changed in apache2 (Ubuntu Cosmic):
status:	New → Confirmed

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-06-28:

#10

Discussion is happening in bug #1833039, so I'm marking this as a duplicate of that one.

Ubuntu
apache2 package

Login with client cert times out

Bug Description

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
apache2 (Ubuntu)	Fix Released	High	Dirk Leopold Feiler
Bionic	Confirmed	Undecided	Unassigned
Cosmic	Confirmed	Undecided	Unassigned
Disco	Fix Released	High	Dirk Leopold Feiler

Ubuntuapache2 package

Login with client cert times out

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
apache2 package