18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

Bug #1833039 reported by Benjamin Schneider on 2019-06-17
62
This bug affects 10 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
High
Unassigned
Bionic
High
Andreas Hasenack
Cosmic
High
Andreas Hasenack

Bug Description

[Impact]
Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled):
* TLSv1.2
* client certificate authentication in use
* a Location, Directory, or other such block defining the client certificate authentication for that block only, differing from the SSL vhost as a whole

This was triggered by the OpenSSL 1.1.1 SRU and was caused by this openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by default: https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130

[Test Case]

It helps if you have lxd up and running. Otherwise, a VM or even bare metal host also works, as long as you stick to the "ubuntu" hostname.

Launch a container for the release you are testing. The command below is for bionic:
$ lxc launch ubuntu-daily:bionic ubuntu

Enter the container as root:
$ lxc exec ubuntu bash

Verify hostname is "ubuntu":
# hostname
ubuntu

Install apache2:
apt update && apt install apache2

Download the following files from this bug report and place them in /etc/apache2:
cd /etc/apache2
wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

Adjust permissions of the key file:
chmod 0640 /etc/apache2/ubuntu.key
chgrp www-data /etc/apache2/ubuntu.key

Download the client certificate and key files and place them in /root:
cd /root
wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key

Create this vhost file (caution, lines may wrap, in particular LogFormat: it should be one long line):
cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        LogLevel info ssl:warn
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
        ErrorLog \${APACHE_LOG_DIR}/error.log
        CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
        SSLEngine on
        SSLCertificateFile /etc/apache2/ubuntu.pem
        SSLCertificateKeyFile /etc/apache2/ubuntu.key
        SSLCACertificateFile /etc/apache2/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        <Location />
                SSLVerifyClient require
                Require ssl-verify-client
        </Location>
    </VirtualHost>
</IfModule>
EOF

Enable the ssl module and this new vhost we just created:
a2enmod ssl && a2ensite cert-auth-test.conf

Restart apache2:
systemctl restart apache2

If at this stage you try the following command, it will fail like this because no client certificate was provided:
# curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (56) OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

And the apache error log will confirm the reason:
[Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?

Now retry, but providing the client certificate and key files, and forcing TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 seconds, but the index.html file will be downloaded:
# rm -f index.html
# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 706 0 0:00:15 0:00:15 --:--:-- 2579
# ll index.html
-rw-r--r-- 1 root root 10918 Jul 1 14:15 index.html

Apache will log this in the error.log file:
[Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout

That is due to modreqtimeout kicking in.
In the access.log file, we will have the request:
10.0.100.215 - - [01/Jul/2019:14:15:22 +0000] "GET / HTTP/1.1" 200 16544 "-" "curl/7.58.0" protocol=TLSv1.2 commonName=client-auth

The protocol and commonName parts confirm the protocol that was used, and the commonName of the client certificate that was used for authentication.
So it works, but takes a long time for each request. This verifies the bug.

After installing the fixed apache2 packages, the download completes almost instantly:
# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 333k 0 --:--:-- --:--:-- --:--:-- 333k

The apache access log confirms the protocol and that client certificate authentication was used:
10.0.100.215 - - [01/Jul/2019:14:29:56 +0000] "GET / HTTP/1.1" 200 16525 "-" "curl/7.58.0" protocol=TLSv1.2 commonName=client-auth

And the error log gets no new entries. This verifies the bug is fixed.

[Regression Potential]
This is reverting, in mod_ssl, a settings change that was made in openssl 1.1.1. It's committed upstream in mod_ssl, and I found no other follow-up commits about this.
This being SSL-related, of course it can have surprises and be complicated. The openssl commit even warns that hangs could occur (which happened in this bug here), and it's expected that applications that are affected adjust accordingly.

[Other Info]
The upstream mod_ssl commit that made this change also changed something else in the code, but we decided to not adopt it because it's TLSv1.3 specific, and that version of the protocol is not enabled in the apache builds from bionic or cosmic. TLSv1.3 is deemed complete only in apache 2.4.37 and later (http://www.apache.org/dist/httpd/CHANGES_2.4.37)

[Original Description]
I am using Apache2 with client certificate authentication.
Since recently (last week) and without any configuration changes, the following errors occur frequently:

AH02042: rejecting client initiated renegotiation

Client connections are very slow and sometimes it takes more than a minute until a weg page can be opened in the browser.
Before installation of the latest security fixes last week, this error did not occur.

Could it be related to https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689?

System information:

Description: Ubuntu 18.04.2 LTS
Release: 18.04

apache2:
  Installiert: 2.4.29-1ubuntu4.6
  Installationskandidat: 2.4.29-1ubuntu4.6
  Versionstabelle:
 *** 2.4.29-1ubuntu4.6 500
        500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.29-1ubuntu4 500
        500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

openssl:
  Installiert: 1.1.1-1ubuntu2.1~18.04.2
  Installationskandidat: 1.1.1-1ubuntu2.1~18.04.2
  Versionstabelle:
 *** 1.1.1-1ubuntu2.1~18.04.2 500
        500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.0g-2ubuntu4.3 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 500
        500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Related branches

Andreas Hasenack (ahasenack) wrote :

Possibly related, yes, specially now that openssl 1.1.1 arrived. If you downgrade to 1.1.0g from bionic-security, does the problem still happen?

Downgrade was not so easy, because apt wanted to remove a heck of a lot of other packages.
In the end I manually unpacked libsssl1.1_1.1.0g-2ubuntu4.3_amd64.deb and copied the files over.
-> The problem was fixed.

So indeed the openssl library 1.1.1 caused these issues.

Thanks for the check Benjamin, adding a task for openssl and assigning xnox who did the upload as he might know best about known/common issues that occurred due to this.

summary: - 18.04/Apache2: rejecting client initiated renegotiation
+ 18.04/Apache2: rejecting client initiated renegotiation due to openssl
+ 1.1.1
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Changed in openssl (Ubuntu):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

@benjamin

I believe disabling TLSv1.3 via openssl.cnf tweak would work too, without downgrading openssl.

Ie. Using something like this https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch

(Probably without the CipherString line, which will raise security requirements higher than the default)

Dimitri John Ledkov (xnox) wrote :

@ssp297

I believe this is different. renegotiation & client certs do not depend on each other, and can be used together or separately.

Dimitri John Ledkov (xnox) wrote :

I think for this ticket we want:

commit b5872f95b64177212b2e129dcae15d91c46abbc8
Author: Yann Ylavic <email address hidden>
Date: Fri Jun 15 11:12:19 2018 +0000

    mod_ssl: disable check for client initiated renegotiations with TLS 1.3.

    This is already forbidden by the protocol, enforced by OpenSSL, and the
    current logic can't work (ssl_callback_Info() may be called multiple times
    with TLS 1.3).

    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833588 13f79535-47bb-0310-9956-ff
a450edef68

tags: added: regression-update rls-bb-incoming
Tilman Sandig (ssp297) wrote :

@xnox: I think you are right with mod_ssl; I run apache2 2.4.39 (built from sources, the above mentioned mod_ssl-patch is probably included here?) on ubuntu 18.04 and was not aware I had to rebuild it after the ubuntu-update to OpenSSL 1.1.1; after the rebuild everything seems to be fine!
Thanks!

fredbcode (fredbcode) wrote :

apt-get update && apt-get install -y --no-install-recommends --allow-downgrades \
        libssl1.1=1.1.0g-2ubuntu4.3 openssl=1.1.0g-2ubuntu4.3 \

Temporary fix this issue particularly painful in production

Paride Legovini (legovini) wrote :

Thanks for the reports and comments. I setup a PPA with patch pointed out by xnox in comment #7 on bionic's apache2 source package:

  https://launchpad.net/~legovini/+archive/ubuntu/apache2-lp1833039

It would be great to have some feedback on the effectiveness of the patch. Thank you!

J Manzano (jmanzano) wrote :

I've tried it and its not working for me. Do you need some log or something I can try?

Andreas Hasenack (ahasenack) wrote :

I can reproduce this with stock bionic (plus updates applied).

==> /var/log/apache2/error.log <==
[Thu Jun 27 19:37:43.049064 2019] [ssl:error] [pid 3084:tid 140343919978240] [client 10.0.100.1:45036] AH02261: Re-negotiation handshake failed

It's a bit complicated to setup, as usual with SSL certificates, but doable.

Let me try the ppa now.

Andreas Hasenack (ahasenack) wrote :

Same thing. Another, or an additional, fix is needed.

Andreas Hasenack (ahasenack) wrote :

This is confusing, I'm seeing the timeout with a TLSv1.2 connection, and the commit pointed out in comment #9 mentions TLSv1.3.

Andreas Hasenack (ahasenack) wrote :

I can try some or all of the patches mentioned in https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689/comments/2

That bug might be a duplicate, btw. (or this one)

Andreas Hasenack (ahasenack) wrote :

https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5
"Moving "SSLVerifyClient require" outside of the <Location> block instantly returns the document. So it does appear to be ONLY the renegotiation case.
"

That works here too, in my simple test case. I had this location directive:
                <Location />
                        SSLVerifyClient require
                        Require ssl-verify-client
                </Location>

By moving SSLVerifyClient to the vhost level, i.e., the whole site requires it, then re-negotiation isn't triggered and access works without a timeout.

Changed in openssl (Ubuntu):
status: Confirmed → Incomplete
no longer affects: openssl (Ubuntu Bionic)
no longer affects: openssl (Ubuntu Cosmic)
Changed in apache2 (Ubuntu Bionic):
status: New → Confirmed
Changed in apache2 (Ubuntu Cosmic):
status: New → Confirmed
Andreas Hasenack (ahasenack) wrote :

The PPA has cosmic and bionic packages. I tested with the prefork, worked and event MPMs, and also ran the apache DEP8 tests. All passed.

I'll prepare MPs, update this bug with the SRU template and testing instructions, and get ready to release this early next week.

Andreas Amann (awobnsu) wrote :

@ahasenack:

Yes, that ppa (in #19) also solved the problem mentinoned in my linked bugreport
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833896

A big "thank you" to you and all others who helped to solve this problem!!

@Andreas Hasenack:

Many thanks - the patches from your PPA worked.

description: updated
description: updated
Andreas Hasenack (ahasenack) wrote :

fake CA

description: updated
Andreas Hasenack (ahasenack) wrote :

server certificate

Andreas Hasenack (ahasenack) wrote :

server key

Andreas Hasenack (ahasenack) wrote :

client certificate

Andreas Hasenack (ahasenack) wrote :

client key

description: updated
description: updated
description: updated
description: updated
description: updated
Changed in apache2 (Ubuntu Cosmic):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Changed in apache2 (Ubuntu Cosmic):
importance: Undecided → High
Changed in apache2 (Ubuntu):
importance: Undecided → Critical
status: Confirmed → Fix Released
importance: Critical → High
Changed in apache2 (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Cosmic):
status: Confirmed → In Progress
Changed in openssl (Ubuntu):
status: Incomplete → Invalid
Paride Legovini (legovini) wrote :

I followed the test steps in the description and I can confirm the fix works as expected. Thanks Andreas for making a complicated setup so easy to test!

Andreas Hasenack (ahasenack) wrote :

Packages uploaded to their respective -proposed queues, it's up to the SRU team now.

Hello Benjamin, or anyone else affected,

Accepted apache2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apache2 (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in apache2 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Benjamin, or anyone else affected,

Accepted apache2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apache2 (2.4.34-1ubuntu2.2) for cosmic have finished running.
There have been regressions in tests triggered by the package. Please visit the sru report page and investigate the failures.

https://people.canonical.com/~ubuntu-archive/pending-sru.html#cosmic

Andreas Hasenack (ahasenack) wrote :

I'm checking.

Andreas Hasenack (ahasenack) wrote :

There are dozens of cosmic tests still running

All autopkgtests for the newly accepted apache2 (2.4.29-1ubuntu4.7) for bionic have finished running.
There have been regressions in tests triggered by the package. Please visit the sru report page and investigate the failures.

https://people.canonical.com/~ubuntu-archive/pending-sru.html#bionic

I can confirm that the bug was fixed by installing the updated 2.4.29-1ubuntu4.7 package from bionic-proposed. Thank you all for your help.

Petter A. Urkedal (paurkedal) wrote :

apache2.2.4.29-1ubuntu4.7 also fixed the issue for us. Thanks!

no longer affects: openssl (Ubuntu)
Andreas Hasenack (ahasenack) wrote :

bionic verification

Confirming the bug with the distro packages:
# apt-cache policy apache2
apache2:
  Installed: 2.4.29-1ubuntu4.6
  Candidate: 2.4.29-1ubuntu4.6
  Version table:
 *** 2.4.29-1ubuntu4.6 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

index is downloaded, but after a long time:
root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 705 0 0:00:15 0:00:15 --:--:-- 2559
root@ubuntu:~# ll index.html
-rw-r--r-- 1 root root 10918 Jul 5 13:28 index.html

apache error log shows reqtimeout kicking in:
[Fri Jul 05 13:28:20.265457 2019] [reqtimeout:info] [pid 1760:tid 139887202260736] [client 10.0.100.235:34764] AH01382: Request body read timeout

access log confirms the client certificate was used:
10.0.100.235 - - [05/Jul/2019:13:28:04 +0000] "GET / HTTP/1.1" 200 16544 "-" "curl/7.58.0" protocol=TLSv1.2 commonName=client-auth

With the updated package:
 *** 2.4.29-1ubuntu4.7 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

The download is immediate:
root@ubuntu:~# rm index.html
root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 969k 0 --:--:-- --:--:-- --:--:-- 969k
root@ubuntu:~# ll index.html
-rw-r--r-- 1 root root 10918 Jul 5 13:32 index.html

bionic verification succeeded

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

Cosmic verification
Confirming the bug with the distro packages:
 *** 2.4.34-1ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages

index is downloaded, but after a long delay:
# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 705 0 0:00:15 0:00:15 --:--:-- 2567

access log confirms the client certificate was used:
10.0.100.50 - - [05/Jul/2019:13:40:32 +0000] "GET / HTTP/1.1" 200 16544 "-" "curl/7.61.0" protocol=TLSv1.2 commonName=client-auth

Updating apache and repeating the download:
 *** 2.4.34-1ubuntu2.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

Now it's fast:
# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 10918 100 10918 0 0 1332k 0 --:--:-- --:--:-- --:--:-- 1332k

Log confirms client certificate authentication is still being used:
10.0.100.50 - - [05/Jul/2019:13:58:13 +0000] "GET / HTTP/1.1" 200 16525 "-" "curl/7.61.0" protocol=TLSv1.2 commonName=client-auth

The slight difference in downloaded data (16544 vs 16525) is due to less tls keep-alive pings in the success case. The md5 of index.html is identical:
# md5sum index.html*
3526531ccd6c6a1d2340574a305a18f8 index.html
3526531ccd6c6a1d2340574a305a18f8 index.html-before

Cosmic verification succeeded.

tags: added: verification-done-cosmic
removed: verification-needed-cosmic

The verification of the Stable Release Update for apache2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.34-1ubuntu2.2

---------------
apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden> Fri, 28 Jun 2019 17:41:48 -0300

Changed in apache2 (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.7

---------------
apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium

  * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
    authentication when built with openssl 1.1.1 (LP: #1833039)

 -- Andreas Hasenack <email address hidden> Fri, 28 Jun 2019 13:49:35 -0300

Changed in apache2 (Ubuntu Bionic):
status: Fix Committed → Fix Released

This change seems to cause a regression i have reported here:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1836329

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.