Apache2 2.4.41 Causes TLSv1.3 Errors and Disconnects

Bug #1848577 reported by Daniel Doubet on 2019-10-17
Affects: apache2 (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

System: Ubuntu 18.04.3 LTS
ppa:ondrej/apache2 NOT default Ubuntu source.

I am using apache2 as a reverse proxy for the diaspora social network. It appears to only affect this site, and none of the other sites (Mastodon, Peertube, Wordpress, YOURLS, and Friendica to name a few).

On version 2.4.38, I can connect to sites using TLSv1.3 from Firefox and Chrome. If you were to use `curl -v https://diaspora.my.domain` you would receive output like:
```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
```
And after updating to 2.4.41:
```
user@comp:~$ curl -v https://diaspora.my.domain
* Rebuilt URL to: https://diaspora.my.domain/
* Trying pub.lic.ip.adr...
* TCP_NODELAY set
* Connected to diaspora.my.domain (pub.lic.ip.adr) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=diaspora.my.domain
* start date: Sep 3 19:43:07 2019 GMT
* expire date: Dec 2 19:43:07 2019 GMT
* subjectAltName: host "diaspora.my.domain" matched cert's "diaspora.my.domain"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55df26b776b0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: diaspora.my.domain
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
```

Behaviour:
The website will load from cache, then never load. If no cache is used, the website never loads and eventually you get a "server is not responding" message.
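To compare the two transcripts mechanically rather than by eye, here is an added Python example (my own code, not from the report, Apache or curl) that parses curl's `-v` TLS trace lines, checks whether a Finished message was logged in both directions, lists the records curl labelled "Unknown", and reports handshake types that appear only in the second trace. The two embedded traces are constructed excerpts of the transcripts quoted above; the function names are my own.

```python
import re
from collections import namedtuple

# One curl -v TLS trace line, e.g. "* TLSv1.3 (IN), TLS handshake, Certificate (11):"
TLS_LINE = re.compile(r"^\* TLSv[\d.]+ \((IN|OUT)\), ([^,]+), (.+?) \((\d+)\):$")

# direction: IN = server to client, OUT = client to server; record/message are curl's labels
TlsEvent = namedtuple("TlsEvent", "direction record message number")

def parse_trace(text):
    """Keep only the TLS trace lines of a curl -v transcript, in order."""
    found = (TLS_LINE.match(line.strip()) for line in text.splitlines())
    return [TlsEvent(m[1], m[2], m[3], int(m[4])) for m in found if m]

def handshake_completed(events):
    """True once curl logged a Finished message in both directions."""
    seen = {(e.direction, e.message) for e in events}
    return {("IN", "Finished"), ("OUT", "Finished")} <= seen

def undecoded(events):
    """Records curl labelled Unknown: curl's trace decoder, not the server, failed to name them."""
    return [e for e in events if "Unknown" in e.record or "Unknown" in e.message]

def new_handshake_types(before, after):
    """Handshake type numbers seen in `after` but not in `before` (numbers survive odd labels)."""
    types = lambda evs: {e.number for e in evs if e.record == "TLS handshake"}
    return types(after) - types(before)

# Constructed excerpts of the two transcripts quoted in the report (2.4.38, then 2.4.41).
TRACE_2_4_38 = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
"""
TRACE_2_4_41 = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
"""
```

On the report's own transcripts both handshakes reach Finished in each direction, so the hang described above starts after the TLS handshake rather than inside it.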

affects: php-console-table (Ubuntu) → apache2 (Ubuntu)

Hi Daniel,
thanks for the report.

Such things always smell a bit like "intentionally done for security reasons", but then complexity sometimes is so high that one doesn't directly see what is going on and why. I didn't see anything suspicious in your logs, but the fact that it works for the other sites you listed makes me expect a subtle configuration difference.

I subscribed ubuntu-security so that, if this behavior is in any way known or expected, they can let us know about it.

Since "ppa:ondrej/apache2" isn't really supported, could you, with your existing setup, quickly check whether the official 2.4.41-1ubuntu1 in Ubuntu 19.10 is affected as well?
