Comment 31 for bug 1865900

Revision history for this message
Vladimir Mencl (vladimir-mencl) wrote :

Hi Marc,

Thanks for getting back to me.

I've been testing this with `wget` and `curl`. And it worked before 2.4.29-1ubuntu4.13 (with 2.4.29-1ubuntu4.12), even with TLSv1.3.

Note that this particular use case, I actually don't need (or want) the clients to authenticate.

I just want the server to *offer* authentication when accessing a particular URL (/api) - with "SSLVerifyClient optional".

Some API calls are authenticated, some unauthenticated. The web application behind Apache would check whether authentication is provided based on the actual call invoked.

And the clients that are breaking now are clients that would just call unauthenticated APIs and would not authenticate.

So as per my earlier post, this is an omission in the patch applied from upstream (tlsv1.3-support-3.patch) - which fails with HTTP_FORBIDDEN when authentication is not provided, forgetting to check if it was optional.

I hope I've now explained properly what I mean by the regression - please let me know if this needs any further clarification.

I have checked upstream SVN history and there is no subsequent change to ssl_engine_kernel.c that would be fixing this - not even in trunk.

So at this point, there are no further fixes to backport and this needs to be fixed upstream.

I hope my report upstream - - will get this sorted.