Hi Marc,
Thanks for the reply!
I have now done more extensive testing (incl. rebuilding apache2-2.4.29-1ubuntu4.12 from source).
I now understand that for essentially all HTTPS clients, it is necessary to update SSL API calls to support TLSv1.3 post-handshake authentication.
And I have also checked with a version of curl built right off the top of the github repo (7.70.0-DEV) - as an example of a client capable of post-handshake authentication.
With this version of curl, both apache2-2.4.29-1ubuntu4.12 and apache2-2.4.29-1ubuntu4.13 work over TLSv1.3 for both the authenticated and the unauthenticated API.
But older clients (not capable of post-handshake authentication), including the curl included with Ubuntu 18.04 (7.58.0), do not work with the authenticated API with either apache2-2.4.29-1ubuntu4.12 or apache2-2.4.29-1ubuntu4.13.
The only edge case is my use case of the unauthenticated API - that used to work with the older clients (not capable of post-handshake authentication) on apache2-2.4.29-1ubuntu4.12, but breaks with apache2-2.4.29-1ubuntu4.13 (for the older clients only).
I'll add these findings to my upstream report.
I agree the main point is updating all clients to support TLSv1.3 properly, including post-handshake authentication - the question is whether to let older clients get by when authentication is not required.
Let's see what I get upstream.
Cheers,
Vlad