Comment 33 for bug 1865900

Revision history for this message
Vladimir Mencl (vladimir-mencl) wrote :

Hi Marc,

Thanks for the reply!

I have now done more extensive testing (incl. rebuilding apache2-2.4.29-1ubuntu4.12 from source).

I now understand that for essentially all HTTPS clients,
it is necessary to update SSL API calls to support TLSv1.3
post-handshake authentication.

And I have also checked with a version of curl built right off the
top of the github repo (7.70.0-DEV) - as an example of a client
capable of post-handshake authentication.

With this version of curl, both apache2-2.4.29-1ubuntu4.12 and apache2-2.4.29-1ubuntu4.13 work over TLSv1.3 for both authenticated and unauthenticated API.

But older clients (not capable of post-handshake authentication), including curl included with Ubuntu 18.04 (7.58.0) do not work with the authenticated API with neither apache2-2.4.29-1ubuntu4.12 and apache2-2.4.29-1ubuntu4.13.

The only edge-case is my use case of unauthenticated API - that used to work with the older clients (not capable of post-handshake authentication) on apache2-2.4.29-1ubuntu4.12, but breaks with apache2-2.4.29-1ubuntu4.13 (for the older clients only).

I'll add these findings to my upstream report.

I agree the main point is updating all clients to support TLSv1.3 properly, including post-handshake authentication - the question is whether to let older clients get by when authentication is not required.

Let's see what I get upstream.