REMOTE_USER environmental variable not set for TLSv1.3 connections
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
Bug Description
The recent backport of TLSv1.3 code to Ubuntu 18.04's version of apache2 breaks wsgi scripts that use client certificate authentication because the REMOTE_USER environmental variable is not being set for a TLSv1.3 connection. I tracked down the cause and it is because this upstream patch has not been included: https:/
Running Ubuntu 18.04.4 LTS
The bug was introduced in apache2-
The affected source file is: httpd-2.
What you expected to happen: When a wsgi script is called, using client certificate authentication, and a TLSv1.3 connection is negotiated, the environmental variable REMOTE_USER should be set to the client certificate's CN. (SSLUserName SSL_CLIENT_S_DN_CN is set in the apache config file)
What happened instead: The REMOTE_USER environmental variable doesn't exist unless I restrict the connection to TLSv1.2.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apache2 2.4.29-1ubuntu4.12
ProcVersionSign
Uname: Linux 4.15.0-88-generic x86_64
Apache2ConfdDir
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
httpd (pid 19397) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
Date: Thu Mar 12 23:09:34 2020
InstallationDate: Installed on 2020-03-04 (8 days ago)
InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
[Thu Mar 12 06:25:02.361354 2020] [ssl:warn] [pid 19397] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Mar 12 06:25:02.361788 2020] [mpm_prefork:
[Thu Mar 12 06:25:02.361812 2020] [core:notice] [pid 19397] AH00094: Command line: '/usr/sbin/apache2'
modified.
mtime.conffile.
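The description above relies on mod_ssl populating REMOTE_USER from the client certificate (`SSLUserName SSL_CLIENT_S_DN_CN`) and on the WSGI script trusting that variable. The following is an added example, not code from the bug report or from the apache2 package: a small WSGI application that fails closed when REMOTE_USER is absent rather than treating the caller as anonymous, and that names the negotiated protocol in its log line so a gap that appears only on TLSv1.3 connections is visible. The `SSL_PROTOCOL` variable is only present when `SSLOptions +StdEnvVars` is enabled; the sample environments `ENV_TLS12` and `ENV_TLS13` are constructed to mirror the two behaviours the reporter describes.

```python
"""Fail-closed WSGI guard for client-certificate authentication (added example)."""
import logging
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("certauth")


def check_client_auth(environ):
    """Return (status, body) for the request described by environ.

    REMOTE_USER is the identity mod_ssl derives from the client certificate
    when SSLUserName is configured. SSL_PROTOCOL is present only with
    'SSLOptions +StdEnvVars' and is used here purely for diagnostics.
    """
    user = environ.get("REMOTE_USER")
    proto = environ.get("SSL_PROTOCOL", "unknown")
    if not user:
        # A missing REMOTE_USER means the certificate identity was not
        # propagated (as on TLSv1.3 in the report), not that the client is
        # anonymous, so refuse the request instead of serving it.
        log.warning("REMOTE_USER unset on %s connection; denying", proto)
        return "403 Forbidden", "client certificate identity not available (%s)\n" % proto
    return "200 OK", "hello %s over %s\n" % (user, proto)


def application(environ, start_response):
    """WSGI entry point: delegate to check_client_auth and emit the response."""
    status, body = check_client_auth(environ)
    data = body.encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(data)))])
    return [data]


# Constructed sample environments (not captured from a real server).
ENV_TLS12 = {"SSL_PROTOCOL": "TLSv1.2", "REMOTE_USER": "alice.example"}
ENV_TLS13 = {"SSL_PROTOCOL": "TLSv1.3"}  # REMOTE_USER absent, as in the bug


def run_sample(env):
    """Drive application() through wsgiref defaults; return (status, body)."""
    environ = dict(env)
    setup_testing_defaults(environ)  # fills in PATH_INFO, SERVER_NAME, etc.
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(application(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    for name, env in (("TLSv1.2", ENV_TLS12), ("TLSv1.3", ENV_TLS13)):
        print(name, run_sample(env))
```

Deployed under mod_wsgi, the same `application` object is what Apache calls; the denial on the TLSv1.3 path turns a silent loss of authentication into a logged 403 that shows up in access and error logs.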
tags: added: regression-update
tags: added: bitesize
tags: added: bionic-openssl-1.1
This isn't exactly the same, but it is related to bug 1865900 and bug 1834671.
Overall, triggered by bug 1845263 adding TLSv1.3.
@Marc, you did the former upload, and since it is an update regression that would need a push to -security, I wanted to ask if you'd evaluate the patch above and whether you agree that it would alleviate some of the issues we see - at least this one here, but maybe even a few that were formerly thought to be bug 1865900 / bug 1834671.
For now, setting to Confirmed and assigning to you to consider the linked change.