Login with client cert times out

Bug #1803689 reported by Virsacer on 2018-11-16
This bug affects 2 people
Affects             Status   Importance   Assigned to            Milestone
apache2 (Ubuntu)             High         Dirk Leopold Feiler
  Bionic                     Undecided    Unassigned
  Cosmic                     Undecided    Unassigned
  Disco                      High         Dirk Leopold Feiler

Bug Description

Apparently due to the inclusion of OpenSSL 1.1.1 a login with a client certificate times out.

This is probably fixed in Apache 2.4.37 (already available in sid and buster):

*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]

*) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]

*) ab: Add client certificate support. [Graham Leggett]

*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected. SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]

Andreas Hasenack (ahasenack) wrote :

Do you have logs of this failure? I wonder if https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1802630 is the same issue

Andreas Hasenack (ahasenack) wrote :

Just pulling up some commits:

mod_ssl: Correctly merge configurations that have client certificates…
https://github.com/apache/httpd/commit/c4db6aaf8eabc2cc9849900b08ba4ccd2228da12

mod_ssl: We need to get the SSL_CTX for further processing
https://github.com/apache/httpd/commit/5b0b68bdfd5a9ac5def45402723d32c5bd39cd8f

Maybe interesting:

Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes post-handshake authentication.
https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844

Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.
https://github.com/apache/httpd/commit/557b8d1769dc4a207641d313e20fc3e68fd4705d

The big one, but more about TLSv1.3 than openssl 1.1.1
mod_ssl: add experimental support for TLSv1.3
https://github.com/apache/httpd/commit/d5943f3e6a0fba6aada7cb90ab6a7f42081be308

Virsacer (virsacer) wrote :

When setting LogLevel to debug, I get something:

root@Ubuntu /var/log/apache2 $ tail -fn 0 access.log error.log
==> access.log <==

==> error.log <==
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2006 GMT / notafter: xxxxxxxxxxxxxxx 2036 GMT]
[Tue Nov 20 22:05:03.543249 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / issuer: CN=xxxxxxxxxxxxxx CA - G2,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2014 GMT / notafter: xxxxxxxxxxxxxxx 2029 GMT]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=xxxxxxxxxxxxxxxx,emailAddress=xxxxxxxxxxxxxxxxxxxxx / issuer: CN=xxxxxxxxxxxxxxxxxxxxxxx CA 2014 - G22,O=xxxxxxxxxxxx,C=CH / serial: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / notbefore: xxxxxxxxxxxxxxx 2017 GMT / notafter: xxxxxxxxxxxxxxx 2020 GMT]
[Tue Nov 20 22:05:03.543663 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x23 -> subcache 3)
[Tue Nov 20 22:05:03.543690 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Nov 20 22:05:03.543694 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1977
[Tue Nov 20 22:05:03.543697 2018] [socache_shmcb:debug] [pid 3115:tid 139645123802880] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.569169 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 20 22:07:03.571000 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:07:03.579805 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of <RequireAny>: denie...


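The debug excerpt above shows the pattern an operator would want to spot automatically: the client's certificate chain verifies (AH02275 down to depth 0), the handshake completes (AH02041), and then authorization is still reporting "no authenticated user yet" (AH01626) two minutes later, which is the request sitting in the stalled renegotiation. The following Python script is an added example written for this page, not code from the bug report or from the Apache project. It parses error.log lines with the format seen above, correlates the three message codes per client connection, and flags any connection where the gap between leaf-certificate verification and the first "no authenticated user yet" denial exceeds a threshold. The 60-second threshold and the sample log lines (modelled on the excerpt, with placeholder subjects) are constructed assumptions; the protocol field is kept because the commits cited in this thread affect TLSv1.2 renegotiation and TLSv1.3 post-handshake authentication differently.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample lines modelled on the error.log excerpt in this bug report.
# Client 10.0.2.2 reproduces the two-minute stall; client 10.0.2.3 is a healthy
# request where the first authz pass runs a fraction of a second after the handshake.
SAMPLE_LOG = """\
[Tue Nov 20 22:05:03.543044 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=example CA - G2,O=example,C=CH / issuer: CN=example CA - G2,O=example,C=CH / serial: 01 / notbefore: Jan  1 00:00:00 2006 GMT / notafter: Jan  1 00:00:00 2036 GMT]
[Tue Nov 20 22:05:03.543325 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(1584): [client 10.0.2.2:55646] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=user,emailAddress=user@example.invalid / issuer: CN=example CA 2014 - G22,O=example,C=CH / serial: 02 / notbefore: Jan  1 00:00:00 2017 GMT / notafter: Jan  1 00:00:00 2020 GMT]
[Tue Nov 20 22:05:03.543705 2018] [ssl:debug] [pid 3115:tid 139645123802880] ssl_engine_kernel.c(2069): [client 10.0.2.2:55646] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Nov 20 22:07:03.569091 2018] [authz_core:debug] [pid 3115:tid 139645123802880] mod_authz_core.c(820): [client 10.0.2.2:55646] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 20 22:05:10.100000 2018] [ssl:debug] [pid 3115:tid 139645123802881] ssl_engine_kernel.c(1584): [client 10.0.2.3:40000] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=other / issuer: CN=example CA 2014 - G22,O=example,C=CH / serial: 03 / notbefore: Jan  1 00:00:00 2017 GMT / notafter: Jan  1 00:00:00 2020 GMT]
[Tue Nov 20 22:05:10.200000 2018] [authz_core:debug] [pid 3115:tid 139645123802881] mod_authz_core.c(820): [client 10.0.2.3:40000] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
"""

# Apache 2.4 error.log layout: [timestamp] [module:level] [pid:tid] source(line): [client ip:port] AHxxxxx: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \S+ "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)


@dataclass
class ClientCertEvent:
    """What we learned about one client connection from its log lines."""
    client: str
    cert_verified_at: Optional[datetime] = None   # leaf (depth 0) certificate verified
    protocol: Optional[str] = None                # TLS version reported by AH02041
    first_denial_at: Optional[datetime] = None    # first "no authenticated user yet"

    @property
    def gap_seconds(self) -> Optional[float]:
        if self.cert_verified_at is None or self.first_denial_at is None:
            return None
        return (self.first_denial_at - self.cert_verified_at).total_seconds()


def parse_line(line: str) -> Optional[dict]:
    """Split one error.log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec


def analyze(log_text: str, stall_threshold: float = 60.0):
    """Correlate AH02275 / AH02041 / AH01626 per client and flag stalled cert logins.

    Returns (events_by_client, stalled_events). The threshold is an assumption:
    a healthy request reaches its first authz pass well under a second after the
    handshake, so anything in the tens of seconds points at a hung renegotiation.
    """
    events: dict[str, ClientCertEvent] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] is None:
            continue
        ev = events.setdefault(rec["client"], ClientCertEvent(rec["client"]))
        code, msg = rec["code"], rec["msg"]
        if code == "AH02275":
            depth = re.search(r"depth (\d+)", msg)
            if depth and int(depth.group(1)) == 0 and ev.cert_verified_at is None:
                ev.cert_verified_at = rec["ts"]
        elif code == "AH02041":
            proto = re.search(r"Protocol: (\S+),", msg)
            if proto:
                ev.protocol = proto.group(1)
        elif code == "AH01626" and "no authenticated user yet" in msg:
            if (ev.cert_verified_at is not None and ev.first_denial_at is None
                    and rec["ts"] >= ev.cert_verified_at):
                ev.first_denial_at = rec["ts"]
    stalled = [ev for ev in events.values()
               if ev.gap_seconds is not None and ev.gap_seconds >= stall_threshold]
    return events, stalled


if __name__ == "__main__":
    events, stalled = analyze(SAMPLE_LOG)
    for ev in events.values():
        state = "STALLED" if ev in stalled else "ok"
        print(f"{ev.client:20} {ev.protocol or '?':8} gap={ev.gap_seconds} {state}")
```

Run it against a real error.log captured with `LogLevel debug` (or `LogLevel ssl:debug authz_core:debug`) by replacing `SAMPLE_LOG` with the file contents; a flagged connection whose protocol is TLSv1.2 points at the renegotiation path, while TLSv1.3 points at post-handshake authentication, which is the distinction the cited commits draw.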
Changed in apache2 (Ubuntu):
status: New → Confirmed
assignee: nobody → Dirk Leopold Feiler (dlfworldde)

Virsacer (virsacer) wrote :

Any chance 2.4.37-1 from buster/sid will be available in devel/disco soon?

Andreas Hasenack (ahasenack) wrote :

Apache will be updated soon in disco. As for this specific bug, I need to set up a test scenario.

Virsacer (virsacer) wrote :

The timeout does not occur with 2.4.38-2ubuntu1

Thank you!

Robie Basak (racb) on 2019-02-07
Changed in apache2 (Ubuntu):
importance: Undecided → High

Dimitri John Ledkov (xnox) wrote :

So disco is good; but I guess cosmic is still affected, and bionic will be affected soon with the arrival of OpenSSL 1.1.1 there.

Changed in apache2 (Ubuntu Disco):
status: Confirmed → Fix Released