TLSv1.3 client certificate authentication with renegotiation unsupported in browsers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firefox (Ubuntu) | Fix Released | Undecided | Olivier Tilloy |
Bionic | Fix Released | Undecided | Olivier Tilloy |
Disco | Fix Released | Undecided | Olivier Tilloy |
Eoan | Fix Released | Undecided | Olivier Tilloy |
Bug Description
This is mostly a placeholder bug, as more information becomes available.
What is known so far is that a certain configuration of client certificate authentication using TLSv1.3 is not working with most (all at this point?) browsers, resulting in the server returning this error message:
Forbidden
You don't have permission to access / on this server.
Reason: Cannot perform Post-Handshake Authentication.
Apache/2.4.38 (Ubuntu) Server at disco-apache-
It also logs it to error.log:
[Fri Jun 28 16:59:24.596425 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10129: verify client post handshake
[Fri Jun 28 16:59:24.596493 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10158: cannot perform post-handshake authentication
[Fri Jun 28 16:59:24.596513 2019] [ssl:error] [pid 1391:tid 139642783385344] SSL Library Error: error:14268117:SSL routines:
These are upstream bugs about it:
Firefox: https:/
Chromium: https:/
Apache2 (invalid): https:/
One server workaround is to disable TLSv1.3. Something like this:
SSLProtocol all -SSLv3 -TLSv1.3
("-TLSv1.3" is what was added to that default config)
Sample server config to show the problem (minus the SSL certificate parameters):
<Location />
SSLVerifyClient require
Require ssl-verify-client
</Location>
Another workaround is to move the SSLVerifyClient config to the vhost level. If it is applied to the whole vhost, and there are no exceptions in specific blocks, then a renegotiation isn't triggered and the problem doesn't happen.
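The three mod_ssl layouts the description talks about, side by side, as an added illustration that is not part of the bug report above. Hostnames, certificate paths and the client CA file are placeholders, and the comments state why each layout does or does not need post-handshake authentication (PHA):

```apache
# Added example, not from the bug report. ServerName values and all file
# paths are assumed placeholders; adjust them to the deployment.

# 1. The layout that fails with TLSv1.3.
#    SSLVerifyClient inside <Location /> is a per-directory requirement. The
#    server only learns the requested path after the handshake has finished,
#    so with TLSv1.3 (no renegotiation) mod_ssl must request the certificate
#    afterwards via PHA. Browsers that do not implement PHA get
#    "403 Cannot perform Post-Handshake Authentication" and error.log shows
#    AH10129 / AH10158.
<VirtualHost *:443>
    ServerName tls13-broken.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    <Location />
        SSLVerifyClient require
        Require ssl-verify-client
    </Location>
</VirtualHost>

# 2. Workaround 1: disable TLSv1.3 for the vhost.
#    The per-directory check is then satisfied by a classic TLS 1.2
#    renegotiation instead of PHA. Cost: no client of this vhost gets TLSv1.3.
#    "all -SSLv3 -TLSv1.3" is what the description suggests; it still leaves
#    TLSv1 and TLSv1.1 enabled, so "-all +TLSv1.2" is the stricter spelling.
<VirtualHost *:443>
    ServerName no-tls13.example.test
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    <Location />
        SSLVerifyClient require
        Require ssl-verify-client
    </Location>
</VirtualHost>

# 3. Workaround 2: require the client certificate for the whole vhost.
#    The requirement is known before the handshake starts, so the certificate
#    is requested in the initial handshake and neither PHA nor renegotiation
#    is needed; TLSv1.3 stays enabled. Cost: every path in this vhost needs a
#    certificate, so an unauthenticated landing page or health check cannot
#    live here (it would reintroduce the per-directory case).
<VirtualHost *:443>
    ServerName vhost-verify.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Location />
        Require ssl-verify-client
    </Location>
</VirtualHost>
```

After `apachectl configtest` and a reload, a quick way to tell the layouts apart is to watch error.log for AH10158 while a browser from the list above requests `/`: layout 1 logs it, layouts 2 and 3 do not. Note that a client which does implement PHA (for instance OpenSSL 1.1.1's `s_client` started with `-enable_pha`) will succeed against layout 1 as well, so it cannot be used to reproduce the browser failure.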
Changed in firefox (Ubuntu Eoan): assignee: nobody → Olivier Tilloy (osomon)
Changed in firefox (Ubuntu Disco): assignee: nobody → Olivier Tilloy (osomon)
Changed in firefox (Ubuntu Bionic): assignee: nobody → Olivier Tilloy (osomon)
no longer affects: chromium (Ubuntu Bionic)
no longer affects: chromium (Ubuntu Disco)
no longer affects: chromium (Ubuntu Eoan)
no longer affects: apache2 (Ubuntu)
no longer affects: apache2 (Ubuntu Bionic)
no longer affects: apache2 (Ubuntu Disco)
no longer affects: apache2 (Ubuntu Eoan)
no longer affects: chromium (Ubuntu)
Status changed to 'Confirmed' because the bug affects multiple users.