apache 2.4.29-1ubuntu4.12 authentication with client certificate broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Release Notes for Ubuntu | Confirmed | Undecided | Unassigned |
apache2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | New | Undecided | Marc Deslauriers |
Jammy | Fix Released | Undecided | Unassigned |
python-urllib3 (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
requests (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
Ubuntu 18.04.4 LTS: after updating from apache 2.4.29-1ubuntu4.11 to apache 2.4.29-1ubuntu4.12, authentication with a client certificate stopped working. No certificate is requested from the client browser and the apache log has this error:
[Tue Mar 03 16:03:34.964389 2020] [ssl:debug] [pid 12384:tid 139853354215168] ssl_engine_
[Tue Mar 03 16:03:36.499614 2020] [ssl:debug] [pid 12383:tid 139853481088768] ssl_engine_
[Tue Mar 03 16:03:37.714744 2020] [ssl:debug] [pid 12384:tid 139853481088768] ssl_engine_
[Tue Mar 03 16:03:37.714941 2020] [ssl:error] [pid 12384:tid 139853481088768] AH: verify client post handshake, referer: https:/
A temporary workaround is to disable the whole TLSv1.3 protocol in the vhost configuration.
---
ProblemType: Bug
Apache2ConfdDir
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.4.138. Set the 'ServerName' directive globally to suppress this message
httpd (pid 13567) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
DistroRelease: Ubuntu 18.04
InstallationDate: Installed on 2010-05-21 (3576 days ago)
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
Package: apache2 2.4.29-1ubuntu4.12
PackageArchitec
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
Tags: bionic
Uname: Linux 4.15.0-88-generic x86_64
UpgradeStatus: Upgraded to bionic on 2018-10-16 (505 days ago)
UserGroups:
_MarkForUpload: True
error.log:
[Thu Mar 05 06:25:05.942445 2020] [ssl:warn] [pid 13567:tid 140475868056512] AH01909: klient.
[Thu Mar 05 06:25:05.945212 2020] [mpm_worker:notice] [pid 13567:tid 140475868056512] AH00292: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.5.17 Python/3.6 configured -- resuming normal operations
[Thu Mar 05 06:25:05.945234 2020] [core:notice] [pid 13567:tid 140475868056512] AH00094: Command line: '/usr/sbin/apache2'
tags: added: bionic-openssl-1.1
tags: added: server-next
Changed in apache2 (Ubuntu):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in requests (Ubuntu):
status: New → Confirmed
Changed in python-urllib3 (Ubuntu):
status: New → Confirmed
Changed in ubuntu-release-notes:
status: New → Confirmed
tags: removed: server-next
tags: added: rls-ii-incoming
tags: removed: rls-ii-incoming
tags: added: server-triage-discuss
Changed in apache2 (Ubuntu Jammy):
status: In Progress → Fix Released
Changed in python-urllib3 (Ubuntu Jammy):
status: Confirmed → Fix Released
Changed in requests (Ubuntu Jammy):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Focal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Jammy):
assignee: Marc Deslauriers (mdeslaur) → nobody
Hi Riho,
Thank you for taking the time to report this bug. I've mentioned this on bug LP: #1845263 as a possible regression related to the
2.4.29-1ubuntu4.12 update that backported the TLSv1.3 support to bionic. That update indicated some expectation that certain environments might be adversely affected when the new protocol is added, so it would be helpful to understand in more detail about your particular setup. That may help identify what went wrong precisely in this case.
Please execute the following command, as it will automatically gather debugging information, in a terminal:
apport-collect 1865900
Alternatively, if you want to manually attach things (e.g. so you can remove any sensitive information), the files this collects include:
- /etc/apache2/apache2.conf
- /etc/apache2/sites-enabled/*
- /etc/apache2/conf.d
- /var/log/apache2/error.log
- `/usr/sbin/apachectl -D DUMP_MODULES`
Obviously the piece that'll need more examination is the client certificate configuration, so if there are other config files or logs of relevance to that you're aware of, those details could be useful as well.
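Since the reporter's workaround is a per-vhost SSLProtocol change and the comment above asks for the sites-enabled/* configuration, here is an added audit helper (not part of the bug report, of Ubuntu's packaging or of Apache) that scans a vhost file for the affected combination: client-certificate verification configured while TLSv1.3 is still enabled. It assumes one vhost per file and each directive written on a single line.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or Apache): flags vhost files
# that combine client-certificate verification with TLSv1.3 still enabled,
# the pattern this report describes as broken on 2.4.29-1ubuntu4.12.
# Assumptions: one vhost per file, each directive on a single line.

# Evaluate an SSLProtocol argument list with Apache's +/- semantics and print
# "yes" if TLSv1.3 ends up enabled, "no" otherwise. A missing SSLProtocol
# is treated as the 2.4 default "all -SSLv3", which, with the TLSv1.3
# backport in this update, includes TLSv1.3.
tls13_enabled() {
    enabled=no
    [ $# -eq 0 ] && set -- all -SSLv3
    for tok in "$@"; do
        case "$tok" in
            all|+TLSv1.3|TLSv1.3) enabled=yes ;;
            -TLSv1.3)             enabled=no ;;
        esac
    done
    echo "$enabled"
}

# Print the arguments of the last uncommented SSLProtocol directive in a
# file; prints nothing when the directive is absent.
ssl_protocol_args() {
    grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 |
        sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//'
}

# Exit 0 (affected) when the file requires or offers client certificates
# while TLSv1.3 is still enabled, 1 otherwise.
audit_vhost() {
    grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+(require|optional)' "$1" \
        || return 1
    [ "$(tls13_enabled $(ssl_protocol_args "$1"))" = yes ]
}

# Usage over the files the comment above asks for (uncomment to run on a host):
# for f in /etc/apache2/sites-enabled/*; do
#     audit_vhost "$f" && echo "affected: $f"
# done
```

A file reported as affected is one where the workaround, adding `-TLSv1.3` to its SSLProtocol line, has not been applied.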