Apache2 Certificate Chain Verification within Proxy not Working after dist-upgrade to focal

Bug #1930430 reported by Horst Platz on 2021-06-01
Affects               Status         Importance   Assigned to
Apache2 Web Server    Fix Released   Medium
apache2 (Ubuntu)                     Medium       Unassigned
Focal                                Medium       Unassigned

Bug Description

Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

After dist-upgrade bionic -> focal and Apache Update

from: 2.4.29-1ubuntu4.14
to: 2.4.41-4ubuntu3.1

Overall I found a hint in

https://downloads.apache.org/httpd/CHANGES_2.4
[...]
  *) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
     [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
[...]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63679

Backported to 2.4.x (r1872226), will be in the next release.

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=markup&pathrev=1872226

-> This is part of 2.4.42 <-

An overall question: can you please also backport that version of
ssl_engine_kernel.c into your 2.4.41-4ubuntu3.1 Apache?

My further investigation: I created a new VM with 20.04 and compiled Apache

:~$ apt-get source apache2

The only thing I did was to replace

:~$ apache2-2.4.41/modules/ssl/ssl_engine_kernel.c

with the downloaded Version from upstream Apache

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?revision=1872226&view=co&pathrev=1872226

I saved the *.deb packages away.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reproduce the Error

Create a New VM with 20.04

:~# apt-get install apache2

:~# mkdir /etc/apache2/ssl
:~# vim /etc/apache2/ssl/letsencryt.crt

letsencryt.crt contains only the intermediate and root CA from Let's Encrypt

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:80>
    ServerAdmin <email address hidden>
    ServerName localhost

    ProxyPreserveHost Off
    ProxyRequests Off

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile ssl/letsencryt.crt
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2

    ProxyPass / https://localhorst.org/

    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

:~# vim /etc/apache2/apache2.conf
LogLevel debug

:~# a2enmod proxy_http ssl

:~# systemctl restart apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I created a local firewall that blocks outgoing traffic, for a better overview

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The proxy crashed because it is connecting to the OCSP responder. With the Apache
version in bionic this does not happen; there is no connection to the
OCSP responder.

:~# curl http://127.0.0.1:80/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:04:11.286448 2021] [authz_core:debug] [pid 6009:tid 140286852331264] mod_authz_core.c(845): [client 127.0.0.1:47958] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:04:11.286530 2021] [proxy:debug] [pid 6009:tid 140286852331264] mod_proxy.c(1253): [client 127.0.0.1:47958] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:04:11.286549 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:04:11.286588 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2379): [client 127.0.0.1:47958] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:04:11.288378 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2588): [client 127.0.0.1:47958] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:04:11.318587 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.318697 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.318726 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:04:11.368501 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:04:11.369207 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:04:11.369934 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
[Tue Jun 01 14:04:11.370521 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:04:11.517640 2021] [ssl:debug] [pid 6009:tid 140286852331264] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:04:11.521410 2021] [ssl:error] [pid 6009:tid 140286852331264] (101)Network is unreachable: [remote 94.130.99.225:443] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:04:11.521875 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:04:11.529291 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
[Tue Jun 01 14:04:11.529591 2021] [ssl:info] [pid 6009:tid 140286852331264] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Tue Jun 01 14:04:11.529708 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
[Tue Jun 01 14:04:11.529999 2021] [ssl:info] [pid 6009:tid 140286852331264] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
[Tue Jun 01 14:04:11.530169 2021] [proxy:error] [pid 6009:tid 140286852331264] (20014)Internal error (specific information not available): [client 127.0.0.1:47958] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:04:11.530288 2021] [proxy:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Jun 01 14:04:11.530379 2021] [proxy_http:error] [pid 6009:tid 140286852331264] [client 127.0.0.1:47958] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
[Tue Jun 01 14:04:11.530482 2021] [proxy:debug] [pid 6009:tid 140286852331264] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)

:~# tail -f /var/log/ulog/syslogemu.log
Jun 1 14:04:12 devubu2004 fw-net REJECT IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.160 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=59096 DF PROTO=TCP SPT=52194 DPT=80 SEQ=2173056195 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0
Jun 1 14:04:12 devubu2004 fw-net REJECT IN= OUT=enp0s3 MAC= SRC=10.0.2.15 DST=95.101.91.146 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=32240 DF PROTO=TCP SPT=40016 DPT=80 SEQ=508673920 ACK=0 WINDOW=64240 SYN URGP=0 UID=33 GID=33 MARK=0

:~$ host r3.o.lencr.org
r3.o.lencr.org is an alias for o.lencr.edgesuite.net.
o.lencr.edgesuite.net is an alias for a1887.dscq.akamai.net.
a1887.dscq.akamai.net has address 95.101.91.160
a1887.dscq.akamai.net has address 95.101.91.146
a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5a12
a1887.dscq.akamai.net has IPv6 address 2a02:26f0:10c::5f65:5ac0

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Try opening the local firewall

:~# vim /etc/shorewall/rules
[...]
ACCEPT $FW net:95.101.91.160 tcp http
ACCEPT $FW net:95.101.91.146 tcp http

:~# systemctl reload shorewall

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Does not help; crashed with the following error

:~$ curl http://127.0.0.1:80/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:08:02.137740 2021] [authz_core:debug] [pid 6009:tid 140286835545856] mod_authz_core.c(845): [client 127.0.0.1:47974] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:08:02.137793 2021] [proxy:debug] [pid 6009:tid 140286835545856] mod_proxy.c(1253): [client 127.0.0.1:47974] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:08:02.137803 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:08:02.137810 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2379): [client 127.0.0.1:47974] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:08:02.137817 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2588): [client 127.0.0.1:47974] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:08:02.167485 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.168160 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.168655 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:08:02.216198 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:08:02.217565 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:08:02.218976 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_ocsp.c(76): [remote 94.130.99.225:443] AH01918: no OCSP responder specified in certificate and no default configured
[Tue Jun 01 14:08:02.219265 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_engine_kernel.c(1764): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:08:02.358471 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(96): [remote 94.130.99.225:443] AH01973: connecting to OCSP responder 'r3.o.lencr.org'
[Tue Jun 01 14:08:02.386985 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(124): [remote 94.130.99.225:443] AH01975: sending request to OCSP responder
[Tue Jun 01 14:08:02.579215 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Server: nginx
[Tue Jun 01 14:08:02.581036 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Type: application/ocsp-response
[Tue Jun 01 14:08:02.581749 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Content-Length: 503
[Tue Jun 01 14:08:02.581822 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: ETag: "17C919F5E6C36BB41BEAF2C8A1BD012BBFDC3157CAC59588FBFDAE973D089853"
[Tue Jun 01 14:08:02.581843 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Last-Modified: Mon, 31 May 2021 09:00:00 UTC
[Tue Jun 01 14:08:02.581859 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Cache-Control: public, no-transform, must-revalidate, max-age=43160
[Tue Jun 01 14:08:02.581875 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Expires: Wed, 02 Jun 2021 02:07:22 GMT
[Tue Jun 01 14:08:02.581891 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Date: Tue, 01 Jun 2021 14:08:02 GMT
[Tue Jun 01 14:08:02.581906 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(234): [remote 94.130.99.225:443] AH01981: OCSP response header: Connection: close
[Tue Jun 01 14:08:02.581922 2021] [ssl:debug] [pid 6009:tid 140286835545856] ssl_util_ocsp.c(282): [remote 94.130.99.225:443] AH01987: OCSP response: got 503 bytes, 503 total
[Tue Jun 01 14:08:02.583980 2021] [ssl:error] [pid 6009:tid 140286835545856] AH01924: Bad OCSP responder answer (bad nonce)
[Tue Jun 01 14:08:02.585222 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02276: Certificate Verification: Error (50): application verification failure [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:08:02.586201 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH02003: SSL Proxy connect failed
[Tue Jun 01 14:08:02.587160 2021] [ssl:info] [pid 6009:tid 140286835545856] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Tue Jun 01 14:08:02.587226 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:80)
[Tue Jun 01 14:08:02.587272 2021] [ssl:info] [pid 6009:tid 140286835545856] [remote 94.130.99.225:443] AH01997: SSL handshake failed: sending 502
[Tue Jun 01 14:08:02.587354 2021] [proxy:error] [pid 6009:tid 140286835545856] (20014)Internal error (specific information not available): [client 127.0.0.1:47974] AH01084: pass request body failed to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:08:02.587391 2021] [proxy:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Jun 01 14:08:02.587407 2021] [proxy_http:error] [pid 6009:tid 140286835545856] [client 127.0.0.1:47974] AH01097: pass request body failed to 94.130.99.225:443 (localhorst.org) from 127.0.0.1 ()
[Tue Jun 01 14:08:02.587424 2021] [proxy:debug] [pid 6009:tid 140286835545856] proxy_util.c(2340): AH00943: HTTPS: has released connection for (localhorst.org)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Close the Firewall Again

:~# vim /etc/shorewall/rules
[...]
#ACCEPT $FW net:95.101.91.160 tcp http
#ACCEPT $FW net:95.101.91.146 tcp http

:~# systemctl reload shorewall

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Installed the self-compiled Apache version with the patched ssl_engine_kernel.c

:~# cd /home/vagrant/deb/

:~# dpkg -i apache2_2.4.41-4ubuntu3.1_amd64.deb apache2-bin_2.4.41-4ubuntu3.1_amd64.deb apache2-data_2.4.41-4ubuntu3.1_all.deb apache2-utils_2.4.41-4ubuntu3.1_amd64.deb

:~# systemctl stop apache2
:~# systemctl start apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Apache Proxy is working again as expected

:~# curl http://127.0.0.1:80/
-> website is coming

:~# tail -f /var/log/apache2/error.log
[Tue Jun 01 14:11:47.953485 2021] [authz_core:debug] [pid 7437:tid 140452002883328] mod_authz_core.c(845): [client 127.0.0.1:47980] AH01628: authorization result: granted (no directives)
[Tue Jun 01 14:11:47.953554 2021] [proxy:debug] [pid 7437:tid 140452002883328] mod_proxy.c(1253): [client 127.0.0.1:47980] AH01143: Running scheme https handler (attempt 0)
[Tue Jun 01 14:11:47.953570 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2325): AH00942: HTTPS: has acquired connection for (localhorst.org)
[Tue Jun 01 14:11:47.953576 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2379): [client 127.0.0.1:47980] AH00944: connecting https://localhorst.org/ to localhorst.org:443
[Tue Jun 01 14:11:47.955415 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2588): [client 127.0.0.1:47980] AH00947: connected / to localhorst.org:443
[Tue Jun 01 14:11:47.985343 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3054): AH02824: HTTPS: connection established with 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:11:47.985479 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(3240): AH00962: HTTPS: connection complete to 94.130.99.225:443 (localhorst.org)
[Tue Jun 01 14:11:47.985505 2021] [ssl:info] [pid 7437:tid 140452002883328] [remote 94.130.99.225:443] AH01964: Connection to child 0 established (server localhost:80)
[Tue Jun 01 14:11:48.034945 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 2, CRL checking mode: none (0) [subject: CN=DST Root CA X3,O=Digital Signature Trust Co. / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 44AFB080D6A327BA893039862EF8406B / notbefore: Sep 30 21:12:19 2000 GMT / notafter: Sep 30 14:01:15 2021 GMT]
[Tue Jun 01 14:11:48.035920 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=R3,O=Let's Encrypt,C=US / issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. / serial: 400175048314A4C8218C84A90C16CDDF / notbefore: Oct 7 19:21:40 2020 GMT / notafter: Sep 29 19:21:40 2021 GMT]
[Tue Jun 01 14:11:48.036745 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(1759): [remote 94.130.99.225:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:11:48.067180 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_engine_kernel.c(2249): [remote 94.130.99.225:443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 01 14:11:48.068469 2021] [ssl:debug] [pid 7437:tid 140452002883328] ssl_util_ssl.c(476): AH02412: [localhost:80] Cert matches for name 'localhorst.org' [subject: CN=localhorst.org / issuer: CN=R3,O=Let's Encrypt,C=US / serial: 04235D2681C6834352A845E6D1745969DCCE / notbefore: May 13 08:11:44 2021 GMT / notafter: Aug 11 08:11:44 2021 GMT]
[Tue Jun 01 14:11:48.227809 2021] [proxy:debug] [pid 7437:tid 140452002883328] proxy_util.c(2340): AH00943: https: has released connection for (localhorst.org)

Regards Horst

Luhliari (luhliari) wrote:

Created attachment 36728
Patch fixing the bug

Hi all,

In commit r1826995 the following change was made to the ssl_callback_SSLVerify function in ssl_engine_kernel.c:

- if (ok && sc->server->ocsp_enabled == TRUE) {
+ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {

Instead of using sc->server, mctx should be used. This now causes weird behavior, since ocsp_mask is by default set to UNSET (which is -1, translated to signed int...). When a proxy is set on the same server, the if-condition above will be true.

I'm proposing this change:

- if (ok && sc->server->ocsp_enabled) {
+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
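Review bot: the `-` line of this proposed change, `if (ok && sc->server->ocsp_enabled) {`, is the pre-r1826995 condition, while the first snippet shows that the code currently in ssl_engine_kernel.c is already the `sc->server->ocsp_mask` form; the removed lines should be the current `ocsp_mask` condition so the patch applies cleanly to 2.4.x. The substantive fix is the `sc->server` to `mctx` substitution on both `+` lines, which is right given that the callback also runs for proxy handshakes, where `sc->server->ocsp_mask` can still be UNSET.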

It was working before, because ocsp_enabled was by default set to FALSE. ocsp_mask is UNSET by default now and is set either in the proxy or in the server structure in sc. If an sc with is_proxy is passed here, it will result in a bug.

Attaching patch. Please merge it to 2.4.x if possible.
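To make the failure mode described in this comment concrete, here is a small C model, added here and not httpd's own code, of the ssl_callback_SSLVerify condition before and after the proposed change. The struct layout and the SSL_OCSPCHECK_* flag values are assumed; only UNSET being -1 comes from the comment.

```c
#include <stdio.h>

/* httpd's "directive not set" sentinel, -1 as the comment above states. */
#define UNSET               (-1)
/* Flag values are assumed for this model; only their being bit flags matters. */
#define SSL_OCSPCHECK_NONE  0
#define SSL_OCSPCHECK_LEAF  (1 << 0)
#define SSL_OCSPCHECK_CHAIN (1 << 1)

/* One context per direction (inbound "server", outbound "proxy"), as in mod_ssl. */
typedef struct { int ocsp_mask; } modssl_ctx_t;
typedef struct { modssl_ctx_t *server; modssl_ctx_t *proxy; } SSLSrvConfigRec;

/* Condition as introduced by r1826995: always reads the inbound server context,
 * even when the handshake being verified belongs to the proxy context. */
static int ocsp_wanted_buggy(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx,
                             int errdepth)
{
    (void)mctx;
    return (sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Condition after the proposed fix: reads the context the handshake belongs to. */
static int ocsp_wanted_fixed(const SSLSrvConfigRec *sc, const modssl_ctx_t *mctx,
                             int errdepth)
{
    (void)sc;
    return (mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* The reporter's vhost: port 80, no SSLEngine, so the server context keeps the
 * UNSET default; SSLProxyEngine On without any proxy-side OCSP directive.
 * Returns nonzero when the verify callback would start an OCSP lookup at
 * this chain depth for the outbound (proxy) handshake. */
int proxy_handshake_triggers_ocsp(int use_fixed, int errdepth)
{
    modssl_ctx_t server = { UNSET };
    modssl_ctx_t proxy  = { SSL_OCSPCHECK_NONE };
    SSLSrvConfigRec sc  = { &server, &proxy };
    /* UNSET is all ones, so "UNSET & SSL_OCSPCHECK_CHAIN" is true at every depth,
     * matching the log above where depth 1 and depth 0 both reach the OCSP code. */
    return use_fixed ? ocsp_wanted_fixed(&sc, &proxy, errdepth)
                     : ocsp_wanted_buggy(&sc, &proxy, errdepth);
}

/* An inbound vhost whose server context checks only the leaf certificate:
 * both versions of the condition must still request the lookup at depth 0. */
int server_handshake_triggers_ocsp(int use_fixed, int errdepth)
{
    modssl_ctx_t server = { SSL_OCSPCHECK_LEAF };
    modssl_ctx_t proxy  = { UNSET };
    SSLSrvConfigRec sc  = { &server, &proxy };
    return use_fixed ? ocsp_wanted_fixed(&sc, &server, errdepth)
                     : ocsp_wanted_buggy(&sc, &server, errdepth);
}

int main(void)
{
    for (int depth = 2; depth >= 0; depth--) {
        printf("proxy handshake, depth %d: buggy=%d fixed=%d\n", depth,
               proxy_handshake_triggers_ocsp(0, depth),
               proxy_handshake_triggers_ocsp(1, depth));
    }
    return 0;
}
```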

Ylavic-dev (ylavic-dev) wrote:

Thanks for spotting and the patch, applied in r1865740.
I will propose it for backport soon, waiting a bit for others' review.

Ylavic-dev (ylavic-dev) wrote:

Backported to 2.4.x (r1872226), will be in the next release.

tititou (christophe-jaillet) wrote:

This is part of 2.4.42

Athos Ribeiro (athos-ribeiro) wrote (last edit):

Despite the fact that we did not reproduce the mentioned issue while performing the triage for this bug, we did verify that the buggy code, patched by https://bz.apache.org/bugzilla/show_bug.cgi?id=63679, is present in focal.

The patch is available at https://bz.apache.org/bugzilla/attachment.cgi?id=36728&action=diff

Changed in apache2 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apache2 (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Changed in apache2:
importance: Unknown → Medium
status: Unknown → Fix Released