[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59
https://bz.apache.org/bugzilla/show_bug.cgi?id=68863

Yann Ylavic changed:
  What | Removed | Added
  CC   |         | chr...@majestic.com

--- Comment #13 from Yann Ylavic ---
*** Bug 68969 has been marked as a duplicate of this bug. ***

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
--- Comment #12 from Ruediger Pluem ---
Proposed for backport as r1917010.
--- Comment #11 from paolo ---
Hi Ruediger,
many thanks for the fix. When do you plan a new httpd containing this fix?
--- Comment #10 from Thomas Jarosch ---
Thanks for the quick fix, Ruediger!
Ruediger Pluem changed:
  What     | Removed | Added
  Keywords |         | FixedInTrunk, PatchAvailable

--- Comment #9 from Ruediger Pluem ---
Committed r1916863 to trunk.
--- Comment #8 from Thomas Jarosch ---
(In reply to Ruediger Pluem from comment #6)
> Can you please check if the below patch fixes your issue?

I can also confirm that the patch fixes the issue on openssl 1.1.1. Our openssl-related tests PASS using the patched httpd. The test also verifies the DHE prime length is at least 2048 bits.
paolo changed:
  What   | Removed  | Added
  Status | NEEDINFO | NEW
--- Comment #7 from paolo ---
Hi Ruediger,

> Can you please check if the below patch fixes your issue?

Yes, it does.

> Can you check if adding explicit DH parameters (created via openssl dhparam
> 2048) to your certificate file fixes the issue with and without patch?

Yes, adding the DH parameters to the certificate file works with and without the patch.

Many thanks
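The workaround confirmed in comment #7, appending explicit DH parameters to the certificate file, as an added example script that is not part of the bug thread or of httpd: it applies the change idempotently and verifies the prime size afterwards. It assumes PEM files, an `openssl` binary on PATH, and a placeholder CERT_FILE path supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the bug thread): append DH parameters to the
# SSLCertificateFile only when none are present, then verify their size.
# CERT_FILE / DH_BITS are placeholder environment variables.

# Succeeds (exit 0) when the PEM file already carries a DH PARAMETERS block.
has_dh_params() {
    grep -q '^-----BEGIN DH PARAMETERS-----' "$1"
}

# Print the prime size in bits of the DH block inside a PEM file, or 0 when
# there is no readable block. The DH block is cut out first so the check
# does not depend on openssl skipping the certificate blocks.
dh_param_bits() {
    bits=$(sed -n '/^-----BEGIN DH PARAMETERS-----/,/^-----END DH PARAMETERS-----/p' "$1" \
           | openssl dhparam -noout -text 2>/dev/null \
           | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-0}"
}

# Append freshly generated DH parameters of the given size (default 2048)
# unless the file already has some. Prints "already present" or "added".
add_dh_params() {
    cert=$1; size=${2:-2048}
    if has_dh_params "$cert"; then
        echo "already present"
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Generating a 2048-bit safe prime can take a while.
    if ! openssl dhparam -out "$tmp" "$size" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" >> "$cert" && rm -f "$tmp"
    # Only report success if the appended block is readable and large enough.
    got=$(dh_param_bits "$cert")
    [ "$got" -ge "$size" ] || return 1
    echo added
}

if [ -n "${CERT_FILE:-}" ]; then
    add_dh_params "$CERT_FILE" "${DH_BITS:-2048}"
fi
```

With the patch from comment #6 applied the parameters are no longer needed for DHE to work, but keeping them makes the DH group explicit rather than relying on auto selection.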
Ruediger Pluem changed:
  What   | Removed | Added
  Status | NEW     | NEEDINFO
--- Comment #6 from Ruediger Pluem ---
Can you please check if the below patch fixes your issue?

Index: modules/ssl/ssl_engine_init.c === --- modules/ssl/ssl_engine_init.c (revision 1916856) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -1346,6 +1346,7 @@ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; int i; EVP_PKEY *pkey; +int done = 0; #ifdef HAVE_ECC EC_GROUP *ecgroup = NULL; int curve_nid = 0; @@ -1518,7 +1519,7 @@ */ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); if (certfile && !modssl_is_engine_id(certfile)) { -int done = 0, num_bits = 0; +int num_bits = 0; #if OPENSSL_VERSION_NUMBER < 0x3000L DH *dh = modssl_dh_from_file(certfile); if (dh) { @@ -1546,7 +1547,7 @@ } } #if !MODSSL_USE_OPENSSL_PRE_1_1_API -else { +if (!done) { /* If no parameter is manually configured, enable auto * selection. */ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);

Can you check if adding explicit DH parameters (created via openssl dhparam 2048) to your certificate file fixes the issue with and without patch?
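Review bot: in the first hunk (@@ -1346) the hoisted `int done = 0;` is declared unconditionally, while the only reader shown after the change is the `if (!done)` inside `#if !MODSSL_USE_OPENSSL_PRE_1_1_API`; on a pre-1.1 build that may leave `done` set but never read and trip `-Wunused-but-set-variable` in warning-clean builds. If so, wrapping the declaration in the same `#if` or marking it unused would keep the trunk build quiet.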
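Review bot: the `else` replaced in the last hunk (@@ -1546) was attached to `if (certfile && !modssl_is_engine_id(certfile))`, so `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1)` only ran when there was no certificate file at all; a certificate file without embedded DH parameters fell through with neither explicit nor automatic parameters, which is consistent with the DHE-only `no shared cipher` failure in comment #5. With `if (!done)` the fix relies on every path that installs parameters setting `done = 1`; those assignments lie outside the context lines shown, so the backport review should confirm them, and also that the engine-id case (certfile set but skipped) is meant to get auto selection too.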
--- Comment #5 from paolo ---
Hi Ruediger,
I just attached the log you asked for. Here is the part where the connection fails:

[Mon Apr 08 10:00:13.507966 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01964: Connection to child 5 established (server localhost:44300)
[Mon Apr 08 10:00:13.508210 2024] [ssl:debug] [pid 1597292:tid 140007736858176] ssl_engine_kernel.c(2425): [client 127.0.0.1:37142] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Mon Apr 08 10:00:13.508337 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH02008: SSL library error 1 in handshake (server localhost:44300)
[Mon Apr 08 10:00:13.508357 2024] [ssl:info] [pid 1597292:tid 140007736858176] SSL Library Error: error:0AC1:SSL routines::no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate?
[Mon Apr 08 10:00:13.508363 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01998: Connection closed to child 5 with abortive shutdown (server localhost:44300)

Best Regards
Paolo
--- Comment #4 from paolo ---
Created attachment 39653
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39653&action=edit
Log with ssl:debug enabled
--- Comment #3 from Ruediger Pluem ---
Can you please increase the loglevel to debug and provide the output from the error log when starting apache and during a failed connection?
Eric Covener changed:
  What    | Removed  | Added
  Version | 2.5-HEAD | 2.4.59
--- Comment #2 from Thomas Jarosch ---
"openssl s_client" command to specifically request a DHE cipher:

openssl s_client -state -cipher DHE -tls1_2 -connect HOSTNAME:443
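The probe from comment #2, turned into a repeatable check that also verifies the negotiated DH prime size (the property comment #8 says the reporter's QA suite tests). This is an added example, not code from the bug thread or from httpd; it assumes `openssl s_client` prints a "Server Temp Key: DH, N bits" line on a successful DHE handshake, and the host and port come from placeholder DHE_CHECK_HOST / DHE_CHECK_PORT variables.

```sh
#!/bin/sh
# Added example (not from the bug thread): probe a server for a TLS 1.2 DHE
# handshake as in comment #2 and classify the result by DH prime size.
# DHE_CHECK_HOST / DHE_CHECK_PORT are placeholder environment variables.

# Extract the DH prime size in bits from s_client output; prints 0 when the
# handshake did not produce a DH temp key (failed handshake, or non-DH key).
dh_bits_from_output() {
    bits=$(printf '%s\n' "$1" \
           | sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-0}"
}

# Classify an s_client run: "ok" when a DHE key of at least MIN_BITS
# (default 2048) was negotiated, "weak" when DH was used but the prime is
# smaller, and "fail" when no DHE handshake happened at all, which is what
# the "no shared cipher" case from comment #5 looks like from the client.
classify_dhe() {
    min_bits=${2:-2048}
    bits=$(dh_bits_from_output "$1")
    if [ "$bits" -eq 0 ]; then
        echo fail
    elif [ "$bits" -lt "$min_bits" ]; then
        echo weak
    else
        echo ok
    fi
}

# Run the same probe as in the thread (stdin closed so s_client exits after
# the handshake) and classify the captured output.
probe_dhe() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -state -cipher DHE -tls1_2 -connect "$host:$port" </dev/null 2>&1)
    classify_dhe "$out"
}

if [ -n "${DHE_CHECK_HOST:-}" ]; then
    probe_dhe "$DHE_CHECK_HOST" "${DHE_CHECK_PORT:-443}"
fi
```

Run against a 2.4.59 server without the fix, the DHE-only probe reports "fail" while an unrestricted handshake still succeeds on ECDHE, matching the symptom in comment #1.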
Thomas Jarosch changed:
  What | Removed | Added
  CC   |         | thomas.jaro...@intra2net.com

--- Comment #1 from Thomas Jarosch ---
Thanks for the report, I'm also seeing this. Our automated QA suite for our distro identified the same issue. We automatically test different ciphers. The DHE ciphers using TLS v1.2 no longer work since upgrading from 2.4.58 to 2.4.59. Openssl version used is openssl-1.1.1u here.

ECDHE ciphers still work, just DHE is affected.

I've quickly browsed through the 2.4.58..2.4.59 commits but didn't spot anything obvious. My gut feeling is that it might be related to the changed openssl initialization, but that's a wild guess.

This is our cipher configuration, DHE is de-prioritized to come last:

SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3