https://bz.apache.org/bugzilla/show_bug.cgi?id=64263
Bug ID: 64263
Summary: TLSv1.3 with SSLVerifyClient optional inside a Location returns 403
Product: Apache httpd-2
Version: 2.4.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Hi,
I have just run into this on Ubuntu 18.04, as they just backported r1840585
into what they release as 2.4.29-1ubuntu4.13.
I have a config that enables *optional* client TLS authentication for a
specific path:
SSLCACertificateFile "/etc/ssl/certs/api-ca.crt"
<Location /api>
SSLVerifyClient optional
RequestHeader set X509_DN "%{SSL_CLIENT_S_DN}s"
</Location>
This config started breaking with:
[Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
[Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
I have just confirmed that I get the same with 2.4.41 downloaded from
httpd.apache.org.
Just compiling the source distribution with --enable-ssl and adding
LoadModule ssl_module modules/mod_ssl.so
...
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA:!RC4:!LOW:!3DES:!kRSA:!SHA1:!SHA256:!SHA384
<Location /api>
SSLVerifyClient optional
</Location>
</VirtualHost>
to httpd.conf reproduces the issue - in logs/error_log, I get:
[Wed Mar 25 22:36:21.822805 2020] [ssl:error] [pid 21499:tid 140218342541056] [client ::1:52710] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 22:36:21.823030 2020] [ssl:error] [pid 21499:tid 140218342541056] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
I see the commit message for r1840585 says:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
However, when authentication is optional (SSLVerifyClient optional) and no
client authentication is provided, it should not count as a failure and request
processing should continue...
Cheers,
Vlad
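Added example, not part of the report or of httpd itself: a small parser for the error_log lines quoted above that attributes each AH10158 failure to the client address and to the OpenSSL reason on the following "SSL Library Error" line (which carries no [client] field, so it is matched by pid:tid). An operator can run it over a real error_log to see which TLS 1.3 clients are being refused with 403 after the r1840585 change. The sample log below is constructed from the report's lines.

```python
import re

# Constructed sample, modelled on the error_log lines quoted in the report.
SAMPLE_LOG = """\
[Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
[Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Wed Mar 25 22:36:21.822805 2020] [ssl:error] [pid 21499:tid 140218342541056] [client ::1:52710] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 22:36:21.823030 2020] [ssl:error] [pid 21499:tid 140218342541056] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Wed Mar 25 22:40:00.000000 2020] [core:notice] [pid 21499:tid 140218342541056] AH00094: Command line: 'httpd'
"""

# httpd 2.4 default ErrorLogFormat; the [client addr:port] field is optional
# and the address may be IPv6, so the client group is non-greedy up to the
# last ":port]".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
    r"(?: \[client (?P<client>.+?):(?P<port>\d+)\])? (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    code = re.match(r"(AH\d+):", rec["msg"])
    rec["code"] = code.group(1) if code else None
    return rec


def pha_failures(log_text):
    """Map client address -> list of OpenSSL reasons for AH10158 failures."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    result = {}
    for i, rec in enumerate(recs):
        if rec["code"] != "AH10158":
            continue
        reason = "unknown"
        nxt = recs[i + 1] if i + 1 < len(recs) else None
        # The library error is logged by the same worker thread right after AH10158.
        if (nxt and nxt["msg"].startswith("SSL Library Error")
                and (nxt["pid"], nxt["tid"]) == (rec["pid"], rec["tid"])):
            reason = nxt["msg"].rsplit(":", 1)[1]
        result.setdefault(rec["client"], []).append(reason)
    return result


if __name__ == "__main__":
    for client, reasons in pha_failures(SAMPLE_LOG).items():
        print(f"{client}: {len(reasons)} failure(s), reasons: {sorted(set(reasons))}")
```

A reason of "extension not received" means the client never offered the post_handshake_auth extension, which is exactly the case the report argues should not be a 403 when SSLVerifyClient is optional.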