https://bz.apache.org/bugzilla/show_bug.cgi?id=64263
--- Comment #2 from Vlad Mencl <[email protected]> ---

Hi,

I have investigated this issue further... I now understand that for essentially all HTTPS clients, it is necessary to update SSL API calls to support TLSv1.3 post-handshake authentication.

And I have also checked with a version of curl built right off the top of the GitHub repo (7.70.0-DEV) - as an example of a client capable of post-handshake authentication. With this version of curl, Apache 2.4.49 works over TLSv1.3 with "SSLVerify optional" inside a <Location> for both authenticated and unauthenticated requests (client providing or not providing a client certificate).

The tricky edge-case is my use case of unauthenticated API (SSLVerify optional) - that used to work on older versions of Apache 2.4 over TLSv1.3 (with the initial support provided earlier) even with older clients only (not capable of post-handshake authentication), like curl 7.58.0 (bundled with Ubuntu 18.04), but breaks with 2.4.49 (as far as I can tell, due to the changes in r1840585).

I agree the main way forward is updating all clients to support TLSv1.3 properly - including post-handshake authentication.

The point of this bug report is whether to let older clients (not supporting post-handshake authentication) get by when authentication is not required.

Please let me know if you think this is worth addressing.

Cheers,
Vlad
