Your message dated Thu, 09 Jul 2020 19:32:09 +0000
with message-id <[email protected]>
and subject line Bug#950300: fixed in mod-gnutls 0.9.0-1.1~deb10u1
has caused the Debian Bug report #950300,
regarding mod-gnutls: apache CVE-2019-10092 fix causes FTBFS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
950300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950300
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mod-gnutls
Version: 0.8.2-3
Severity: serious
Tags: ftbfs

mod-gnutls appears to rely on the exact wording of apache
error messages, and these changed with CVE-2019-10092.

https://buildd.debian.org/status/package.php?p=mod-gnutls&suite=stretch
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mod-gnutls.html

...
FAIL: test-18_client_verification_wrong_cert
============================================

TESTING: 18_client_verification_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:11.674982 2020] [gnutls:debug] [pid 45519:tid 
139910356628608] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 1.910177 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 403 Forbidden
Date: Mon, 27 Jan 2020 19:56:11 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 199
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
45530 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/18_client_verification_wrong_cert/output 
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:11.809997988 -1200
@@ -1,7 +1,7 @@
+<html><head>
+<title>403 Forbidden</title>
 </head><body>
 <h1>Forbidden</h1>
-<p>You don't have permission to access /test.txt
-on this server.<br />
-</p>
+<p>You don't have permission to access this resource.</p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 18_client_verification_wrong_cert
[Mon Jan 27 07:56:11.869868 2020] [gnutls:debug] [pid 45630:tid 
139891390706816] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:11.697229 2020] [mpm_worker:debug] [pid 45520:tid 
139910356628608] worker.c(1758): AH00294: Accept mutex: sysvsem (default: 
sysvsem)
[Mon Jan 27 07:56:11.697257 2020] [watchdog:debug] [pid 45523:tid 
139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.697509 2020] [watchdog:debug] [pid 45525:tid 
139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.710332 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1072): [client 127.0.0.1:43624] early_sni_hook: 
Selected virtual host localhost from early SNI, connection server is localhost.
[Mon Jan 27 07:56:11.785399 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_io.c(535): [client 127.0.0.1:43624] mgs_filter_input: 
TLS connection opened.
[Mon Jan 27 07:56:11.785673 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1652): [client 127.0.0.1:43624] GnuTLS: A Chain 
of 1 certificate(s) was provided for validation
[Mon Jan 27 07:56:11.785899 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1694): [client 127.0.0.1:43624] GnuTLS: 
Verifying list of 1 certificate(s) via method 'cartel'
[Mon Jan 27 07:56:11.785946 2020] [gnutls:info] [pid 45523:tid 139910314034944] 
[client 127.0.0.1:43624] GnuTLS: Could not find Signer for Peer Certificate
[Mon Jan 27 07:56:11.785955 2020] [gnutls:info] [pid 45523:tid 139910314034944] 
[client 127.0.0.1:43624] GnuTLS: Peer Certificate is invalid.
[Mon Jan 27 07:56:11.786301 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_io.c(501): [client 127.0.0.1:43624] mgs_bye: TLS 
connection closed.
FAIL test-18_client_verification_wrong_cert.bash (exit status: 1)

FAIL: test-21_TLS_reverse_proxy_wrong_cert
==========================================

TESTING: 21_TLS_reverse_proxy_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:46.488371 2020] [gnutls:debug] [pid 49170:tid 
139781586056320] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 34.445301 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:46.547662 2020] [gnutls:debug] [pid 49173:tid 
140479489176704] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000008 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:46 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49287 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/21_TLS_reverse_proxy_wrong_cert/output   
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:46.688791422 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 21_TLS_reverse_proxy_wrong_cert
[Mon Jan 27 07:56:46.753779 2020] [gnutls:debug] [pid 49361:tid 
139691557057664] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:46.822503 2020] [gnutls:debug] [pid 49369:tid 
140406477767808] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:46.645053 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(2578): [client 127.0.0.1:43688] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:46.645210 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:46.645288 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:46.665621 2020] [:warn] [pid 49261:tid 140479387662080] 
[remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. 
The name in the certificate does not match the expected. 
[Mon Jan 27 07:56:46.665655 2020] [gnutls:info] [pid 49261:tid 140479387662080] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the 
certificate.'
[Mon Jan 27 07:56:46.665812 2020] [proxy_http:error] [pid 49261:tid 
140479387662080] (103)Software caused connection abort: [client 
127.0.0.1:43688] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:46.665841 2020] [proxy_http:debug] [pid 49261:tid 
140479387662080] mod_proxy_http.c(1351): [client 127.0.0.1:43688] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:46.665852 2020] [proxy:error] [pid 49261:tid 140479387662080] 
[client 127.0.0.1:43688] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:46.665859 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:46.666119 2020] [gnutls:debug] [pid 49261:tid 
140479387662080] gnutls_io.c(501): [client 127.0.0.1:43688] mgs_bye: TLS 
connection closed.
FAIL test-21_TLS_reverse_proxy_wrong_cert.bash (exit status: 1)

FAIL: test-22_TLS_reverse_proxy_crl_revoke
==========================================

TESTING: 22_TLS_reverse_proxy_crl_revoke
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:48.231239 2020] [gnutls:debug] [pid 49371:tid 
140485312394368] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 34.604586 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:48.297053 2020] [gnutls:debug] [pid 49398:tid 
140570227635328] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:48 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49469 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/22_TLS_reverse_proxy_crl_revoke/output   
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:48.456730263 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 22_TLS_reverse_proxy_crl_revoke
[Mon Jan 27 07:56:48.515754 2020] [gnutls:debug] [pid 49563:tid 
140030353167488] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:48.584173 2020] [gnutls:debug] [pid 49571:tid 
140202088002688] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:48.412814 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(2578): [client 127.0.0.1:43692] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:48.412931 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:48.413000 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:48.435327 2020] [:warn] [pid 49466:tid 140570102060800] 
[remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. 
The certificate chain is revoked. 
[Mon Jan 27 07:56:48.435348 2020] [gnutls:info] [pid 49466:tid 140570102060800] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the 
certificate.'
[Mon Jan 27 07:56:48.435462 2020] [proxy_http:error] [pid 49466:tid 
140570102060800] (103)Software caused connection abort: [client 
127.0.0.1:43692] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:48.435503 2020] [proxy_http:debug] [pid 49466:tid 
140570102060800] mod_proxy_http.c(1351): [client 127.0.0.1:43692] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:48.435513 2020] [proxy:error] [pid 49466:tid 140570102060800] 
[client 127.0.0.1:43692] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:48.435519 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:48.435726 2020] [gnutls:debug] [pid 49466:tid 
140570102060800] gnutls_io.c(501): [client 127.0.0.1:43692] mgs_bye: TLS 
connection closed.
FAIL test-22_TLS_reverse_proxy_crl_revoke.bash (exit status: 1)

FAIL: test-23_TLS_reverse_proxy_mismatched_priorities
=====================================================

TESTING: 23_TLS_reverse_proxy_mismatched_priorities
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:44.735239 2020] [gnutls:debug] [pid 48957:tid 
140513797600384] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)'
 created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 29.468541 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:44.806930 2020] [gnutls:debug] [pid 48960:tid 
140579053433984] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:44 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49064 ?        00:00:00 sleep
--- 
/build/mod-gnutls-0.9.0/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
        2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:44.936852027 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 23_TLS_reverse_proxy_mismatched_priorities
[Mon Jan 27 07:56:44.997278 2020] [gnutls:debug] [pid 49148:tid 
140644500755584] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:45.068445 2020] [gnutls:debug] [pid 49156:tid 
140440329122944] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)'
 created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:44.909088 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(2578): [client 127.0.0.1:43684] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:44.909229 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:44.909304 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:44.911004 2020] [gnutls:info] [pid 49049:tid 140579019003648] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Alert (40) 'Handshake failed'.
[Mon Jan 27 07:56:44.911023 2020] [gnutls:info] [pid 49049:tid 140579019003648] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has 
been received.'
[Mon Jan 27 07:56:44.911150 2020] [proxy_http:error] [pid 49049:tid 
140579019003648] (103)Software caused connection abort: [client 
127.0.0.1:43684] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:44.911188 2020] [proxy_http:debug] [pid 49049:tid 
140579019003648] mod_proxy_http.c(1351): [client 127.0.0.1:43684] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:44.911199 2020] [proxy:error] [pid 49049:tid 140579019003648] 
[client 127.0.0.1:43684] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:44.911207 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:44.911520 2020] [gnutls:debug] [pid 49049:tid 
140579019003648] gnutls_io.c(501): [client 127.0.0.1:43684] mgs_bye: TLS 
connection closed.
FAIL test-23_TLS_reverse_proxy_mismatched_priorities.bash (exit status: 1)

============================================================================
Testsuite summary for mod_gnutls 0.9.0
============================================================================
# TOTAL: 35
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  4
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
============================================================================
make[6]: *** [Makefile:1093: test-suite.log] Error 1

--- End Message ---
--- Begin Message ---
Source: mod-gnutls
Source-Version: 0.9.0-1.1~deb10u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mod-gnutls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mod-gnutls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Jul 2020 00:37:00 +0300
Source: mod-gnutls
Architecture: source
Version: 0.9.0-1.1~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Daniel Kahn Gillmor <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 950300 950301
Changes:
 mod-gnutls (0.9.0-1.1~deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for buster.
 .
 mod-gnutls (0.9.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Backported patches to fix test failures with the
     apache CVE-2019-10092 fix. (Closes: #950300)
   * Disable a test that fails with GnuTLS >= 3.6.11. (Closes: #950301)
   * Backported a fix for a possible segfault on failed TLS handshake.
Checksums-Sha1:
 a9ccb04876baf445cfd47287e8fd18a94db9fa2e 2637 mod-gnutls_0.9.0-1.1~deb10u1.dsc
 a91205342a6dfb82574abdca4b636d75fce1ddd5 12456 
mod-gnutls_0.9.0-1.1~deb10u1.debian.tar.xz
Checksums-Sha256:
 bc39f5de91c265d05cdecba965e5c63af979fdff15bb6908dbe9097c3656e93a 2637 
mod-gnutls_0.9.0-1.1~deb10u1.dsc
 00207c426cb1bb433323b2aa509c134c584f7e66744fe98d0fe0b46257e3c927 12456 
mod-gnutls_0.9.0-1.1~deb10u1.debian.tar.xz
Files:
 1139f56d2f8297aa3a1f9a0ad0c1efff 2637 httpd optional 
mod-gnutls_0.9.0-1.1~deb10u1.dsc
 4ee6731d6973ba8d2e5308122224fbb9 12456 httpd optional 
mod-gnutls_0.9.0-1.1~deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl8DmlcACgkQiNJCh6LY
mLHVDw/7Byi7n5OVECtcMhoXNDX4kC7tT/vcFfgdqwyMdx0mHpcybh40SInbKjkF
GdRyPoXTcYJVvpl5JqBDXGxlBjpat7stZHE/GXJkag9wiUcOF6YUaVUyoKNkfbeD
xMfNEhVU9I91CcdG7cTMJer4yNfRp5ktyYRTe1CSotFsFVjBKpVPoF1fyV7q3xqY
KqzFJzVgIiLOSqZF47CsXCXm7IsCmCVsA0jUkT5yd2bucVEbobUYz/x3LBRKgVUi
BQBnmG5/YGouQfafJXbuZ4U+3jI3CJ21ya/tmOFyI8NO8BRg30qrsv8XeGcMJ3IQ
0UUmfidXbkxetmyyR/Yh4sL1TPTcXaE8dnbuqH/LRAFk//KZPynRWq5JuQNnm1j0
ebwl/DMe7MJPqD1lM3s4lARHQndG+tw/4fKrlfcIdKyXa6H5+FKBGE6/mUH6ZaoE
JDMo9Zto3huEIOfBM/6oTaGNuIVdvuTapMgLEevq0jpEWUX6elevITMfr2Xiy2ER
MN+TkDNGUsN2qSHXgC9Qgo4/1drPwKha29FmGpfHYs9M37PS82uUJ5sQEAoBEJ4u
GUbhwIyuYD8H/38JhzMCAzjM2YdMW0bBKpqKxWdprAEz7nkhFfoUZDZ5lM52busD
8VDUSlNZxbzsW9hhLr96+Dqc7DUwwtgG+8kHfElcp+pGVvVcR2M=
=2SAn
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to