[Bug 64368] SSLVerifyClient in location context broken
https://bz.apache.org/bugzilla/show_bug.cgi?id=64368

--- Comment #10 from Peter Pramberger ---

PHA is incompatible with HTTP/2 (see RFC8740), that's the reason why it is disabled by default.

https://hg.mozilla.org/mozilla-central/rev/1bb8ad865648:

    // Turn off post-handshake authentication for TLS 1.3 by default,
    // until the incompatibility with HTTP/2 is resolved:
    // https://tools.ietf.org/html/draft-davidben-http2-tls13-00
    pref("security.tls.enable_post_handshake_auth", false);

-- 
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
Ruediger Pluem changed:

    What       | Removed | Added
    -----------|---------|---------
    Status     | NEW     | RESOLVED
    Resolution | ---     | INVALID
--- Comment #9 from apache.4d...@nospam.spacesurfer.com ---

In Firefox there is a config parameter you can set to enable PHA:

    security.tls.enable_post_handshake_auth

For some reason it defaults to false. If I set this to true then all works fine with TLS 1.3.
--- Comment #8 from apache.4d...@nospam.spacesurfer.com ---

It does look like a browser issue.
--- Comment #7 from Ruediger Pluem ---

Thanks for the update. But this is a client issue. From the logfiles you sent for the failing 2.4.43 case:

    [Tue Apr 21 13:16:33.534521 2020] [ssl:debug] [pid 52721] ssl_engine_kernel.c(1147): [client 127.0.0.1:47459] AH10129: verify client post handshake
    [Tue Apr 21 13:16:33.534546 2020] [ssl:error] [pid 52721] [client 127.0.0.1:47459] AH10158: cannot perform post-handshake authentication
    [Tue Apr 21 13:16:33.534585 2020] [ssl:error] [pid 52721] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

The client does not send the SSL_verify_client_post_handshake extension. When testing with openssl s_client, please ensure you set the -enable_pha option.
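The two log patterns in this thread (the AH10158 / "extension not received" failure under TLS 1.3 in comment #7, and the AH02255 / AH02260 renegotiation path under TLS 1.2 in comment #4) are easy to confuse when reading a busy error_log. The following is an added example, not code from the bug report or from httpd: a small triage script that classifies mod_ssl log excerpts into "client did not advertise PHA" versus "classic TLS 1.2 renegotiation", plus a client-side context that does what `openssl s_client -enable_pha` does, so a probe written in Python can actually satisfy a per-Location SSLVerifyClient over TLS 1.3. The sample log text is copied from the comments above and embedded as constructed input; host names, file paths and the `s_client` argument list are illustrative assumptions.

```python
"""Triage mod_ssl logs for per-Location SSLVerifyClient failures under TLS 1.3.

Added example (not from bug 64368 or httpd). Sample log text below is copied
from the bug comments and embedded here as constructed input for the parser.
"""
import re
import ssl

# Constructed sample 1: httpd 2.4.43, TLS 1.3, client without the PHA extension.
FAIL_LOG = """\
[Tue Apr 21 13:16:33.534521 2020] [ssl:debug] [pid 52721] ssl_engine_kernel.c(1147): [client 127.0.0.1:47459] AH10129: verify client post handshake
[Tue Apr 21 13:16:33.534546 2020] [ssl:error] [pid 52721] [client 127.0.0.1:47459] AH10158: cannot perform post-handshake authentication
[Tue Apr 21 13:16:33.534585 2020] [ssl:error] [pid 52721] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
"""

# Constructed sample 2: httpd 2.4.41, TLS 1.2, classic mid-connection renegotiation.
OK_LOG = """\
[client 127.0.0.1:22877] AH02034: Initial (No.1) HTTPS request received for child 3 (server patrick.spacesurfer.com:443)
[client 127.0.0.1:22877] AH02255: Changed client verification type will force renegotiation
[client 127.0.0.1:22877] AH02221: Requesting connection re-negotiation
[client 127.0.0.1:22877] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
"""

AH_CODE_RE = re.compile(r"\b(AH\d{5}):")
NO_PHA_EXT_RE = re.compile(r"SSL_verify_client_post_handshake:extension not received")


def classify(log_text):
    """Return (verdict, ah_codes) for one connection's worth of mod_ssl log lines.

    verdicts:
      client_lacks_pha     TLS 1.3, server tried PHA, client never advertised it
      tls12_renegotiation  TLS <= 1.2, server forced a full renegotiation
      tls13_pha_requested  TLS 1.3, PHA was requested and no error followed
      unknown              none of the above patterns matched
    """
    lines = log_text.splitlines()
    codes = [m.group(1) for line in lines for m in [AH_CODE_RE.search(line)] if m]
    no_pha_ext = any(NO_PHA_EXT_RE.search(line) for line in lines)

    if "AH10158" in codes and no_pha_ext:
        return ("client_lacks_pha", codes)
    if "AH02255" in codes and "AH02260" in codes:
        return ("tls12_renegotiation", codes)
    if "AH10129" in codes and "AH10158" not in codes:
        return ("tls13_pha_requested", codes)
    return ("unknown", codes)


def pha_client_context(cafile=None, certfile=None, keyfile=None):
    """Client SSLContext that advertises post_handshake_auth in its ClientHello.

    This is the Python equivalent of `openssl s_client -enable_pha`: without it a
    TLS 1.3 client cannot answer the CertificateRequest that a Location-scoped
    SSLVerifyClient triggers, and mod_ssl logs AH10158.  Requires an ssl module
    built against OpenSSL 1.1.1 or newer (Python 3.8+).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if ssl.HAS_TLSv1_3:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # force the path under test
    ctx.post_handshake_auth = True  # send the post_handshake_auth extension
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # client cert to present on request
    return ctx


def s_client_command(host, port=443, cert="client.pem", key="client.key", cafile="ca.pem"):
    """argv for the manual check from comment #7 (paths are illustrative).

    After it connects, type `GET /s/ HTTP/1.1`, `Host: <host>` and a blank line;
    a PHA-capable exchange shows the server's CertificateRequest and a second
    `Verify return code`, while a client without -enable_pha is rejected.
    """
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
            "-tls1_3", "-enable_pha", "-cert", cert, "-key", key, "-CAfile", cafile]


if __name__ == "__main__":
    for name, text in (("2.4.43/TLS1.3", FAIL_LOG), ("2.4.41/TLS1.2", OK_LOG)):
        verdict, codes = classify(text)
        print(f"{name}: {verdict} {codes}")
    print(" ".join(s_client_command("patrick.spacesurfer.com")))
```

The classifier keys on the AH codes only, so it works on the default `LogLevel ssl:debug` output the thread asked for and does not need the OpenSSL error string except to confirm the PHA case. The workaround from comment #6 (dropping TLSv1.3 from SSLProtocol) makes every client fall back to the `tls12_renegotiation` path; fixing the client, as comment #9 did with `security.tls.enable_post_handshake_auth`, keeps TLS 1.3.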
--- Comment #6 from apache.4d...@nospam.spacesurfer.com ---

You are correct, firefox 75 (with openssl 1.1.1f) uses TLS 1.2 with apache 2.4.41 and TLS 1.3 with apache 2.4.43, the server also has openssl 1.1.1f.

Note that before I filed the bug I tested both server setups with openssl 1.1.1e and I tried chromium 80.0.3987.163 on the client. All combinations I tried had the same result (2.4.41 worked, 2.4.43 didn't).

My apache configuration also had

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

if I change it to

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3

then 2.4.43 works fine.
--- Comment #5 from Ruediger Pluem ---

Can you please check if you use TLS 1.3 when connecting against 2.4.43 and TLS < 1.3 when connecting against 2.4.41? It is possible that the client does not turn on client cert support in the TLS 1.3 case. See also https://github.com/openssl/openssl/issues/6933
--- Comment #4 from apache.4d...@nospam.spacesurfer.com ---

I have attached debug level logging for both versions of apache. For 2.4.41 we get

    [client 127.0.0.1:22877] AH02034: Initial (No.1) HTTPS request received for child 3 (server patrick.spacesurfer.com:443), referer: https://patrick.spacesurfer.com/s/
    [client 127.0.0.1:22877] AH02255: Changed client verification type will force renegotiation, referer: https://patrick.spacesurfer.com/s/
    [client 127.0.0.1:22877] AH02221: Requesting connection re-negotiation, referer: https://patrick.spacesurfer.com/s/
    [client 127.0.0.1:22877] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation), referer: https://patrick.spacesurfer.com/s/

For 2.4.43 there is no renegotiation forced:

    AH02034: Initial (No.1) HTTPS request received for child 1 (server patrick.spacesurfer.com:443)
    AH10129: verify client post handshake
apache.4d...@nospam.spacesurfer.com changed:

    What                          | Removed                                    | Added
    ------------------------------|--------------------------------------------|-------------------------------------------
    Attachment #37191 description | debug level logging for apache 2.4.33      | debug level logging for apache 2.4.43
--- Comment #2 from apache.4d...@nospam.spacesurfer.com ---

Created attachment 37191
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37191=edit
debug level logging for apache 2.4.33
--- Comment #3 from apache.4d...@nospam.spacesurfer.com ---

Created attachment 37192
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37192=edit
debug level logging for apache 2.4.41
--- Comment #1 from Ruediger Pluem ---

Can you please provide debug level error logs for the 2.4.41 and 2.4.43 case where you access something below /s?