[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-04 Thread Mathew Hodson
** No longer affects: openssl (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1833039 Title: 18.04/Apache2: rejecting client initiated renegotiation due to

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-04 Thread Petter A. Urkedal
apache2.2.4.29-1ubuntu4.7 also fixed the issue for us. Thanks!

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-03 Thread Benjamin Schneider
I can confirm that the bug was fixed by installing the updated 2.4.29-1ubuntu4.7 package from bionic-proposed. Thank you all for your help.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
The apache2 DEP8 tests are now clear across the board for bionic and cosmic: https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apache2 https://people.canonical.com/~ubuntu-archive/proposed-migration/cosmic/update_excuses.html#apache2

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
There are dozens of cosmic tests still running

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
I'm checking.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Brian Murray
Hello Benjamin, or anyone else affected, Accepted apache2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
Packages uploaded to their respective -proposed queues, it's up to the SRU team now.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Paride Legovini
I followed the test steps in the description and I can confirm the fix works as expected. Thanks Andreas for making a complicated setup so easy to test!

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Changed in: apache2 (Ubuntu Cosmic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: apache2 (Ubuntu Bionic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: apache2 (Ubuntu Bionic) Importance: Undecided => High ** Changed in: apache2

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369541 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369542

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] - Under the following conditions, https connections using client cert authentication will suffer a long delay (15s or more if modreqtimeout is disabled): + Under the following conditions, https connections using client cert authentication will suffer a long

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client key ** Attachment added: "client-auth.key" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key ** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server certificate ** Attachment added: "ubuntu.pem" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client certificate ** Attachment added: "client-auth.pem" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server key ** Attachment added: "ubuntu.key" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
fake CA ** Description changed: [Impact] + Under the following conditions, https connections using client cert authentication will suffer a long delay (15s or more if modreqtimeout is disabled): + * TLSv1.2 + * client certificate authentication in use + * a Location, Directory, or other such

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Benjamin Schneider
@Andreas Hasenack: Many thanks - the patches from your PPA worked.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-29 Thread Andreas Amann
@ahasenack: Yes, that ppa (in #19) also solved the problem mentioned in my linked bugreport https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833896 A big "thank you" to you and all others who helped to solve this problem!!

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
The PPA has cosmic and bionic packages. I tested with the prefork, worker and event MPMs, and also ran the apache DEP8 tests. All passed. I'll prepare MPs, update this bug with the SRU template and testing instructions, and get ready to release this early next week.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
** Also affects: apache2 (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: apache2 (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Bionic)

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
I think this patch worked: https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844 Could you please try the build from my ppa: https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-1833039

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5 "Moving "SSLVerifyClient require" outside of the block instantly returns the document. So it does appear to be ONLY the renegotiation case. " That works here too, in my simple test case. I had this location directive:

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
This is confusing, I'm seeing the timeout with a TLSv1.2 connection, and the commit pointed out in comment #9 mentions TLSv1.3.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can try some or all of the patches mentioned in https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689/comments/2 That bug might be a duplicate, btw. (or this one)

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
Same thing. Another, or an additional, fix is needed.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can reproduce this with stock bionic (plus updates applied). ==> /var/log/apache2/error.log <== [Thu Jun 27 19:37:43.049064 2019] [ssl:error] [pid 3084:tid 140343919978240] [client 10.0.100.1:45036] AH02261: Re-negotiation handshake failed It's a bit complicated to set up, as usual with SSL

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread J Manzano
I've tried it and it's not working for me. Do you need some log or something I can try?

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Paride Legovini
Thanks for the reports and comments. I set up a PPA with the patch pointed out by xnox in comment #7 on bionic's apache2 source package: https://launchpad.net/~legovini/+archive/ubuntu/apache2-lp1833039 It would be great to have some feedback on the effectiveness of the patch. Thank you!

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-26 Thread fredbcode
apt-get update && apt-get install -y --no-install-recommends --allow-downgrades libssl1.1=1.1.0g-2ubuntu4.3 openssl=1.1.0g-2ubuntu4.3
Temporary fix. This issue is particularly painful in production.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Tilman Sandig
@xnox: I think you are right with mod_ssl; I run apache2 2.4.39 (built from sources, the above mentioned mod_ssl-patch is probably included here?) on ubuntu 18.04 and was not aware I had to rebuild it after the ubuntu-update to OpenSSL 1.1.1; after the rebuild everything seems to be fine!

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Brian Murray
** Tags added: regression-update rls-bb-incoming

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
I think for this ticket we want: commit b5872f95b64177212b2e129dcae15d91c46abbc8 Author: Yann Ylavic Date: Fri Jun 15 11:12:19 2018 + mod_ssl: disable check for client initiated renegotiations with TLS 1.3. This is already forbidden by the protocol, enforced by OpenSSL, and

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
@ssp297 I believe this is different. Renegotiation & client certs do not depend on each other, and can be used together or separately.

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
@benjamin I believe disabling TLSv1.3 via openssl.cnf tweak would work too, without downgrading openssl. I.e. using something like this https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch (Probably without the CipherString line, which will raise security requirements higher than the

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Tilman Sandig
see also https://bugs.launchpad.net/apache2/+bug/1833896 duplicate?

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openssl (Ubuntu) Status: New => Confirmed

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apache2 (Ubuntu) Status: New => Confirmed