[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-04 Thread Mathew Hodson
** No longer affects: openssl (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Bionic:
  Fix Committed
Status in apache2 source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]
  Under the following conditions, https connections using client cert
  authentication will suffer a long delay (about 15s if mod_reqtimeout is
  enabled, more if it is disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client
    certificate authentication for that block only, differing from the SSL
    vhost as a whole

  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130

  [Test Case]

  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.

  Launch a container for the release you are testing. The command below is for
  bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu

  Enter the container as root:
  $ lxc exec ubuntu bash

  Verify hostname is "ubuntu":
  # hostname
  ubuntu

  Install apache2:
  apt update && apt install apache2

  Download the following files from this bug report and place them in
  /etc/apache2:
  cd /etc/apache2
  wget \
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem \
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem \
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key

  Download the client certificate and key files and place them in /root:
  cd /root
  wget \
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem \
    https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key

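  Create this vhost file (caution, lines may wrap, in particular LogFormat: it
  should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
  # NOTE: the <...> section tags below are reconstructed on the assumption
  # that this file follows Ubuntu's stock default-ssl.conf layout.
  <VirtualHost _default_:443>
    LogLevel info ssl:warn
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
    SSLEngine on
    SSLCertificateFile  /etc/apache2/ubuntu.pem
    SSLCertificateKeyFile /etc/apache2/ubuntu.key
    SSLCACertificateFile /etc/apache2/cacert.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    # Client certificate required for this block only, not the whole vhost
    <Location />
      SSLVerifyClient require
      Require ssl-verify-client
    </Location>
  </VirtualHost>
  EOF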

  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf

  Restart apache2:
  systemctl restart apache2

  If at this stage you try the following command, it will fail like this
  because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?

  Now retry, but providing the client certificate and key files, and forcing
  TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15
  seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918
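
Added example (not part of the bug report or of the Ubuntu packaging): a shell check that times the client-certificate request from the test case and uses the combined-ssl access log line to confirm the request met the [Impact] conditions (TLSv1.2 plus a client certificate). The function names, THRESHOLD, the /var/log/apache2 path (Ubuntu's default APACHE_LOG_DIR) and the sample log line are assumptions made here.

```shell
#!/bin/sh
# Check a server for the stall described in [Impact]. Host and file paths
# are the ones used in the test case; everything else is an assumption.
URL="https://ubuntu/"
CACERT="/etc/apache2/cacert.pem"
CERT="/root/client-auth.pem"
KEY="/root/client-auth.key"
ACCESS_LOG="/var/log/apache2/access.log"   # Ubuntu default APACHE_LOG_DIR
THRESHOLD=5   # seconds (assumed): far above a local request, far below ~15s

# Constructed sample of a line in the combined-ssl LogFormat defined above.
SAMPLE_LINE='192.0.2.10 - - [01/Jul/2019:14:12:01 +0000] "GET / HTTP/1.1" 200 11192 "-" "curl/7.58.0" protocol=TLSv1.2 commonName=client.example'

# classify_elapsed SECONDS LIMIT -> prints "stall" or "ok".
# awk is used because curl reports fractional seconds.
classify_elapsed() {
    awk -v t="$1" -v limit="$2" \
        'BEGIN { if (t + 0 >= limit + 0) print "stall"; else print "ok" }'
}

# log_field NAME LINE -> value of the trailing NAME=value token.
# A value containing spaces is cut at the first space.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# matches_impact LINE -> exit 0 only for TLSv1.2 with a client cert CN.
# Apache logs "-" when %{SSL_CLIENT_S_DN_CN}x is empty.
matches_impact() {
    proto=$(log_field protocol "$1")
    cn=$(log_field commonName "$1")
    [ "$proto" = "TLSv1.2" ] && [ -n "$cn" ] && [ "$cn" != "-" ]
}

# timed_request -> prints curl's total request time in seconds.
timed_request() {
    curl --silent --output /dev/null --write-out '%{time_total}' \
         --max-time 60 --tlsv1.2 \
         --cacert "$CACERT" --cert "$CERT" --key "$KEY" "$URL"
}

# run_check -> prints "stall", "ok" or "not-applicable".
# Reads the last access log line, so run it on an otherwise idle test host.
run_check() {
    elapsed=$(timed_request) || { echo "request failed" >&2; return 2; }
    last=$(tail -n 1 "$ACCESS_LOG")
    if ! matches_impact "$last"; then
        echo "not-applicable"
        return 0
    fi
    classify_elapsed "$elapsed" "$THRESHOLD"
}

# Only touch the network when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

A result of "not-applicable" means the logged request was not TLSv1.2 with a client certificate, so its timing says nothing about this bug.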

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-04 Thread Petter A. Urkedal
apache2.2.4.29-1ubuntu4.7 also fixed the issue for us. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  Fix Committed
Status in apache2 source package in Cosmic:
  Fix Committed


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-03 Thread Benjamin Schneider
I can confirm that the bug was fixed by installing the updated
2.4.29-1ubuntu4.7 package from bionic-proposed. Thank you all for your
help.


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
The apache2 DEP8 tests are now clear across the board for bionic and
cosmic:

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apache2

https://people.canonical.com/~ubuntu-archive/proposed-migration/cosmic/update_excuses.html#apache2


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
There are dozens of cosmic tests still running


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
I'm checking.


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Brian Murray
Hello Benjamin, or anyone else affected,

Accepted apache2 into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.2 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apache2 (Ubuntu Cosmic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-cosmic

** Changed in: apache2 (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  Fix Committed
Status in apache2 source package in Cosmic:
  Fix Committed


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
Packages uploaded to their respective -proposed queues, it's up to the
SRU team now.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  In Progress
Status in apache2 source package in Cosmic:
  In Progress


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Paride Legovini
I followed the test steps in the description and I can confirm the fix
works as expected. Thanks Andreas for making a complicated setup so easy
to test!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  In Progress
Status in apache2 source package in Cosmic:
  In Progress


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Changed in: apache2 (Ubuntu Cosmic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: apache2 (Ubuntu Bionic)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: apache2 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu Cosmic)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Critical

** Changed in: apache2 (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: apache2 (Ubuntu)
   Importance: Critical => High

** Changed in: apache2 (Ubuntu Bionic)
   Status: Confirmed => In Progress

** Changed in: apache2 (Ubuntu Cosmic)
   Status: Confirmed => In Progress

** Changed in: openssl (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  In Progress
Status in apache2 source package in Cosmic:
  In Progress


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369541

** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369542

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Invalid
Status in apache2 source package in Bionic:
  In Progress
Status in apache2 source package in Cosmic:
  In Progress


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed:

  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (about 15s if modreqtimeout is enabled, 
more if it is disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  cd /root
  wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
- client-auth.key
- client-auth.pem
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
    0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem 
--cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
  100 10918  100 109180 0706  0  0:00:15  0:00:15 --:--:--  2579
  # ll index.html
  -rw-r--r-- 1 root root 10918 Jul  1 14:15 index.html
  
  Apache will log this in the error.log file:
  [Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 
140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout
  
  That is due to modreqtimeout kicking in.
  In the access.log file, we will 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed:

  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (about 15s if modreqtimeout is enabled, 
more if it is disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
+ cd /root
+ wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
  client-auth.key
  client-auth.pem
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
    0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem 
--cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
  100 10918  100 109180 0706  0  0:00:15  0:00:15 --:--:--  2579
  # ll index.html
  -rw-r--r-- 1 root root 10918 Jul  1 14:15 index.html
  
  Apache will log this in the error.log file:
  [Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 
140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout
  
  That is due to modreqtimeout kicking in.
  In the access.log file, we will 
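
Review bot: the bare `client-auth.key` and `client-auth.pem` lines left as context directly under the added `wget` now repeat what the two URLs already name, and in a copy-paste test case they read as two more commands to run from /root. Remove them in the same edit so the step is just `cd /root` followed by the `wget`.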

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed:

  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (about 15s if modreqtimeout is enabled, 
more if it is disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
    0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem 
--cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
  100 10918  100 109180 0706  0  0:00:15  0:00:15 --:--:--  2579
  # ll index.html
  -rw-r--r-- 1 root root 10918 Jul  1 14:15 index.html
  
  Apache will log this in the error.log file:
  [Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 
140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout
  
  That is due to modreqtimeout kicking in.
  In the access.log file, we will have the request:
  10.0.100.215 - - [01/Jul/2019:14:15:22 +] "GET / HTTP/1.1" 200 16544 "-" 
"curl/7.58.0" protocol=TLSv1.2 commonName=client-auth
  
  The protocol and commonName parts confirm the protocol that was used, and 
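
A way to look for this stall in existing logs, as an added example that is not part of the bug report: it pairs each mod_reqtimeout AH01382 entry in error.log with a TLSv1.2 request in access.log that presented a client certificate, using the combined-ssl LogFormat from the test case. The sample lines are constructed on the model of the ones quoted above; the function names, the 60-second window and the assumption that both logs use the same local time are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# A double-quoted log field; Apache escapes embedded quotes as \"
_Q = r'"(?:[^"\\]|\\.)*"'

# access.log in the combined-ssl LogFormat from the test case:
# %h %l %u %t "%r" %>s %O "Referer" "User-Agent" protocol=... commonName=...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ ' + _Q + ' ' + _Q +
    r' protocol=(?P<protocol>\S+) commonName=(?P<cn>.*)$'
)
# error.log entry written by mod_reqtimeout; the client field is "ip:port"
TIMEOUT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[reqtimeout:info\] \[pid [^\]]+\] '
    r'\[client (?P<ip>[^\]]+):\d+\] AH01382: '
)


def parse_access(line):
    """Return ip, start time, request, protocol and CN, or None if no match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    # %t is local time plus a UTC offset; error.log has local time only, so
    # the offset is dropped (assumption: both logs come from the same host).
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ip": m["ip"], "time": ts, "request": m["request"],
            "protocol": m["protocol"], "cn": m["cn"].strip()}


def parse_timeout(line):
    """Return ip and time of an AH01382 entry, or None for any other line."""
    m = TIMEOUT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return {"ip": m["ip"], "time": ts}


def find_stalled_requests(access_lines, error_lines, window=timedelta(seconds=60)):
    """Pair each AH01382 timeout with the closest earlier TLSv1.2 request
    from the same client that carried a client certificate."""
    candidates = []
    for line in access_lines:
        entry = parse_access(line)
        # "-" is what mod_ssl logs when no client certificate was presented
        if entry and entry["protocol"] == "TLSv1.2" and entry["cn"] not in ("", "-"):
            candidates.append(entry)

    findings, used = [], set()
    for line in error_lines:
        timeout = parse_timeout(line)
        if not timeout:
            continue
        best = None
        for i, entry in enumerate(candidates):
            if i in used or entry["ip"] != timeout["ip"]:
                continue
            # %t is the time the request was received, so the timeout
            # is logged after it, not before
            delay = timeout["time"] - entry["time"]
            if timedelta(0) <= delay <= window and (best is None or delay < best[1]):
                best = (i, delay)
        if best:
            used.add(best[0])
            entry = candidates[best[0]]
            findings.append({"ip": entry["ip"], "cn": entry["cn"],
                             "request": entry["request"],
                             "delay_seconds": best[1].total_seconds()})
    return findings


# Constructed sample input, modelled on the log lines quoted in the report.
SAMPLE_ACCESS_LOG = [
    '10.0.100.215 - - [01/Jul/2019:14:15:22 +0000] "GET / HTTP/1.1" 200 16544 '
    '"-" "curl/7.58.0" protocol=TLSv1.2 commonName=client-auth',
    '10.0.100.216 - - [01/Jul/2019:14:16:00 +0000] "GET / HTTP/1.1" 200 16544 '
    '"-" "curl/7.58.0" protocol=TLSv1.3 commonName=client-auth',
    '10.0.100.217 - - [01/Jul/2019:14:17:00 +0000] "POST /upload HTTP/1.1" 408 0 '
    '"-" "curl/7.58.0" protocol=TLSv1.2 commonName=-',
]
SAMPLE_ERROR_LOG = [
    '[Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] '
    'SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:'
    'peer did not return a certificate -- No CAs known to server for verification?',
    '[Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid '
    '140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout',
    '[Mon Jul 01 14:17:20.500000 2019] [reqtimeout:info] [pid 1685:tid '
    '140326278772480] [client 10.0.100.217:40122] AH01382: Request body read timeout',
]

if __name__ == "__main__":
    for hit in find_stalled_requests(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG):
        print("{ip} cn={cn} {request!r} stalled {delay_seconds:.1f}s".format(**hit))
```

A timeout from a client that presented no certificate, or a request over another protocol version, is left out because it does not match the conditions listed under [Impact].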

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed:

  [Impact]
- Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
+ Under the following conditions, https connections using client cert 
authentication will suffer a long delay (about 15s if modreqtimeout is enabled, 
more if it is disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem
- 
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
    0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem 
--cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
  100 10918  100 109180 0706  0  0:00:15  0:00:15 --:--:--  2579
  # ll index.html
  -rw-r--r-- 1 root root 10918 Jul  1 14:15 index.html
  
  Apache will log this in the error.log file:
  [Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 
140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout
  
  That is due to modreqtimeout kicking in.
  In the access.log file, we will have the request:
  10.0.100.215 - - [01/Jul/2019:14:15:22 +] "GET / 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client key

** Attachment added: "client-auth.key"
   
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key

** Description changed:

  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
- 
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
- ubuntu.pem
- ubuntu.key
- cacert.pem
+ cd /etc/apache2
+ wget 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
+ 
+ Adjust permissions of the key file:
+ chmod 0640 /etc/apache2/ubuntu.key
+ chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem
  
- Adjust permissions of the key file:
- chmod 0640 /etc/apache2/ubuntu.key
- chgrp www-data /etc/apache2/ubuntu.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
    0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem 
--cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
   Dload  Upload   Total   SpentLeft  Speed
  100 10918  100 109180 0706  0  0:00:15  0:00:15 --:--:--  2579
  # ll index.html
  -rw-r--r-- 1 root root 10918 Jul  1 14:15 index.html
  
  Apache will log this in the error.log file:
  [Mon Jul 01 14:15:38.014784 2019] [reqtimeout:info] [pid 1685:tid 
140326278772480] [client 10.0.100.215:35108] AH01382: Request body read timeout
  
  That 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server certificate

** Attachment added: "ubuntu.pem"
   
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem


Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed

Bug description:
  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole

  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130

  [Test Case]

  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.

  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu

  Enter the container as root:
  $ lxc exec ubuntu bash

  Verify hostname is "ubuntu":
  # hostname
  ubuntu

  Install apache2:
  apt update && apt install apache2

  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key

  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem

  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF

  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf

  Restart apache2:
  systemctl restart apache2

  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?

  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0    706      0  0:00:15  0:00:15 --:--:--  2579
 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client certificate

** Attachment added: "client-auth.pem"
   
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem


Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed

Bug description:
  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole

  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130

  [Test Case]

  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.

  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu

  Enter the container as root:
  $ lxc exec ubuntu bash

  Verify hostname is "ubuntu":
  # hostname
  ubuntu

  Install apache2:
  apt update && apt install apache2

  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key

  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem

  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF

  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf

  Restart apache2:
  systemctl restart apache2

  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?

  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0    706      0  0:00:15  0:00:15 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server key

** Attachment added: "ubuntu.key"
   
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key


Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed

Bug description:
  [Impact]
  Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
  * TLSv1.2
  * client certificate authentication in use
  * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole

  This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
  openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
  default:
  
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130

  [Test Case]

  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.

  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu

  Enter the container as root:
  $ lxc exec ubuntu bash

  Verify hostname is "ubuntu":
  # hostname
  ubuntu

  Install apache2:
  apt update && apt install apache2

  Download the following files from this bug report and place them in 
/etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key

  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem

  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
  
  LogLevel info ssl:warn
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
  ErrorLog \${APACHE_LOG_DIR}/error.log
  CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
  SSLEngine on
  SSLCertificateFile  /etc/apache2/ubuntu.pem
  SSLCertificateKeyFile /etc/apache2/ubuntu.key
  SSLCACertificateFile /etc/apache2/cacert.pem
  
  SSLOptions +StdEnvVars
  
  
  SSLOptions +StdEnvVars
  
  
  SSLVerifyClient require
  Require ssl-verify-client
  
  
  
  EOF

  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf

  Restart apache2:
  systemctl restart apache2

  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?

  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html file will be downloaded:
  # rm -f index.html
  # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0    706      0  0:00:15  0:00:15 --:--:--  2579
  # ll 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
fake CA

** Description changed:

  [Impact]
+ Under the following conditions, https connections using client cert 
authentication will suffer a long delay (15s or more if modreqtimeout is 
disabled):
+ * TLSv1.2
+ * client certificate authentication in use
+ * a Location, Directory, or other such block defining the client certificate 
authentication for that block only, differing from the SSL vhost as a whole
  
-  * An explanation of the effects of the bug on users and
+ This was triggered by the OpenSSL 1.1.1 SRU and was caused by this
+ openssl change in SSL_MODE_AUTO_RETRY from disabled to enabled by
+ default:
+ 
https://github.com/openssl/openssl/blob/a4a90a8a3bdcb9336b5c9c15da419e99a87bc6ed/CHANGES#L121-L130
  
-  * justification for backporting the fix to the stable release.
- 
-  * In addition, it is helpful, but not required, to include an
-    explanation of how the upload fixes this bug.
  
  [Test Case]
  
  It helps if you have lxd up and running. Otherwise, a VM or even bare
  metal host also works, as long as you stick to the "ubuntu" hostname.
  
  Launch a container for the release you are testing. The command below is for 
bionic:
  $ lxc launch ubuntu-daily:bionic ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this bug report and place them in 
/etc/apache2:
  ubuntu.pem
  ubuntu.key
  cacert.pem
  
  Download the client certificate and key files and place them in /root:
  client-auth.key
  client-auth.pem
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it 
should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <
- 
- LogLevel info ssl:warn
- ServerAdmin webmaster@localhost
- DocumentRoot /var/www/html
- LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
- ErrorLog \${APACHE_LOG_DIR}/error.log
- CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
- SSLEngine on
- SSLCertificateFile  /etc/apache2/ubuntu.pem
- SSLCertificateKeyFile /etc/apache2/ubuntu.key
- SSLCACertificateFile /etc/apache2/cacert.pem
- 
- SSLOptions +StdEnvVars
- 
- 
- SSLOptions +StdEnvVars
- 
- 
- SSLVerifyClient require
- Require ssl-verify-client
- 
- 
+ 
+ LogLevel info ssl:warn
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+ LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" 
\"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" 
combined-ssl
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
+ SSLEngine on
+ SSLCertificateFile  /etc/apache2/ubuntu.pem
+ SSLCertificateKeyFile /etc/apache2/ubuntu.key
+ SSLCACertificateFile /etc/apache2/cacert.pem
+ 
+ SSLOptions +StdEnvVars
+ 
+ 
+ SSLOptions +StdEnvVars
+ 
+ 
+ SSLVerifyClient require
+ Require ssl-verify-client
+ 
+ 
  
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  If at this stage you try the following command, it will fail like this 
because no client certificate was provided:
  # curl --output /dev/null https://ubuntu/ --cacert /etc/apache2/cacert.pem
-   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
-  Dload  Upload   Total   SpentLeft  Speed
-   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
+   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
+  Dload  Upload   Total   SpentLeft  Speed
+   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
  curl: (56) OpenSSL SSL_read: error:14094410:SSL 
routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
  
  And the apache error log will confirm the reason:
  [Mon Jul 01 14:10:23.312645 2019] [ssl:error] [pid 1685:tid 140326396421888] 
SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?
  
- 
  Now retry, but providing the client certificate and key files, and forcing 
TLSv1.2 just to be sure. Due to the bug, the command will stall for about 15 
seconds, but the index.html 

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed:

+ [Impact]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+  * detailed instructions how to reproduce the bug
+ 
+  * these should allow someone who is not familiar with the affected
+package to reproduce the bug and verify that the updated package fixes
+the problem.
+ 
+ [Regression Potential]
+ 
+  * discussion of how regressions are most likely to manifest as a result
+ of this change.
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+ 
+  * This both shows the SRU team that the risks have been considered,
+and provides guidance to testers in regression-testing the SRU.
+ 
+ [Other Info]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
+  * and address these questions in advance
+ 
+ 
+ [Original Description]
  I am using Apache2 with client certificate authentication.
  Since recently (last week) and without any configuration changes, the 
following errors occur frequently:
  
  AH02042: rejecting client initiated renegotiation
  
  Client connections are very slow and sometimes it takes more than a minute 
until a weg page can be opened in the browser.
  Before installation of the latest security fixes last week, this error did 
not occur.
  
  Could it be related to
  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689?
  
- 
  System information:
  
  Description:Ubuntu 18.04.2 LTS
  Release:18.04
  
  apache2:
-   Installiert:   2.4.29-1ubuntu4.6
-   Installationskandidat: 2.4.29-1ubuntu4.6
-   Versionstabelle:
-  *** 2.4.29-1ubuntu4.6 500
- 500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
- 500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
- 100 /var/lib/dpkg/status
-  2.4.29-1ubuntu4 500
- 500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+   Installiert:   2.4.29-1ubuntu4.6
+   Installationskandidat: 2.4.29-1ubuntu4.6
+   Versionstabelle:
+  *** 2.4.29-1ubuntu4.6 500
+ 500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
+ 500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
+ 100 /var/lib/dpkg/status
+  2.4.29-1ubuntu4 500
+ 500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  
  openssl:
-   Installiert:   1.1.1-1ubuntu2.1~18.04.2
-   Installationskandidat: 1.1.1-1ubuntu2.1~18.04.2
-   Versionstabelle:
-  *** 1.1.1-1ubuntu2.1~18.04.2 500
- 500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
- 100 /var/lib/dpkg/status
-  1.1.0g-2ubuntu4.3 500
- 500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
-  1.1.0g-2ubuntu4 500
- 500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+   Installiert:   1.1.1-1ubuntu2.1~18.04.2
+   Installationskandidat: 1.1.1-1ubuntu2.1~18.04.2
+   Versionstabelle:
+  *** 1.1.1-1ubuntu2.1~18.04.2 500
+ 500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
+ 100 /var/lib/dpkg/status
+  1.1.0g-2ubuntu4.3 500
+ 500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
+  1.1.0g-2ubuntu4 500
+ 500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
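Review bot: the [Impact], [Test Case], [Regression Potential] and [Other Info] sections added at the top of this description are still the SRU template's placeholder bullets ("An explanation of the effects of the bug on users", "detailed instructions how to reproduce the bug"), so this revision carries no actual impact statement, reproduction steps or regression analysis. Replace each bullet with the concrete text before the SRU team is asked to review. The removed and added lines under [Original Description] appear to differ only in whitespace.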

** Description changed:

  [Impact]
  
-  * An explanation of the effects of the bug on users and
+  * An explanation of the effects of the bug on users and
  
-  * justification for backporting the fix to the stable release.
+  * justification for backporting the fix to the stable release.
  
-  * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
+  * In addition, it is helpful, but not required, to include an
+    explanation of how the upload fixes this bug.
  
  [Test Case]
  
-  * detailed instructions how to reproduce the bug
+ It helps if you have lxd up and running. Otherwise, a VM or even bare
+ metal host also works, as long as you stick to the "ubuntu" hostname.
  
-  * these should allow someone who is not familiar with the affected
-package to reproduce the bug and verify that the updated package fixes
-the problem.
+ Launch a container for the release you are testing. The command below is for 
bionic:
+ $ lxc launch ubuntu-daily:bionic ubuntu
+ 
+ Enter the container as root:
+ $ lxc exec ubuntu bash
+ 
+ Verify hostname is "ubuntu":
+ # hostname
+ ubuntu
+ 
+ 
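Review bot: in [Test Case], the requirement to stick to the "ubuntu" hostname is given without a reason. State why the name matters, so a tester who reuses an existing VM or bare-metal host knows which later step fails if the machine is named differently.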

[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Benjamin Schneider
@Andreas Hasenack:

Many thanks - the patches from your PPA worked.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed

Bug description:
  I am using Apache2 with client certificate authentication.
  Since recently (last week) and without any configuration changes, the 
following errors occur frequently:

  AH02042: rejecting client initiated renegotiation

  Client connections are very slow and sometimes it takes more than a minute 
until a web page can be opened in the browser.
  Before installation of the latest security fixes last week, this error did 
not occur.

  Could it be related to
  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689?

  
  System information:

  Description:Ubuntu 18.04.2 LTS
  Release:18.04

  apache2:
Installiert:   2.4.29-1ubuntu4.6
Installationskandidat: 2.4.29-1ubuntu4.6
Versionstabelle:
   *** 2.4.29-1ubuntu4.6 500
  500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
  100 /var/lib/dpkg/status
   2.4.29-1ubuntu4 500
  500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  openssl:
Installiert:   1.1.1-1ubuntu2.1~18.04.2
Installationskandidat: 1.1.1-1ubuntu2.1~18.04.2
Versionstabelle:
   *** 1.1.1-1ubuntu2.1~18.04.2 500
  500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages
  100 /var/lib/dpkg/status
   1.1.0g-2ubuntu4.3 500
  500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 
Packages
   1.1.0g-2ubuntu4 500
  500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-29 Thread Andreas Amann
@ahasenack:

Yes, that ppa (in #19) also solved the problem mentioned in my linked 
bug report 
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833896

A big "thank you" to you and all others who helped to solve this
problem!!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
The PPA has cosmic and bionic packages. I tested with the prefork,
worker and event MPMs, and also ran the apache DEP8 tests. All passed.

I'll prepare MPs, update this bug with the SRU template and testing
instructions, and get ready to release this early next week.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
** Also affects: apache2 (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: apache2 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu)
   Status: Confirmed => Incomplete

** No longer affects: openssl (Ubuntu Bionic)

** No longer affects: openssl (Ubuntu Cosmic)

** Changed in: apache2 (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: apache2 (Ubuntu Cosmic)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Incomplete
Status in apache2 source package in Bionic:
  Confirmed
Status in apache2 source package in Cosmic:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
I think this patch worked:
https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844

Could you please try the build from my ppa:
https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-1833039

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5
"Moving "SSLVerifyClient require" outside of the  block instantly 
returns the document.  So it does appear to be ONLY the renegotiation case.
"

That works here too, in my simple test case. I had this location directive:

SSLVerifyClient require
Require ssl-verify-client


By moving SSLVerifyClient to the vhost level, i.e., the whole site
requires it, then re-negotiation isn't triggered and access works
without a timeout.

** Bug watch added: bz.apache.org/bugzilla/ #62691
   https://bz.apache.org/bugzilla/show_bug.cgi?id=62691

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
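
The two placements of SSLVerifyClient compared in the message above, as an added example that is not part of the original thread; it goes one step further with a third variant that keeps per-path enforcement without renegotiation. The certificate paths come from the test vhost quoted in this thread; the `<VirtualHost *:443>` wrapper and the `/secure` path are assumptions. Use one variant, not all three.

```apache
# Added example, not the reporter's configuration. Certificate paths are the
# ones from the test vhost in this thread; <VirtualHost *:443> and the
# /secure path are assumed placeholders. Pick ONE variant.

# --- Variant A: requirement set only inside a <Location> ------------------
# The initial handshake requests no client certificate. On the first request
# for /secure, mod_ssl has to renegotiate (TLSv1.2) to ask for one. This is
# the layout that stalled after the OpenSSL 1.1.1 update.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ubuntu.pem
    SSLCertificateKeyFile /etc/apache2/ubuntu.key
    SSLCACertificateFile  /etc/apache2/cacert.pem

    <Location "/secure">
        SSLVerifyClient require
        Require ssl-verify-client
    </Location>
</VirtualHost>

# --- Variant B: requirement moved to the vhost level ----------------------
# The certificate is requested in the initial handshake, so no renegotiation
# is triggered. Side effect: every URL on this vhost now needs a client
# certificate, not just /secure.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ubuntu.pem
    SSLCertificateKeyFile /etc/apache2/ubuntu.key
    SSLCACertificateFile  /etc/apache2/cacert.pem

    SSLVerifyClient require
</VirtualHost>

# --- Variant C: request at vhost level, enforce per path ------------------
# "optional" asks for a certificate in the initial handshake but still
# admits clients that send none. Require ssl-verify-client then denies
# /secure to any request that did not present a valid certificate, so the
# rest of the site stays reachable without one and nothing renegotiates.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ubuntu.pem
    SSLCertificateKeyFile /etc/apache2/ubuntu.key
    SSLCACertificateFile  /etc/apache2/cacert.pem

    SSLVerifyClient optional

    <Location "/secure">
        Require ssl-verify-client
    </Location>
</VirtualHost>
```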


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
This is confusing, I'm seeing the timeout with a TLSv1.2 connection, and
the commit pointed out in comment #9 mentions TLSv1.3.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can try some or all of the patches mentioned in
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689/comments/2

That bug might be a duplicate, btw. (or this one)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
Same thing. Another, or an additional, fix is needed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can reproduce this with stock bionic (plus updates applied).

==> /var/log/apache2/error.log <==
[Thu Jun 27 19:37:43.049064 2019] [ssl:error] [pid 3084:tid 140343919978240] 
[client 10.0.100.1:45036] AH02261: Re-negotiation handshake failed


It's a bit complicated to set up, as usual with SSL certificates, but doable.

Let me try the ppa now.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread J Manzano
I've tried it and it's not working for me. Do you need some log or
something I can try?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1833039

Title:
  18.04/Apache2: rejecting client initiated renegotiation due to openssl
  1.1.1

Status in apache2 package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  I am using Apache2 with client certificate authentication.
  Since recently (last week) and without any configuration changes, the 
following errors occur frequently:

  AH02042: rejecting client initiated renegotiation

  Client connections are very slow and sometimes it takes more than a minute until a web page can be opened in the browser.
  Before installation of the latest security fixes last week, this error did not occur.

  Could it be related to
  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689?

  
  System information:

  Description:    Ubuntu 18.04.2 LTS
  Release:        18.04

  apache2:
    Installiert:           2.4.29-1ubuntu4.6
    Installationskandidat: 2.4.29-1ubuntu4.6
    Versionstabelle:
   *** 2.4.29-1ubuntu4.6 500
          500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
          100 /var/lib/dpkg/status
       2.4.29-1ubuntu4 500
          500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  openssl:
    Installiert:           1.1.1-1ubuntu2.1~18.04.2
    Installationskandidat: 1.1.1-1ubuntu2.1~18.04.2
    Versionstabelle:
   *** 1.1.1-1ubuntu2.1~18.04.2 500
          500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.1.0g-2ubuntu4.3 500
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       1.1.0g-2ubuntu4 500
          500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Paride Legovini
Thanks for the reports and comments. I set up a PPA with the patch pointed
out by xnox in comment #7 on bionic's apache2 source package:

  https://launchpad.net/~legovini/+archive/ubuntu/apache2-lp1833039

It would be great to have some feedback on the effectiveness of the
patch. Thank you!



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-26 Thread fredbcode
apt-get update && apt-get install -y --no-install-recommends --allow-downgrades \
    libssl1.1=1.1.0g-2ubuntu4.3 openssl=1.1.0g-2ubuntu4.3

Temporary fix; this issue is particularly painful in production



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Tilman Sandig
@xnox: I think you are right with mod_ssl; I run apache2 2.4.39 (built from 
sources, the above mentioned mod_ssl-patch is probably included here?) on 
ubuntu 18.04 and was not aware I had to rebuild it after the ubuntu-update to 
OpenSSL 1.1.1; after the rebuild everything seems to be fine!
Thanks!



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Brian Murray
** Tags added: regression-update rls-bb-incoming



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
I think for this ticket we want:

commit b5872f95b64177212b2e129dcae15d91c46abbc8
Author: Yann Ylavic 
Date:   Fri Jun 15 11:12:19 2018 +

mod_ssl: disable check for client initiated renegotiations with TLS 1.3.

This is already forbidden by the protocol, enforced by OpenSSL, and the
current logic can't work (ssl_callback_Info() may be called multiple times
with TLS 1.3).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833588 13f79535-47bb-0310-9956-ffa450edef68



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
@ssp297

I believe this is different. renegotiation & client certs do not depend
on each other, and can be used together or separately.



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Dimitri John Ledkov
@benjamin

I believe disabling TLSv1.3 via openssl.cnf tweak would work too,
without downgrading openssl.

I.e. using something like this:
https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch

(Probably without the CipherString line, which will raise security
requirements higher than the default)

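A sketch of the openssl.cnf cap to TLS 1.2 suggested in the message above, as an added example that is not part of the original post and is not the contents of the linked patch. The path /etc/ssl/openssl.cnf and the section names (default_conf, ssl_sect, system_default_sect) are assumptions; if the file already has an openssl_conf line, merge into the sections it names instead of adding a second one.

```ini
# /etc/ssl/openssl.cnf (assumed path; section names below are arbitrary labels)

# Must sit in the unnamed default section, i.e. before the first [section] header.
openssl_conf = default_conf

[default_conf]
# Point libssl at the section that holds SSL configuration.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is applied to every SSL_CTX created by applications
# that load this configuration file.
system_default = system_default_sect

[system_default_sect]
# Cap negotiation at TLS 1.2 so TLS 1.3 is never offered or accepted.
MaxProtocol = TLSv1.2

# No CipherString line here: as the message notes, setting one would raise
# the security requirements above the default, which is a separate change
# from the protocol cap.
```

The cap applies to every program that reads the system default configuration, not only Apache, so it is a host-wide loss of TLS 1.3 for as long as it stays in place; restart the affected services after editing and remove the cap once a fixed apache2 package is installed.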


[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Tilman Sandig
see also

https://bugs.launchpad.net/apache2/+bug/1833896

duplicate?



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssl (Ubuntu)
   Status: New => Confirmed



[Touch-packages] [Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apache2 (Ubuntu)
   Status: New => Confirmed
