[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-10-08 Thread Robie Basak
** Tags added: bionic-openssl-1.1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1836329 Title: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS To

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-18 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.8 --- apache2 (2.4.29-1ubuntu4.8) bionic; urgency=medium * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0 similarly to <0 with openssl 1.1.1 * d/p/clear-retry-flags-before-abort.patch:

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-18 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.4.34-1ubuntu2.3 --- apache2 (2.4.34-1ubuntu2.3) cosmic; urgency=medium * d/p/ssl-read-rc-value-openssl-1.1.1.patch: Handle SSL_read() return code 0 similarly to <0 with openssl 1.1.1 * d/p/clear-retry-flags-before-abort.patch:

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-18 Thread Stefan Huehner
Bionic-verification: done and fine. Using *** 2.4.29-1ubuntu4.8 100 100 /var/lib/dpkg/status from bionic-proposed I can no longer reproduce any of the bad effects (apache2 processes left with 100% cpu or left-over tcp connections). Also we updated a single production machine to let it

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-17 Thread Andreas Hasenack
Cosmic verification First, reproducing the bug with: *** 2.4.34-1ubuntu2.2 500 500 http://us.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages Then I enabled the required modules, restarted apache, kept monitoring cpu usage per process using top, and asked ssllabs for the

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-17 Thread Giraffe
Giraffe here, I've just tested the following packages on our server: ii apache2 2.4.29-1ubuntu4.8 amd64 Apache HTTP Server ii apache2-bin 2.4.29-1ubuntu4.8 amd64 Apache HTTP Server ii apache2-data

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-17 Thread Steve Langasek
Hello Stefan, or anyone else affected, Accepted apache2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-17 Thread Andreas Hasenack
** Description changed: [Impact] With latest apache 2.4.29-1ubuntu4.7 published to 18.04 LTS bionic, when running ssllabs.com/ssltest against it to verify the configuration it leaves 2 apache processes using 100% indefinitely. Downgrading to 2.4.29-1ubuntu4.6 makes it not reproducible

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-17 Thread Andreas Hasenack
Uploaded to cosmic and bionic proposed queues, unapproved.

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Steve Langasek
Because it is an SRU regression (apache2 2.4.34-1ubuntu2.2 introduced the same change to cosmic that apache2 2.4.29-1ubuntu4.7 did for bionic), I would accept a fix for cosmic for expedited SRU verification despite the EOL being in 2 days' time.

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
I suddenly realized cosmic is EOL. I'll let the SRU team weigh in if this fix can still be published for cosmic or not. ** Changed in: apache2 (Ubuntu Cosmic) Status: New => In Progress ** Changed in: apache2 (Ubuntu Cosmic) Importance: Undecided => Critical ** Changed in: apache2

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/370222

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/370217

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
** Description changed: [Impact] With latest apache 2.4.29-1ubuntu4.7 published to 18.04 LTS bionic, when running ssllabs.com/ssltest against it to verify the configuration it leaves 2 apache processes using 100% indefinitely. Downgrading to 2.4.29-1ubuntu4.6 makes it not reproducible

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
** Description changed: [Impact] + With latest apache 2.4.29-1ubuntu4.7 published to 18.04 LTS bionic, when running ssllabs.com/ssltest against it to verify the configuration it leaves 2 apache processes using 100% indefinitely. - * An explanation of the effects of the bug on users and -

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
** Description changed: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
Only https://github.com/apache/httpd/commit/7fa21ea6602b30cc43d4f485777545dd73bb25a6 is needed to fix this issue reported here, but I'll include https://github.com/apache/httpd/commit/524608b65ec410e797a7283e6e142f8e5a74be26 as well since it's a change regarding openssl 1.1.1 that might bite us in

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Andreas Hasenack
Thanks TJ, Stefan and Christian. I'm cleaning up the packaging, properly formatting the patches, and doing a quick check if I really need both patches or just the last one I added. I'll post updates here, and then prepare an SRU.

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-16 Thread Stefan Huehner
@ahasenack: Installing your 2.4.29-1ubuntu4.8~sslreadrc~ppa3 in a copy of the server where I initially discovered the issue makes it not reproducible anymore. If you need more testing later, as you indirectly said in #27, just let me know; I keep that testing instance around. @paelzer: Sorry for not

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Steve Beattie
** Information type changed from Public to Public Security

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread TJ
@ahasenack: 2.4.29-1ubuntu4.8~sslreadrc~ppa3 confirmed working without processes spinning

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
I applied https://github.com/apache/httpd/commit/524608b65ec410e797a7283e6e142f8e5a74be26 and https://github.com/apache/httpd/commit/7fa21ea6602b30cc43d4f485777545dd73bb25a6 and that seems to work. Will clean the packaging up with those patches, check if perhaps only one is needed. PPA with

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
Actually, disco and eoan never had this bug, so the correct status for those tasks is "invalid". ** Changed in: apache2 (Ubuntu Disco) Status: Fix Released => Invalid ** Changed in: apache2 (Ubuntu Eoan) Status: Fix Released => Invalid

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
Disco is also clean, as expected. ** Also affects: apache2 (Ubuntu Disco) Importance: Undecided Status: New ** Changed in: apache2 (Ubuntu Disco) Status: New => Fix Released ** Changed in: apache2 (Ubuntu Eoan) Importance: Critical => Undecided ** Changed in: apache2

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
eoan is fine ** Also affects: apache2 (Ubuntu Eoan) Importance: Critical Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: apache2 (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: apache2 (Ubuntu Bionic) Status: New => In

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
Cosmic affected (2.4.34-1ubuntu2.2) ** Also affects: apache2 (Ubuntu Cosmic) Importance: Undecided Status: New

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
** Changed in: apache2 (Ubuntu) Status: Incomplete => In Progress

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
I downgraded to 2.4.29-1ubuntu4.6 and confirm the issue not showing up there. I upgraded to 2.4.29-1ubuntu4.7 and can trigger it again. You can up/downgrade with: $ sudo dpkg -i ~/apachedebs/2.4.29-1ubuntu4.7/* $ sudo dpkg -i ~/apachedebs/2.4.29-1ubuntu4.6/* The test is at:

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
Disable: #HSTS Header Header always set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload" => Still triggering ... Disable: #Enable http2 Protocols h2 http/1.1 # AND SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
I tried my local tools and testssl also tests renegotiation but doesn't trigger this :-/ sslyze also has: * Session Renegotiation: Client-initiated Renegotiation:OK - Rejected Secure Renegotiation: OK - Supported $ openssl s_client -connect dusma.de:443 ...

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
Tried 2 more times with this config; we are now at 3/3 hits. Seems reproducible enough? Difference in ssllabs output: HTTP Strict Transport Security (HSTS) with long duration deployed on this server. Which is green but downgrades the protocol result by 5% Anyway, this is one of the changes

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
OK, DNS propagation has happened. Scanning with ssllabs test: - 2.4.29-1ubuntu4.6 (all ok) - 2.4.29-1ubuntu4.7 (ok as well) I see worker threads start while the test is running, like 32 or so. But never does the cpu consumption peak to anything high. Nor do processes hang around in CLOSE_WAIT

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Andreas Hasenack
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3389 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4929 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0169 **

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
I have set up what I described in comment #2 in an openstack instance that has a public IP. That already was a crap of setup work, but now I realized that I also need dns to be able to use ssllabs check :-/ I have had some free DNS entries to configure and for now have set one of my domains to

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Giraffe
If you need more info about the system the server runs on, I'll be happy to share it privately; if so, please let me know.

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
I dropped my former ssl-params.conf and added from you for the mod config: + SSLHonorCipherOrder on + SSLCipherSuite

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Giraffe
** Attachment added: "/sites-enabled/000-default-ssl.conf" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1836329/+attachment/5277069/+files/000-default-ssl.conf

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Giraffe
** Attachment added: "mods-enabled/ssl.conf" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1836329/+attachment/5277068/+files/ssl.conf

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
** Tags added: regression-update

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
If non confidential attaching it here would be best, so I can try with exactly your settings. If confidential still the best would be to replace the few critical parts with like and then attach it here. Only if all of the above is not feasible mailing it would be the fallback (which would

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Giraffe
@Christian, I'll see what I can do, happy to help out. Would it help if I e-mail you our "/etc/apache2/mods-enabled/ssl.conf" config and a copy of "ssl.conf"?

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
#1, #2 and #3 gave me nothing in terms of "load" on the target apache server after the actual run. I had the expected worker threads around but those were idling. I had no connections in CLOSE_WAIT state nor showing up as reading in the server status module. @Stefan - we have two obvious paths

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
@Giraffe - glad for this extra confirmation, it would be great if you could help as well to trim down the test to something more easily reproducible. Since we have more affected people I'll raise severity and set the regression tag. If only the initial bug fixed wouldn't be severe as well I'd

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apache2 (Ubuntu) Status: New => Confirmed

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Giraffe
Can confirm this bug, affects our server as well.

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
#2 sslyze [4] $ apt install python-pip $ pip install --upgrade setuptools $ pip install --upgrade sslyze $ python -m sslyze --regular 10.253.194.151:443 AVAILABLE PLUGINS - OpenSslCcsInjectionPlugin CompressionPlugin HeartbleedPlugin OpenSslCipherSuitesPlugin

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
#3 testssl [5] $ wget https://github.com/drwetter/testssl.sh/archive/3.0rc5.tar.gz $ tar xf 3.0rc5.tar.gz $ cd testssl.sh-3.0rc5/ $ ./testssl.sh 10.253.194.151:443 ### testssl.sh 3.0rc5 from https://testssl.sh/dev/ This

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
Since ssllabs [1] is only for exposed hosts I checked their list of other tools [2]. From there I picked the offline tools that seemed usable locally [3][4][5] [1]: https://www.ssllabs.com/ssltest/index.html [2]: https://github.com/ssllabs/research/wiki/Assessment-Tools [3]:

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
#1 cipherscan [3] ./cipherscan 10.253.194.151:443 -servername 10.253.194.151 .. Target: 10.253.194.151:443 Certificate: untrusted, bits, signature TLS ticket lifetime hint: NPN protocols: OCSP stapling: not supported Cipher ordering: server Curves ordering: none - fallback: no Renegotiation

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
I followed [1] to do some checks against the version reported to be bad. The easiest copy and paste setup would be: $ apt install apache2 $ IP=$(hostname -i | cut -d' ' -f 2) $ sed -i -e "/ServerAdmin/a ServerName $IP" -e 's/ssl-cert-snakeoil.pem/apache-selfsigned.crt/' -e

[Bug 1836329] Re: Regression running ssllabs.com/ssltest causes 2 apache process to eat up 100% cpu, easy DoS

2019-07-15 Thread Christian Ehrhardt 
Andreas said (on the other bug) he wants to look into this today - assigning him and setting prio to high according to the discussion so far. @Stefan - since https://www.ssllabs.com/ssltest/index.html is external have you found anything else, maybe something reproducible locally without needing to