I came by this bug and tried to update the states to better reflect the
situation.
We still have the case that for Focal there was a regression due to
updates. But also the problem that it is hard to see if we want to
revert (no as it was security improvements) or how we could fix (is it
actually
** Changed in: apache2 (Ubuntu Jammy)
Status: In Progress => Fix Released
** Changed in: python-urllib3 (Ubuntu Jammy)
Status: Confirmed => Fix Released
** Changed in: requests (Ubuntu Jammy)
Status: Confirmed => Fix Released
** Changed in: apache2 (Ubuntu Focal)
** Also affects: apache2 (Ubuntu Jammy)
Importance: Undecided
Assignee: Marc Deslauriers (mdeslaur)
Status: In Progress
** Also affects: requests (Ubuntu Jammy)
Importance: Undecided
Status: Confirmed
** Also affects: python-urllib3 (Ubuntu Jammy)
Importance:
** Tags added: server-triage-discuss
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865900
Title:
apache 2.4.29-1ubuntu4.12 authentication with client certificate
broken
To manage notifications
** Tags removed: rls-ii-incoming
** Tags added: rls-ii-incoming
Focal's curl 7.68.0-1ubuntu2.6 now supports post-handshake client
authentication.
curl \
--tls-max 1.2 \
--cacert ~/.koji/pki/koji-ca.crt \
--cert ~/koji-ansible/koji-tools/admin.crt \
--key ~/koji-ansible/koji-tools/admin.key \
https://localhost/kojihub/ssllogin
However,
** Tags removed: server-next
Hi Marc,
Thanks for the reply!
I have now done more extensive testing (incl. rebuilding
apache2-2.4.29-1ubuntu4.12 from source).
I now understand that for essentially all HTTPS clients,
it is necessary to update SSL API calls to support TLSv1.3
post-handshake authentication.
And I have also
I understand your reasoning, but as I understand the issue, with TLSv1.2
renegotiation was used to see if the client can provide a certificate or
not, but TLSv1.3 doesn't support renegotiation, so post-handshake
authentication must be used.
Thanks for opening the upstream bug, let's see what they
Hi Marc,
Thanks for getting back to me.
I've been testing this with `wget` and `curl`. And it worked before
2.4.29-1ubuntu4.13 (with 2.4.29-1ubuntu4.12), even with TLSv1.3.
Note that for this particular use case, I actually don't need (or want) the
clients to authenticate.
I just want the server
@vladimir-mencl: what you are seeing is actually this bug:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1834671
Basically, with TLSv1.3 you need a client that supports post-handshake
authentication.
Some clients, such as Firefox for example, support it but it needs to be
enabled, as
Thanks for reporting the regression. What client are you using to access
the web server?
FYI, I have just checked upstream's code-base and submitted this as a
bug to upstream:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64263
** Bug watch added: bz.apache.org/bugzilla/ #64263
https://bz.apache.org/bugzilla/show_bug.cgi?id=64263
Hi,
Just clarifying on the previous comment. From the release notes I've seen in
the bionic package, I understand this fix does:
> - debian/patches/tlsv1.3-support-3.patch: fail with 403 if
> SSL_verify_client_post_handshake fails in
> modules/ssl/ssl_engine_kernel.c.
However,
Hi,
I'm afraid the fix released in 2.4.29-1ubuntu4.13 has introduced a
regression.
We have just updated our servers to 2.4.29-1ubuntu4.13 and configuration
that was working previously suddenly broke.
We are using
SSLVerifyClient optional
inside a Location element.
Our configuration has:
Thanks for the test. That does in fact look like the Apache side of
things is now fixed as you are getting the appropriate error message
when the client support is missing, which wasn't happening before.
Hello,
tested. Issue was not solved, but got relevant error message: "You don't
have permission to access this resource.Reason: Cannot perform
Post-Handshake Authentication."
ii  apache2  2.4.29-1ubuntu4.13  amd64  Apache HTTP Server
ii
Let's sort out apache first for now, but related to this (might
eventually be split into a different bug) the clients in Bionic need to
be PHA compatible as more and more of the world will grow TLS v1.3.
I added tasks for src:python-urllib3 and src:requests to remind us to
think about those
** Also affects: requests (Ubuntu)
Importance: Undecided
Status: New
** Changed in: requests (Ubuntu)
Status: New => Confirmed
** Also affects: python-urllib3 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: python-urllib3 (Ubuntu)
Status: New =>
** Also affects: ubuntu-release-notes
Importance: Undecided
Status: New
** Changed in: ubuntu-release-notes
Status: New => Confirmed
It is quite likely that the changes fix some, but not all of the cases
so having more than one feedback for Marc's call for testing in comment
#21 would be great.
** Changed in: apache2 (Ubuntu)
Status: New => In Progress
** Changed in: apache2 (Ubuntu)
Assignee: (unassigned) =>
I have uploaded an apache2 package to the security team PPA for testing
here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
It includes a few fixes related to TLSv1.3.
Could environments having this issue please test that package and see if
it solves the issue?
Thanks!
FYI there is a similar bug 1867223 which has a patch suggested at least
for some cases of this.
I think we have enough information on this report now; all that remains
is some difficult decision making on what, if anything, we can do about
it. Depending on the answer, we might need to assign this bug to a
different package, etc.
** Changed in: apache2 (Ubuntu)
Status: Incomplete =>
** Tags added: server-next
> With Bionic's apache 2.4.29-1ubuntu4.12:
>
> "SSLProtocol TLSv1.3 TLSv1.2" - works
Tried with Firefox 73.0.1 - works, but connection is established using TLS1.2
protocol
when "SSLProtocol TLSv1.3 TLSv1.2 TLSv1.1" is specified, then TLS1.1 is used.
I guess it depends on where you change it. If you do it on a specific location
or directory, it's my understanding that this is what triggers PHA.
"SSLProtocol all -SSLv3" is in the default /etc/apache2/mods-
enabled/ssl.conf. Why does the behavior change when I set "SSLProtocol
TLSv1.3 TLSv1.2"?
There also seems to be https://bugs.python.org/issue37440
In any case, I think this bug is not about apache, other than it's a
change introduced there that made tls v1.3 available for clients to use.
The clients need to be updated now.
** Bug watch added: Python Roundup #37440
Firefox in bionic added an option to handle PHA, but it's disabled by
default because it conflicts with http2.
I'm not aware if there's an equivalent "fix" for python-requests.
** Bug watch added: github.com/urllib3/urllib3/issues #1634
https://github.com/urllib3/urllib3/issues/1634
Perhaps this: https://github.com/urllib3/urllib3/issues/1634
** Tags added: bionic-openssl-1.1
With Bionic's apache 2.4.29-1ubuntu4.12:
"SSLProtocol TLSv1.3 TLSv1.2" - works
"SSLProtocol TLSv1.3 +TLSv1.2" - does not work
"SSLProtocol all -SSLv3" - does not work
From https://bugzilla.redhat.com/show_bug.cgi?id=1761403:
"The fix is available in urllib3 1.25.4. The fix requires Python 3.7.4 or newer
with fix https://bugs.python.org/issue37428 ."
I upgraded urllib3 and requests to the Disco versions:
Unpacking python3-urllib3 (1.24.1-1ubuntu0.1) over
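On the client side, what the urllib3 1.25.4 fix referred to above does for python-requests is opt the SSLContext into post-handshake authentication. The following is an added example, not code from the bug report, urllib3 or CPython: it does the same with the standard library, building a client context with post_handshake_auth enabled where that attribute exists (Python built against OpenSSL 1.1.1 or later), and it classifies the 403 that mod_ssl returns with "Cannot perform Post-Handshake Authentication" when the client did not opt in. The URL, certificate paths and the sample 403 body are constructed; the live fetch helper is only shown, not run.

```python
"""Client side of TLS 1.3 post-handshake authentication (PHA) with the
Python standard library, plus recognition of Apache's PHA-denied 403.

Added example, not code from the bug report, urllib3 or CPython. The URL,
certificate paths and the sample response body are constructed."""
import ssl
import urllib.error
import urllib.request

# mod_ssl's reason string, as quoted in the thread's test report.
PHA_DENIED_MARKER = "Cannot perform Post-Handshake Authentication"


def pha_supported() -> bool:
    """True when this interpreter and its OpenSSL can negotiate TLS 1.3 PHA."""
    return ssl.HAS_TLSv1_3 and hasattr(ssl.SSLContext, "post_handshake_auth")


def make_client_context(certfile=None, keyfile=None, cafile=None):
    """Build a verifying client context, load a client certificate if given,
    and enable PHA when the attribute exists. Returns (context, pha_enabled)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    pha_enabled = False
    if hasattr(ctx, "post_handshake_auth"):
        # Without this flag the client refuses the server's post-handshake
        # CertificateRequest and Apache answers with the 403 handled below.
        ctx.post_handshake_auth = True
        pha_enabled = True
    return ctx, pha_enabled


def classify_response(status: int, body: str) -> str:
    """Map an HTTP status/body pair to what it says about client-cert auth."""
    if status == 403 and PHA_DENIED_MARKER in body:
        return "client-lacks-pha"   # TLS 1.3 negotiated, client did not opt into PHA
    if status in (401, 403):
        return "denied"             # certificate refused or not presented
    if 200 <= status < 300:
        return "ok"
    return "other"


def fetch_with_client_cert(url, certfile, keyfile, cafile=None):
    """Request url with a client certificate and classify the outcome.
    Not executed here: it needs a live server."""
    ctx, _ = make_client_context(certfile, keyfile, cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return classify_response(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed body modelled on the 403 quoted in the thread.
SAMPLE_403_BODY = ("<title>403 Forbidden</title><p>You don't have permission to access "
                   "this resource.</p><p>Reason: Cannot perform Post-Handshake Authentication.</p>")

if __name__ == "__main__":
    print("PHA supported here:", pha_supported())
    print("sample 403 classified as:", classify_response(403, SAMPLE_403_BODY))
    # Live use with constructed paths, mirroring the curl call earlier in the thread:
    # print(fetch_with_client_cert("https://localhost/kojihub/ssllogin",
    #                              "admin.crt", "admin.key", cafile="koji-ca.crt"))
```

A client that reports "client-lacks-pha" is exactly the case the thread describes: TLS 1.3 was negotiated, the server tried to request the certificate after the handshake, and the client had not opted in; the fix is on the client (enable PHA) or on the server (move SSLVerifyClient to the vhost or keep TLS 1.3 off), not in the certificate itself.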
Most clients don't support post handshake authentication, hence can't
use client side certificates with TLSv1.3.
In environments where client side certificates are used, TLSv1.3 has to
be disabled in the Apache configuration until browsers and other clients
support post handshake authentication.
> I can confirm this as well. I have a CI job that uses python-requests to
> contact
> Apache with SSL x509 client authentication. This job passed with
> apache 2.4.29-1ubuntu4.11 and it fails with apache 2.4.29-1ubuntu4.12.
Is this a case where python or python-requests could be updated to
Bug #1834671 also has this possible workaround:
"""
Another workaround is to move the SSLVerifyClient config to the vhost level. If
it is applied to the whole vhost, and there are no exceptions in specific blocks,
then a re-negotiation isn't triggered and the problem doesn't happen.
"""
i.e., it's
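The two server-side workarounds mentioned in this thread (SSLVerifyClient at vhost level with no per-location exception, or TLSv1.3 left out of SSLProtocol) can be checked for mechanically. The following is an added example, not code from the bug report or from Apache's mod_ssl: it models SSLProtocol evaluation and per-location SSLVerifyClient placement in a simplified way (one vhost per call, no Include handling, "all" taken to include TLSv1.3 as on an OpenSSL 1.1.1 build) and runs that over three constructed vhost snippets, the reporter-style one with SSLVerifyClient optional inside a <Location>, and the two reworked forms. The certificate paths in the snippets are constructed.

```python
"""Spot the Apache config shape that forces TLS 1.3 post-handshake
authentication: SSLVerifyClient inside a per-location section while
TLSv1.3 is enabled.

Added example, not code from the bug report or from Apache. The vhost
snippets and their paths are constructed; section and directive handling
is a simplified model of mod_ssl (one vhost per call, no Include)."""
import re

# What "all" expands to in this model (an OpenSSL 1.1.1 build of mod_ssl).
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# Default from /etc/apache2/mods-enabled/ssl.conf, as quoted in the thread.
DEFAULT_SSLPROTOCOL = "all -SSLv3"

# Sections whose SSLVerifyClient makes mod_ssl re-request the client cert
# after the handshake (renegotiation on TLS 1.2, PHA on TLS 1.3).
_SECTION = r"(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)"
SECTION_OPEN = re.compile(r"^\s*<" + _SECTION + r"\b", re.I)
SECTION_CLOSE = re.compile(r"^\s*</" + _SECTION + r"\s*>", re.I)
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLVerifyClient)\s+(.+?)\s*$", re.I)


def enabled_protocols(spec: str) -> set:
    """Evaluate an SSLProtocol value left to right: 'all' expands, '+' or a
    bare name adds, '-' removes. Returns the set of enabled protocol names."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            members = set(ALL_PROTOCOLS)
        else:
            members = {_CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def find_pha_triggers(conf: str) -> list:
    """Return (line_no, directive) for every SSLVerifyClient other than 'none'
    placed inside a per-location section while TLSv1.3 is enabled."""
    protocol = DEFAULT_SSLPROTOCOL
    depth = 0
    nested = []
    for no, line in enumerate(conf.splitlines(), 1):
        if SECTION_OPEN.match(line):
            depth += 1
            continue
        if SECTION_CLOSE.match(line):
            depth -= 1
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "sslprotocol" and depth == 0:
            protocol = value
        elif name == "sslverifyclient" and depth > 0 and value.lower() != "none":
            nested.append((no, line.strip()))
    return nested if "TLSv1.3" in enabled_protocols(protocol) else []


def vhost(*inner: str) -> str:
    """Build a constructed *:443 vhost around the given directive lines."""
    lines = ["<VirtualHost *:443>",
             "    SSLEngine on",
             "    SSLCertificateFile /etc/ssl/certs/example.crt",
             "    SSLCertificateKeyFile /etc/ssl/private/example.key",
             "    SSLCACertificateFile /etc/ssl/certs/client-ca.crt"]
    lines += ["    " + directive for directive in inner]
    lines.append("</VirtualHost>")
    return "\n".join(lines) + "\n"


LOCATION_BLOCK = ["<Location /kojihub/ssllogin>", "    SSLVerifyClient optional",
                  "    SSLVerifyDepth 2", "</Location>"]

# Reporter's shape: per-location verify, SSLProtocol left at the ssl.conf default.
RISKY_CONF = vhost(*LOCATION_BLOCK)
# Workaround 1 from the thread: verify at vhost level, no per-location exception.
VHOST_LEVEL_CONF = vhost("SSLVerifyClient optional", "SSLVerifyDepth 2")
# Workaround 2 from the thread: keep the <Location>, leave TLSv1.3 out.
NO_TLS13_CONF = vhost("SSLProtocol -all +TLSv1.2", *LOCATION_BLOCK)

if __name__ == "__main__":
    for label, conf in [("risky", RISKY_CONF), ("vhost-level", VHOST_LEVEL_CONF),
                        ("no-tls13", NO_TLS13_CONF)]:
        print(label, find_pha_triggers(conf))
```

Only the first snippet is flagged. The second keeps TLS 1.3 and client certificates but asks for the certificate in the initial handshake, so no PHA is needed; the third keeps the per-location layout but confines it to TLS 1.2, where renegotiation still works.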
apport information
** Tags added: apport-collected bionic
** Description changed:
Ubuntu 18.04.4 LTS, after update from apache 2.4.29-1ubuntu4.11 to
apache 2.4.29-1ubuntu4.12 authentication with client certificate stopped
working. No certificate is requested from client browser and apache
I can confirm this as well. I have a CI job that uses python-requests to
contact Apache with SSL x509 client authentication. This job passed with
apache 2.4.29-1ubuntu4.11 and it fails with apache 2.4.29-1ubuntu4.12.
Passing: https://travis-ci.org/ktdreyer/koji-ansible/builds/655568368
Failing:
Hi Riho,
Thank you for taking the time to report this bug. I've mentioned this on bug
LP: #1845263 as a possible regression related to the
2.4.29-1ubuntu4.12 update that backported the TLSv1.3 support to bionic.
That update indicated some expectation that certain environments might be
This is likely a dupe of bug 1834671...