Hi Marc, Thanks for the reply!
I have now done more extensive testing (incl. rebuilding apache2-2.4.29-1ubuntu4.12 from source). I now understand that for essentially all HTTPS clients, it is necessary to update SSL API calls to support TLSv1.3 post-handshake authentication. And I have also checked with a version of curl built right off the top of the github repo (7.70.0-DEV) - as an example of a client capable of post-handshake authentication. With this version of curl, both apache2-2.4.29-1ubuntu4.12 and apache2-2.4.29-1ubuntu4.13 work over TLSv1.3 for both authenticated and unauthenticated API. But older clients (not capable of post-handshake authentication), including curl included with Ubuntu 18.04 (7.58.0) do not work with the authenticated API with neither apache2-2.4.29-1ubuntu4.12 and apache2-2.4.29-1ubuntu4.13. The only edge-case is my use case of unauthenticated API - that used to work with the older clients (not capable of post-handshake authentication) on apache2-2.4.29-1ubuntu4.12, but breaks with apache2-2.4.29-1ubuntu4.13 (for the older clients only). I'll add these findings to my upstream report. I agree the main point is updating all clients to support TLSv1.3 properly, including post-handshake authentication - the question is whether to let older clients get by when authentication is not required. Let's see what I get upstream. Cheers, Vlad -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1865900 Title: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs