** Description changed:

  Apache is lacking proper support for post-handshake-auth in TLSv1.3 POST
  requests using certificate authentication.
  
- This was fixed in debian[1] via patches from upstream[2].
+ This was fixed in debian[1] via patches from upstream[2]. There is an
+ upstream bug report[3] requesting the backport of these patches from
+ trunk.
  
  Test case:
  $ lxc launch ubuntu-daily:focal ubuntu
  
  Enter the container as root:
  $ lxc exec ubuntu bash
  
  Verify hostname is "ubuntu":
  # hostname
  ubuntu
  
  Install apache2:
  apt update && apt install apache2
  
  Download the following files from this other bug report and place them in /etc/apache2:
  cd /etc/apache2
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274492/+files/cacert.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
  
  These certs are luckily still valid until June 2020, so they can be used
  for this bug as well.
  
  Adjust permissions of the key file:
  chmod 0640 /etc/apache2/ubuntu.key
  chgrp www-data /etc/apache2/ubuntu.key
  
  Download the client certificate and key files and place them in /root:
  cd /root
  wget https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
  
  Create this vhost file (caution, lines may wrap, in particular LogFormat: it should be one long line):
  cat > /etc/apache2/sites-available/cert-auth-test.conf <<EOF
  <IfModule mod_ssl.c>
      <VirtualHost _default_:443>
          LogLevel info ssl:warn
          ServerAdmin webmaster@localhost
          DocumentRoot /var/www/html
          LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" protocol=%{SSL_PROTOCOL}x commonName=%{SSL_CLIENT_S_DN_CN}x" combined-ssl
          ErrorLog \${APACHE_LOG_DIR}/error.log
          CustomLog \${APACHE_LOG_DIR}/access.log combined-ssl
          SSLEngine on
          SSLCertificateFile /etc/apache2/ubuntu.pem
          SSLCertificateKeyFile /etc/apache2/ubuntu.key
          SSLCACertificateFile /etc/apache2/cacert.pem
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
                  SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory /usr/lib/cgi-bin>
                  SSLOptions +StdEnvVars
          </Directory>
          <Location />
                  SSLRenegBufferSize 1024
                  SSLVerifyClient require
                  Require ssl-verify-client
          </Location>
      </VirtualHost>
  </IfModule>
  EOF
  
  Enable the ssl module and this new vhost we just created:
  a2enmod ssl && a2ensite cert-auth-test.conf
  
  Restart apache2:
  systemctl restart apache2
  
  Verify that cert authentication is required:
  root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
  
  Verify that a GET request with the client certificate works:
  root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 10918  100 10918    0     0   969k      0 --:--:-- --:--:-- --:--:--  969k
  
  Verify that a POST request with the client certificate fails:
  root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   142    0     0  100   142      0  12909 --:--:-- --:--:-- --:--:-- 14200
  curl: (22) The requested URL returned error: 403 Forbidden
  
  Server logs for the above:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 14:49:03.357183 2020] [ssl:error] [pid 12248:tid 139782462109440] [client 10.0.100.38:41002] AH02263: Re-negotiation handshake failed: Client certificate missing
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:49:03 +0000] "POST / HTTP/1.1" 403 3798 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
  With the fixed packages, the POST request works:
  root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -F bug=true -H "Expect:"
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 11060  100 10918  100   142   101k   1352 --:--:-- --:--:-- --:--:--  102k
  
  And the server log confirms it was a POST request, using certificates, and TLSv1.3:
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:14:52:26 +0000] "POST / HTTP/1.1" 200 17118 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
  
  To test the error message changed by tlsv13-add-logno.diff, submit a slightly bigger POST request:
  root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.3 -f -H "Expect:" -F file=@/bin/ls
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  139k    0     0  100  139k      0  27.1M --:--:-- --:--:-- --:--:-- 27.1M
  curl: (22) The requested URL returned error: 413 Request Entity Too Large
  
  And in the server log:
  ==> /var/log/apache2/error.log <==
  [Mon Apr 13 15:00:37.446562 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH02018: request body exceeds maximum size (1024) for SSL buffer
  [Mon Apr 13 15:00:37.446620 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH10228: could not buffer message body to allow TLS Post-Handshake Authentication to proceed
  
  ==> /var/log/apache2/access.log <==
  10.0.100.38 - - [13/Apr/2020:15:00:37 +0000] "POST / HTTP/1.1" 413 3721 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
  
- 
  1. https://bugs.debian.org/955348
+ 2. https://svn.apache.org/viewvc?view=revision&revision=1870095 and https://svn.apache.org/viewvc?view=revision&revision=1870097
+ 3. https://bz.apache.org/bugzilla/show_bug.cgi?id=64242
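A small log-correlation check for the failure mode shown in the test case above, added here as an example and not part of the bug report or of Apache itself: it parses access.log lines in the report's combined-ssl LogFormat together with mod_ssl error.log lines, and reports TLSv1.3 requests that were refused with no verified client certificate (commonName=-) alongside the PHA-related error codes (AH02263, AH02018, AH10228) logged for the same client in the same second. The sample log lines are constructed in the shape of those in the report, and the check assumes error.log timestamps are in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of the bug report's "combined-ssl"
# LogFormat and its mod_ssl error.log entries (not taken from a real server).
ACCESS_LOG = """\
10.0.100.38 - - [13/Apr/2020:14:49:03 +0000] "POST / HTTP/1.1" 403 3798 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
10.0.100.38 - - [13/Apr/2020:14:52:26 +0000] "POST / HTTP/1.1" 200 17118 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
10.0.100.38 - - [13/Apr/2020:15:00:37 +0000] "POST / HTTP/1.1" 413 3721 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=-
10.0.100.38 - - [13/Apr/2020:15:01:10 +0000] "GET / HTTP/1.1" 200 10918 "-" "curl/7.68.0" protocol=TLSv1.3 commonName=client-auth
"""
ERROR_LOG = """\
[Mon Apr 13 14:49:03.357183 2020] [ssl:error] [pid 12248:tid 139782462109440] [client 10.0.100.38:41002] AH02263: Re-negotiation handshake failed: Client certificate missing
[Mon Apr 13 15:00:37.446562 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH02018: request body exceeds maximum size (1024) for SSL buffer
[Mon Apr 13 15:00:37.446620 2020] [ssl:error] [pid 13415:tid 140391466624768] [client 10.0.100.38:41272] AH10228: could not buffer message body to allow TLS Post-Handshake Authentication to proceed
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" protocol=(?P<proto>\S+) commonName=(?P<cn>\S+)$')
ERROR_RE = re.compile(
    r'^\[(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] \[ssl:error\] '
    r'.*\[client (?P<ip>[^:\]]+):\d+\] (?P<code>AH\d{5}):')
# mod_ssl errors from the report: a per-<Location> client-cert requirement
# could not be enforced after the initial TLSv1.3 handshake.
PHA_CODES = {"AH02263", "AH02018", "AH10228"}

def _access_time(ts):  # "13/Apr/2020:14:49:03 +0000" -> naive UTC, second precision
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)

def _error_time(ts, year):  # "Mon Apr 13 14:49:03" + "2020"; assumes error.log is in UTC
    return datetime.strptime(f"{ts} {year}", "%a %b %d %H:%M:%S %Y")

def find_pha_failures(access_log, error_log):
    """Return (ip, method, status, [AH codes]) for TLSv1.3 requests refused with
    no verified client cert (commonName=-), joined with the mod_ssl PHA errors
    logged for the same client IP in the same second."""
    errors = {}
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m and m["code"] in PHA_CODES:
            errors.setdefault((m["ip"], _error_time(m["ts"], m["year"])), []).append(m["code"])
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["proto"] != "TLSv1.3" or m["cn"] != "-" or m["status"] not in ("403", "413"):
            continue
        codes = errors.get((m["ip"], _access_time(m["ts"])), [])
        hits.append((m["ip"], m["method"], int(m["status"]), sorted(codes)))
    return hits
```

A 403 paired with AH02263 is the unpatched behaviour from the report; a 413 paired with AH02018/AH10228 means the body exceeded SSLRenegBufferSize, so PHA could not be completed even with the fix.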

https://bugs.launchpad.net/bugs/1872478

Title:
  Support TLSv1.3 PHA in POST requests with cert authentication

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com