Your message dated Thu, 09 Jul 2020 18:32:24 +0000
with message-id <e1jtblm-000bgr...@fasolo.debian.org>
and subject line Bug#950300: fixed in mod-gnutls 0.8.2-3+deb9u2
has caused the Debian Bug report #950300,
regarding mod-gnutls: apache CVE-2019-10092 fix causes FTBFS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
950300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950300
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mod-gnutls
Version: 0.8.2-3
Severity: serious
Tags: ftbfs

mod-gnutls appears to rely on the exact wording of apache
error messages, and these changed with CVE-2019-10092.

https://buildd.debian.org/status/package.php?p=mod-gnutls&suite=stretch
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mod-gnutls.html

...
FAIL: test-18_client_verification_wrong_cert
============================================

TESTING: 18_client_verification_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:11.674982 2020] [gnutls:debug] [pid 45519:tid 
139910356628608] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 1.910177 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 403 Forbidden
Date: Mon, 27 Jan 2020 19:56:11 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 199
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
45530 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/18_client_verification_wrong_cert/output 
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:11.809997988 -1200
@@ -1,7 +1,7 @@
+<html><head>
+<title>403 Forbidden</title>
 </head><body>
 <h1>Forbidden</h1>
-<p>You don't have permission to access /test.txt
-on this server.<br />
-</p>
+<p>You don't have permission to access this resource.</p>
 </body></html>
 - Peer has closed the GnuTLS connection
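Review bot: the expected text removed at "-<p>You don't have permission to access /test.txt" pins the wording of Apache's 403 page, request path included, so the test fails whenever httpd rewords that page even though the response is still "403 Forbidden" and the wrong client certificate was still refused. Compare the status line, or filter the error body out of both sides before the diff, so the test follows the access decision rather than the page text.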
FAILURE: 18_client_verification_wrong_cert
[Mon Jan 27 07:56:11.869868 2020] [gnutls:debug] [pid 45630:tid 
139891390706816] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:11.697229 2020] [mpm_worker:debug] [pid 45520:tid 
139910356628608] worker.c(1758): AH00294: Accept mutex: sysvsem (default: 
sysvsem)
[Mon Jan 27 07:56:11.697257 2020] [watchdog:debug] [pid 45523:tid 
139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.697509 2020] [watchdog:debug] [pid 45525:tid 
139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.710332 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1072): [client 127.0.0.1:43624] early_sni_hook: 
Selected virtual host localhost from early SNI, connection server is localhost.
[Mon Jan 27 07:56:11.785399 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_io.c(535): [client 127.0.0.1:43624] mgs_filter_input: 
TLS connection opened.
[Mon Jan 27 07:56:11.785673 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1652): [client 127.0.0.1:43624] GnuTLS: A Chain 
of 1 certificate(s) was provided for validation
[Mon Jan 27 07:56:11.785899 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_hooks.c(1694): [client 127.0.0.1:43624] GnuTLS: 
Verifying list of 1 certificate(s) via method 'cartel'
[Mon Jan 27 07:56:11.785946 2020] [gnutls:info] [pid 45523:tid 139910314034944] 
[client 127.0.0.1:43624] GnuTLS: Could not find Signer for Peer Certificate
[Mon Jan 27 07:56:11.785955 2020] [gnutls:info] [pid 45523:tid 139910314034944] 
[client 127.0.0.1:43624] GnuTLS: Peer Certificate is invalid.
[Mon Jan 27 07:56:11.786301 2020] [gnutls:debug] [pid 45523:tid 
139910314034944] gnutls_io.c(501): [client 127.0.0.1:43624] mgs_bye: TLS 
connection closed.
FAIL test-18_client_verification_wrong_cert.bash (exit status: 1)

FAIL: test-21_TLS_reverse_proxy_wrong_cert
==========================================

TESTING: 21_TLS_reverse_proxy_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:46.488371 2020] [gnutls:debug] [pid 49170:tid 
139781586056320] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 34.445301 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:46.547662 2020] [gnutls:debug] [pid 49173:tid 
140479489176704] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000008 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:46 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49287 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/21_TLS_reverse_proxy_wrong_cert/output   
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:46.688791422 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
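Review bot: the expected line removed here, the one that echoes "GET&nbsp;/proxy/test.txt" inside an <em><a> link, makes the stored output depend on httpd writing the request URI into the 502 body, and the "Content-Length: 407" expectation in the previous hunk depends on that same body. Both break together once the body shrinks to 341 bytes. Keep "HTTP/1.1 502 Proxy Error" and the Connection and Content-Type headers in the expected file and drop Content-Length and the body from the comparison.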
FAILURE: 21_TLS_reverse_proxy_wrong_cert
[Mon Jan 27 07:56:46.753779 2020] [gnutls:debug] [pid 49361:tid 
139691557057664] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:46.822503 2020] [gnutls:debug] [pid 49369:tid 
140406477767808] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:46.645053 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(2578): [client 127.0.0.1:43688] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:46.645210 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:46.645288 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:46.665621 2020] [:warn] [pid 49261:tid 140479387662080] 
[remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. 
The name in the certificate does not match the expected. 
[Mon Jan 27 07:56:46.665655 2020] [gnutls:info] [pid 49261:tid 140479387662080] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the 
certificate.'
[Mon Jan 27 07:56:46.665812 2020] [proxy_http:error] [pid 49261:tid 
140479387662080] (103)Software caused connection abort: [client 
127.0.0.1:43688] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:46.665841 2020] [proxy_http:debug] [pid 49261:tid 
140479387662080] mod_proxy_http.c(1351): [client 127.0.0.1:43688] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:46.665852 2020] [proxy:error] [pid 49261:tid 140479387662080] 
[client 127.0.0.1:43688] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:46.665859 2020] [proxy:debug] [pid 49261:tid 140479387662080] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:46.666119 2020] [gnutls:debug] [pid 49261:tid 
140479387662080] gnutls_io.c(501): [client 127.0.0.1:43688] mgs_bye: TLS 
connection closed.
FAIL test-21_TLS_reverse_proxy_wrong_cert.bash (exit status: 1)

FAIL: test-22_TLS_reverse_proxy_crl_revoke
==========================================

TESTING: 22_TLS_reverse_proxy_crl_revoke
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:48.231239 2020] [gnutls:debug] [pid 49371:tid 
140485312394368] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 34.604586 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:48.297053 2020] [gnutls:debug] [pid 49398:tid 
140570227635328] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:48 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49469 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/22_TLS_reverse_proxy_crl_revoke/output   
2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:48.456730263 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
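Review bot: the changed lines in this hunk are identical to those in the 21_TLS_reverse_proxy_wrong_cert diff, and the same lines appear again for 23_TLS_reverse_proxy_mismatched_priorities, so three expected-output files each carry their own copy of the same 502 page. Put the normalisation in one filter shared by the proxy tests, so that a later change in httpd's wording needs one fix instead of one per test.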
FAILURE: 22_TLS_reverse_proxy_crl_revoke
[Mon Jan 27 07:56:48.515754 2020] [gnutls:debug] [pid 49563:tid 
140030353167488] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:48.584173 2020] [gnutls:debug] [pid 49571:tid 
140202088002688] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:48.412814 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(2578): [client 127.0.0.1:43692] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:48.412931 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:48.413000 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:48.435327 2020] [:warn] [pid 49466:tid 140570102060800] 
[remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. 
The certificate chain is revoked. 
[Mon Jan 27 07:56:48.435348 2020] [gnutls:info] [pid 49466:tid 140570102060800] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the 
certificate.'
[Mon Jan 27 07:56:48.435462 2020] [proxy_http:error] [pid 49466:tid 
140570102060800] (103)Software caused connection abort: [client 
127.0.0.1:43692] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:48.435503 2020] [proxy_http:debug] [pid 49466:tid 
140570102060800] mod_proxy_http.c(1351): [client 127.0.0.1:43692] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:48.435513 2020] [proxy:error] [pid 49466:tid 140570102060800] 
[client 127.0.0.1:43692] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:48.435519 2020] [proxy:debug] [pid 49466:tid 140570102060800] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:48.435726 2020] [gnutls:debug] [pid 49466:tid 
140570102060800] gnutls_io.c(501): [client 127.0.0.1:43692] mgs_bye: TLS 
connection closed.
FAIL test-22_TLS_reverse_proxy_crl_revoke.bash (exit status: 1)

FAIL: test-23_TLS_reverse_proxy_mismatched_priorities
=====================================================

TESTING: 23_TLS_reverse_proxy_mismatched_priorities
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:44.735239 2020] [gnutls:debug] [pid 48957:tid 
140513797600384] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)'
 created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 29.468541 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:44.806930 2020] [gnutls:debug] [pid 48960:tid 
140579053433984] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, 
RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 
UTC', expires `2021-01-26 19:56:05 UTC', 
pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
        Public Key ID:
                sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
                
sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
        Public Key PIN:
                pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:44 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49064 ?        00:00:00 sleep
--- 
/build/mod-gnutls-0.9.0/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output
        2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63  2020-01-27 07:56:44.936852027 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a 
href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading 
from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 23_TLS_reverse_proxy_mismatched_priorities
[Mon Jan 27 07:56:44.997278 2020] [gnutls:debug] [pid 49148:tid 
140644500755584] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' 
created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message
[Mon Jan 27 07:56:45.068445 2020] [gnutls:debug] [pid 49156:tid 
140440329122944] gnutls_cache.c(354): mgs_cache_inst_config: Socache 
'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)'
 created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified 
domain name, using 127.0.0.1. Set the 'ServerName' directive globally to 
suppress this message

Apache error logs:
[Mon Jan 27 07:56:44.909088 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(2578): [client 127.0.0.1:43684] AH00947: connected /test.txt to 
localhost:9934
[Mon Jan 27 07:56:44.909229 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:44.909304 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 
(localhost)
[Mon Jan 27 07:56:44.911004 2020] [gnutls:info] [pid 49049:tid 140579019003648] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Alert (40) 'Handshake failed'.
[Mon Jan 27 07:56:44.911023 2020] [gnutls:info] [pid 49049:tid 140579019003648] 
[remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has 
been received.'
[Mon Jan 27 07:56:44.911150 2020] [proxy_http:error] [pid 49049:tid 
140579019003648] (103)Software caused connection abort: [client 
127.0.0.1:43684] AH01102: error reading status line from remote server 
localhost:9934
[Mon Jan 27 07:56:44.911188 2020] [proxy_http:debug] [pid 49049:tid 
140579019003648] mod_proxy_http.c(1351): [client 127.0.0.1:43684] AH01105: NOT 
Closing connection to client although reading from backend server 
localhost:9934 failed.
[Mon Jan 27 07:56:44.911199 2020] [proxy:error] [pid 49049:tid 140579019003648] 
[client 127.0.0.1:43684] AH00898: Error reading from remote server returned by 
/proxy/test.txt
[Mon Jan 27 07:56:44.911207 2020] [proxy:debug] [pid 49049:tid 140579019003648] 
proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:44.911520 2020] [gnutls:debug] [pid 49049:tid 
140579019003648] gnutls_io.c(501): [client 127.0.0.1:43684] mgs_bye: TLS 
connection closed.
FAIL test-23_TLS_reverse_proxy_mismatched_priorities.bash (exit status: 1)

============================================================================
Testsuite summary for mod_gnutls 0.9.0
============================================================================
# TOTAL: 35
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  4
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
============================================================================
make[6]: *** [Makefile:1093: test-suite.log] Error 1

--- End Message ---
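The report above traces the four failures to tests that compare Apache's whole error response with a stored copy. The shell functions below are an added illustration, not code from mod-gnutls or from the Debian upload: they reduce a response to its status line and stable headers before comparing. The names normalize_response and responses_match and the sample responses are constructed for this example, with the 502 samples modelled on the output quoted in the report.

```shell
#!/bin/sh
# Added example: compare HTTP test responses on what the test is meant to
# prove (status line, stable headers), not on httpd error-page wording.
# Function names and sample data are constructed for this illustration.

# Reduce a captured response on stdin to its stable parts.
normalize_response() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        !seen_status {
            # Skip blank lines and client chatter before the status line.
            if ($0 !~ /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/) next
            seen_status = 1
            is_error = ($2 >= 400)
            print
            next
        }
        !in_body {
            if ($0 == "") { in_body = 1; if (!is_error) print ""; next }
            # Date, Server and Content-Length vary with build and body text.
            if (tolower($0) ~ /^(date|server|content-length):/) next
            print
            next
        }
        # Error bodies are httpd wording; success bodies are test content.
        !is_error { print }
    '
}

# True when two captured responses agree after normalisation.
responses_match() {
    [ "$(normalize_response < "$1")" = "$(normalize_response < "$2")" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: stored expectation with the older 502 wording.
cat > "$tmp/expected_old" <<'EOF'
HTTP/1.1 502 Proxy Error
Content-Length: 407
Connection: close
Content-Type: text/html; charset=iso-8859-1

<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
Reason: <strong>Error reading from remote server</strong></p></p>
EOF

# Constructed sample: same rejection, newer wording, extra leading blank line.
cat > "$tmp/actual_new" <<'EOF'

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:46 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<h1>Proxy Error</h1>
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
EOF

# Constructed sample: the regression the test exists to catch, where the
# proxy accepted the bad backend certificate and served the file.
cat > "$tmp/actual_accepted" <<'EOF'
HTTP/1.1 200 OK
Content-Length: 5
Connection: close
Content-Type: text/plain

test
EOF

for actual in actual_new actual_accepted; do
    if responses_match "$tmp/expected_old" "$tmp/$actual"; then
        echo "$actual: matches expected"
    else
        echo "$actual: differs from expected"
    fi
done
```

The reworded 502 page still matches the stored expectation, while a 200 response, which would mean the certificate check was bypassed, still fails the comparison.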
--- Begin Message ---
Source: mod-gnutls
Source-Version: 0.8.2-3+deb9u2
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mod-gnutls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated mod-gnutls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Jul 2020 00:29:59 +0300
Source: mod-gnutls
Binary: libapache2-mod-gnutls
Architecture: source
Version: 0.8.2-3+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Changed-By: Adrian Bunk <b...@debian.org>
Description:
 libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
Closes: 950300
Changes:
 mod-gnutls (0.8.2-3+deb9u2) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Backported patches to fix test failures with the
     apache CVE-2019-10092 fix. (Closes: #950300)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
