** No longer affects: apache2 (Ubuntu)

** No longer affects: apache2 (Ubuntu Bionic)

** No longer affects: apache2 (Ubuntu Disco)

** No longer affects: apache2 (Ubuntu Eoan)

** No longer affects: chromium (Ubuntu)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1834671

Title:
  TLSv1.3 client certificate authentication with renegotiation
  unsupported in browsers

Status in firefox package in Ubuntu:
  Fix Released
Status in firefox source package in Bionic:
  Fix Released
Status in firefox source package in Disco:
  Fix Released
Status in firefox source package in Eoan:
  Fix Released

Bug description:
  This is mostly a placeholder bug, as more information becomes
  available.

  What is known so far is that a certain configuration of client
  certificate authentication using TLSv1.3 is not working with most (all
  at this point?) browsers, resulting in the server returning this error
  message:

  Forbidden

  You don't have permission to access / on this server.
  Reason: Cannot perform Post-Handshake Authentication.
  Apache/2.4.38 (Ubuntu) Server at disco-apache-client-cert.lxd Port 443

  
  It also logs it to error.log:
  [Fri Jun 28 16:59:24.596425 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10129: verify client post handshake
  [Fri Jun 28 16:59:24.596493 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10158: cannot perform post-handshake authentication
  [Fri Jun 28 16:59:24.596513 2019] [ssl:error] [pid 1391:tid 139642783385344] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
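
  The error.log lines above are the server-side signature of the problem. The
  following script is an added example (not from the bug report, Apache, or
  Ubuntu) that parses Apache 2.4 error.log lines and counts AH10158
  "cannot perform post-handshake authentication" events per client, so an
  administrator can see how many distinct clients are hitting the failure
  before deciding whether to apply one of the workarounds. The sample input is
  constructed: the first three lines are the ones quoted above, the remaining
  two (a second client address and an unrelated core:notice line) are made up
  for the example.

```python
import re
from collections import Counter

# Constructed sample of an Apache 2.4 error.log. The first three lines are the
# ones quoted in the bug report; the last two are invented for this example.
SAMPLE_ERROR_LOG = """\
[Fri Jun 28 16:59:24.596425 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10129: verify client post handshake
[Fri Jun 28 16:59:24.596493 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.1:41452] AH10158: cannot perform post-handshake authentication
[Fri Jun 28 16:59:24.596513 2019] [ssl:error] [pid 1391:tid 139642783385344] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Fri Jun 28 17:02:01.000001 2019] [ssl:error] [pid 1391:tid 139642783385344] [client 10.0.100.7:50211] AH10158: cannot perform post-handshake authentication
[Fri Jun 28 17:05:10.123456 2019] [core:notice] [pid 1391] AH00094: Command line: '/usr/sbin/apache2'
"""

# Apache 2.4 default ErrorLogFormat:
#   [timestamp] [module:level] [pid N(:tid N)] ([client host:port]) message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# Messages from httpd modules start with an "AHnnnnn:" identifier.
CODE_RE = re.compile(r"^(AH\d{5}):")

# The OpenSSL reason string that accompanies AH10158 when the client did not
# send the post_handshake_auth extension in its ClientHello.
PHA_EXTENSION_MISSING = "SSL_verify_client_post_handshake:extension not received"


def parse_line(line):
    """Split one error.log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    code = CODE_RE.match(rec["msg"])
    rec["code"] = code.group(1) if code else None
    return rec


def find_pha_failures(text):
    """Return (Counter of client host -> AH10158 count, count of OpenSSL
    'extension not received' lines) for the given error.log text."""
    by_client = Counter()
    extension_missing = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == "AH10158" and rec["client"]:
            # Strip the ephemeral port so repeated connections from one
            # host are counted together (works for IPv4 and bracket-less IPv6).
            host = rec["client"].rsplit(":", 1)[0]
            by_client[host] += 1
        if PHA_EXTENSION_MISSING in rec["msg"]:
            extension_missing += 1
    return by_client, extension_missing


def summarize(text):
    """Build a small report dict an administrator can act on."""
    by_client, extension_missing = find_pha_failures(text)
    return {
        "pha_failures": sum(by_client.values()),
        "affected_clients": sorted(by_client),
        "extension_not_received": extension_missing,
    }


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERROR_LOG
    report = summarize(source)
    print(f"post-handshake auth failures: {report['pha_failures']}")
    print(f"affected clients: {', '.join(report['affected_clients'])}")
    print(f"'extension not received' lines: {report['extension_not_received']}")
```

  Run it with a path to the real error.log as the first argument; without an
  argument it runs over the constructed sample. If the AH10158 count is spread
  across many client hosts, the per-Location SSLVerifyClient layout is what is
  triggering post-handshake authentication, which is the case the workarounds
  in this bug address.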

  
  These are upstream bugs about it:
  Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1511989
  Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=911653
  Apache2 (invalid): https://bz.apache.org/bugzilla/show_bug.cgi?id=62975

  
  One server workaround is to disable TLSv1.3. Something like this:

  SSLProtocol all -SSLv3 -TLSv1.3

  ("-TLSv1.3" is what was added to that default config)

  Sample server config to show the problem (minus the SSL certificate parameters):

  <Location />
      SSLVerifyClient require
      Require ssl-verify-client
  </Location>

  Another workaround is to move the SSLVerifyClient config to the vhost
  level. If it is applied to the whole vhost, and there are no exceptions
  in specific blocks, then a re-negotiation isn't triggered and the
  problem doesn't happen.

