** Tags added: bionic-openssl-1.1
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1833039
Title:
18.04/Apache2: rejecting client initiated renegotiation due to openssl
1.1.1
To manage
This change seems to cause a regression I have reported here:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1836329
This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.7
---
apache2 (2.4.29-1ubuntu4.7) bionic; urgency=medium
* d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
authentication when built with openssl 1.1.1 (LP: #1833039)
-- Andreas Hasenack Fri, 28 Jun
This bug was fixed in the package apache2 - 2.4.34-1ubuntu2.2
---
apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium
* d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
authentication when built with openssl 1.1.1 (LP: #1833039)
-- Andreas Hasenack Fri, 28 Jun
Cosmic verification
Confirming the bug with the distro packages:
*** 2.4.34-1ubuntu2.1 500
500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64
Packages
index is downloaded, but after a long delay:
# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem
bionic verification
Confirming the bug with the distro packages:
# apt-cache policy apache2
apache2:
Installed: 2.4.29-1ubuntu4.6
Candidate: 2.4.29-1ubuntu4.6
Version table:
*** 2.4.29-1ubuntu4.6 500
500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64
Packages
index
** No longer affects: openssl (Ubuntu)
apache2.2.4.29-1ubuntu4.7 also fixed the issue for us. Thanks!
I can confirm that the bug was fixed by installing the updated
2.4.29-1ubuntu4.7 package from bionic-proposed. Thank you all for your
help.
The apache2 DEP8 tests are now clear across the board for bionic and
cosmic:
https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apache2
https://people.canonical.com/~ubuntu-archive/proposed-migration/cosmic/update_excuses.html#apache2
There are dozens of cosmic tests still running
I'm checking.
Hello Benjamin, or anyone else affected,
Accepted apache2 into cosmic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apache2/2.4.34-1ubuntu2.2 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
Packages uploaded to their respective -proposed queues, it's up to the
SRU team now.
I followed the test steps in the description and I can confirm the fix
works as expected. Thanks Andreas for making a complicated setup so easy
to test!
** Changed in: apache2 (Ubuntu Cosmic)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: apache2 (Ubuntu Bionic)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: apache2 (Ubuntu Bionic)
Importance: Undecided => High
** Changed in: apache2
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369541
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/369542
** Description changed:
[Impact]
Under the following conditions, https connections using client cert
authentication will suffer a long delay (about 15s if modreqtimeout is enabled,
more if it is disabled):
* TLSv1.2
* client certificate authentication in use
* a Location, Directory,
** Description changed:
[Impact]
- Under the following conditions, https connections using client cert
authentication will suffer a long delay (15s or more if modreqtimeout is
disabled):
+ Under the following conditions, https connections using client cert
authentication will suffer a long
client certificate
** Attachment added: "client-auth.pem"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem
fake CA
** Description changed:
[Impact]
+ Under the following conditions, https connections using client cert
authentication will suffer a long delay (15s or more if modreqtimeout is
disabled):
+ * TLSv1.2
+ * client certificate authentication in use
+ * a Location, Directory, or other such
server certificate
** Attachment added: "ubuntu.pem"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem
client key
** Attachment added: "client-auth.key"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key
** Description changed:
[Impact]
Under the following conditions, https connections using client cert
authentication will suffer a
server key
** Attachment added: "ubuntu.key"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+
+ [Test
@Andreas Hasenack:
Many thanks - the patches from your PPA worked.
@ahasenack:
Yes, that ppa (in #19) also solved the problem mentioned in my linked
bugreport
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833896
A big "thank you" to you and all others who helped to solve this
problem!!
The PPA has cosmic and bionic packages. I tested with the prefork,
worker and event MPMs, and also ran the apache DEP8 tests. All passed.
I'll prepare MPs, update this bug with the SRU template and testing
instructions, and get ready to release this early next week.
** Also affects: apache2 (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: openssl (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: apache2 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: openssl (Ubuntu Bionic)
I think this patch worked:
https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844
Could you please try the build from my ppa:
https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-1833039
https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5
"Moving "SSLVerifyClient require" outside of the block instantly
returns the document. So it does appear to be ONLY the renegotiation case.
"
That works here too, in my simple test case. I had this location directive:
I can try some or all of the patches mentioned in
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689/comments/2
That bug might be a duplicate, btw. (or this one)
This is confusing, I'm seeing the timeout with a TLSv1.2 connection, and
the commit pointed out in comment #9 mentions TLSv1.3.
Same thing. Another, or an additional, fix is needed.
I can reproduce this with stock bionic (plus updates applied).
==> /var/log/apache2/error.log <==
[Thu Jun 27 19:37:43.049064 2019] [ssl:error] [pid 3084:tid 140343919978240] [client 10.0.100.1:45036] AH02261: Re-negotiation handshake failed
It's a bit complicated to set up, as usual with SSL
I've tried it and it's not working for me. Do you need some log or
something I can try?
Thanks for the reports and comments. I set up a PPA with the patch pointed
out by xnox in comment #7 on bionic's apache2 source package:
https://launchpad.net/~legovini/+archive/ubuntu/apache2-lp1833039
It would be great to have some feedback on the effectiveness of the
patch. Thank you!
apt-get update && apt-get install -y --no-install-recommends --allow-downgrades \
libssl1.1=1.1.0g-2ubuntu4.3 openssl=1.1.0g-2ubuntu4.3 \
Temporary fix this issue particularly painful in production
@xnox: I think you are right with mod_ssl; I run apache2 2.4.39 (built from
sources, the above mentioned mod_ssl-patch is probably included here?) on
ubuntu 18.04 and was not aware I had to rebuild it after the ubuntu-update to
OpenSSL 1.1.1; after the rebuild everything seems to be fine!
** Tags added: regression-update rls-bb-incoming
I think for this ticket we want:
commit b5872f95b64177212b2e129dcae15d91c46abbc8
Author: Yann Ylavic
Date: Fri Jun 15 11:12:19 2018 +
mod_ssl: disable check for client initiated renegotiations with TLS 1.3.
This is already forbidden by the protocol, enforced by OpenSSL, and
@benjamin
I believe disabling TLSv1.3 via openssl.cnf tweak would work too,
without downgrading openssl.
Ie. Using something like this https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch
(Probably without the CipherString line, which will raise security
requirements higher than the
@ssp297
I believe this is different. renegotiation & client certs do not depend
on each other, and can be used together or separately.
see also
https://bugs.launchpad.net/apache2/+bug/1833896
duplicate?
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apache2 (Ubuntu)
Status: New => Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openssl (Ubuntu)
Status: New => Confirmed