[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-05 Thread Andreas Hasenack
Cosmic verification Confirming the bug with the distro packages: *** 2.4.34-1ubuntu2.1 500 500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages index is downloaded, but after a long delay: # curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-05 Thread Andreas Hasenack
bionic verification Confirming the bug with the distro packages: # apt-cache policy apache2 apache2: Installed: 2.4.29-1ubuntu4.6 Candidate: 2.4.29-1ubuntu4.6 Version table: *** 2.4.29-1ubuntu4.6 500 500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages index

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
The apache2 DEP8 tests are now clear across the board for bionic and cosmic: https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apache2 https://people.canonical.com/~ubuntu-archive/proposed-migration/cosmic/update_excuses.html#apache2

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
There are dozens of cosmic tests still running -- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to apache2 in Ubuntu. https://bugs.launchpad.net/bugs/1833039 Title: 18.04/Apache2: rejecting client initiated renegotiation due to openssl

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
I'm checking.

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-02 Thread Andreas Hasenack
Packages uploaded to their respective -proposed queues, it's up to the SRU team now.

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Changed in: apache2 (Ubuntu Cosmic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: apache2 (Ubuntu Bionic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: apache2 (Ubuntu Bionic) Importance: Undecided => High ** Changed in: apache2

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a long delay (about 15s if modreqtimeout is enabled, more if it is disabled): * TLSv1.2 * client certificate authentication in use * a Location, Directory,

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: [Impact] - Under the following conditions, https connections using client cert authentication will suffer a long delay (15s or more if modreqtimeout is disabled): + Under the following conditions, https connections using client cert authentication will suffer a long

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client certificate ** Attachment added: "client-auth.pem" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274495/+files/client-auth.pem

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
client key ** Attachment added: "client-auth.key" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274496/+files/client-auth.key ** Description changed: [Impact] Under the following conditions, https connections using client cert authentication will suffer a

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
fake CA ** Description changed: [Impact] + Under the following conditions, https connections using client cert authentication will suffer a long delay (15s or more if modreqtimeout is disabled): + * TLSv1.2 + * client certificate authentication in use + * a Location, Directory, or other such

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server key ** Attachment added: "ubuntu.key" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274494/+files/ubuntu.key

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
server certificate ** Attachment added: "ubuntu.pem" https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039/+attachment/5274493/+files/ubuntu.pem

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-07-01 Thread Andreas Hasenack
** Description changed: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
The PPA has cosmic and bionic packages. I tested with the prefork, worker and event MPMs, and also ran the apache DEP8 tests. All passed. I'll prepare MPs, update this bug with the SRU template and testing instructions, and get ready to release this early next week.

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
** Also affects: apache2 (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: apache2 (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Bionic)

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
I think this patch worked: https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844 Could you please try the build from my ppa: https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-1833039

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-28 Thread Andreas Hasenack
https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5 "Moving "SSLVerifyClient require" outside of the block instantly returns the document. So it does appear to be ONLY the renegotiation case. " That works here too, in my simple test case. I had this location directive:

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can try some or all of the patches mentioned in https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1803689/comments/2 That bug might be a duplicate, btw. (or this one)

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
This is confusing, I'm seeing the timeout with a TLSv1.2 connection, and the commit pointed out in comment #9 mentions TLSv1.3.

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
Same thing. Another, or an additional, fix is needed.

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

2019-06-27 Thread Andreas Hasenack
I can reproduce this with stock bionic (plus updates applied). ==> /var/log/apache2/error.log <== [Thu Jun 27 19:37:43.049064 2019] [ssl:error] [pid 3084:tid 140343919978240] [client 10.0.100.1:45036] AH02261: Re-negotiation handshake failed It's a bit complicated to set up, as usual with SSL

[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation

2019-06-19 Thread Andreas Hasenack
Possibly related, yes, especially now that openssl 1.1.1 arrived. If you downgrade to 1.1.0g from bionic-security, does the problem still happen?