Public bug reported:

The recent backport of TLSv1.3 code to Ubuntu 18.04's version of apache2 breaks wsgi scripts that use client certificate authentication because the REMOTE_USER environmental variable is not being set for a TLSv1.3 connection. I tracked down the cause and it is because this upstream patch has not been included: https://svn.apache.org/viewvc?view=revision&revision=1841218

Running Ubuntu 18.04.4 LTS

The bug was introduced in apache2-2.4.29-1ubuntu4.12

The affected source file is: httpd-2.4.29/modules/ssl/ssl_engine_kernel.c

What you expected to happen:
When a wsgi script is called, using client certificate authentication, and a TLSv1.3 connection is negotiated, the environmental variable REMOTE_USER should be set to the client certificate's CN. (SSLUserName SSL_CLIENT_S_DN_CN is set in the apache config file)

What happened instead:
The REMOTE_USER environmental variable doesn't exist unless I restrict the connection to TLSv1.2.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apache2 2.4.29-1ubuntu4.12
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Uname: Linux 4.15.0-88-generic x86_64
Apache2ConfdDirListing: False
Apache2Modules:
 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
 httpd (pid 19397) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
Date: Thu Mar 12 23:09:34 2020
InstallationDate: Installed on 2020-03-04 (8 days ago)
InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
 [Thu Mar 12 06:25:02.361354 2020] [ssl:warn] [pid 19397] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
 [Thu Mar 12 06:25:02.361788 2020] [mpm_prefork:notice] [pid 19397] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.7.1 Python/3.6 configured -- resuming normal operations
 [Thu Mar 12 06:25:02.361812 2020] [core:notice] [pid 19397] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.sites-available.default-ssl.conf:
2020-03-12T23:11:20.058759

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic uec-images

-- 
https://bugs.launchpad.net/bugs/1867223

Title:
  REMOTE_USER environmental variable not set for TLSv1.3 connections
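
An added example, not part of the original report or of the apache2 package: a WSGI application that denies the request and logs the negotiated protocol whenever `REMOTE_USER` is absent, so the symptom described in this report surfaces as an explicit denial in the error log instead of an application running without an identity. It assumes `SSLOptions +StdEnvVars` is enabled so that mod_ssl's `SSL_*` variables reach the WSGI environ; the function names are hypothetical.

```python
import sys

# Added example. Assumes "SSLOptions +StdEnvVars" so mod_ssl's SSL_* variables
# are visible in the WSGI environ alongside REMOTE_USER (set via SSLUserName).


def diagnose(environ):
    """Classify the client-certificate identity state of one request."""
    user = environ.get("REMOTE_USER")
    proto = environ.get("SSL_PROTOCOL", "unknown")
    verified = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    cn = environ.get("SSL_CLIENT_S_DN_CN")
    if user:
        return "ok", f"user={user!r} proto={proto}"
    if verified and cn:
        # Certificate verified but no REMOTE_USER: consistent with the symptom
        # in the report. Deny instead of trusting the CN variable directly.
        return "user-missing", f"REMOTE_USER unset, CN={cn!r} verified, proto={proto}"
    return "no-cert", f"no verified client certificate, proto={proto}"


def application(environ, start_response):
    """WSGI entry point: fail closed unless the server supplied REMOTE_USER."""
    state, detail = diagnose(environ)
    # Under mod_wsgi, wsgi.errors is written to the Apache error log.
    log = environ.get("wsgi.errors", sys.stderr)
    print(f"client-cert check: {state}: {detail}", file=log)
    if state == "ok":
        status, body = "200 OK", b"authenticated\n"
    else:
        # Keep certificate details in the log, not in the response body.
        status, body = "403 Forbidden", b"client certificate identity unavailable\n"
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]
```

Grouping the `user-missing` log lines by `proto` shows whether the denials line up with TLSv1.3 connections.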