Hi,

I'm afraid the fix released in 2.4.29-1ubuntu4.13 has introduced a
regression.

We have just updated our servers to 2.4.29-1ubuntu4.13 and a configuration
that was working previously suddenly broke.

We are using 
   SSLVerifyClient optional
inside a Location element.

Our configuration has:

    SSLCACertificateFile "/etc/ssl/certs/api-ca.crt"
    <Location /api>
        SSLVerifyClient optional
        RequestHeader set X509_DN "%{SSL_CLIENT_S_DN}s"
    </Location>

However, this breaks with:

    [Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
    [Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
    [Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

Removing the SSLVerifyClient optional or disabling TLSv1.3 fixes it ...
but both would be deviating from our desired target configuration.

Hope this can be fixed.

Please let me know if you need any further info - or if this should be a 
standalone bug report.
(So far, as this is a regression caused by the fix discussed here, I thought
it best to post here.)

Cheers,
Vlad

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865900

Title:
  apache 2.4.29-1ubuntu4.12 authentication with client certificate
  broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1865900/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
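
An added example, not part of the original report or of Apache: a Python triage script that finds AH10158 entries in an Apache error log and attaches the OpenSSL reason the same worker thread logs next, matching on pid/tid because that line carries no client field. The sample log is the three entries from the report, unwrapped, plus one constructed unrelated line; the function names are hypothetical.

```python
import re

# Sample input: the three entries from the report (unwrapped) and a fourth,
# constructed line from another thread that must not be attributed to the client.
SAMPLE_LOG = """\
[Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
[Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
[Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Wed Mar 25 16:08:03.000001 2020] [ssl:error] [pid 1801:tid 140236923303999] SSL Library Error: error:00000000:constructed:unrelated:other reason
"""

# Error-log entry: timestamp, module:level, pid/tid, optional client, message.
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

def split_client(client):
    """Split 'addr:port' on the last colon so IPv6 addresses stay whole."""
    addr, _, port = client.rpartition(":")
    return addr, int(port)

def pha_failures(log_text):
    """Return one record per AH10158 entry, with the OpenSSL reason logged
    next by the same pid/tid (None if no such line follows)."""
    pending = {}  # (pid, tid) -> record still waiting for its library error
    found = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"])
        msg = m["msg"]
        if msg.startswith("AH10158:") and m["client"]:
            addr, port = split_client(m["client"])
            rec = {"time": m["ts"], "addr": addr, "port": port, "reason": None}
            found.append(rec)
            pending[key] = rec
        elif msg.startswith("SSL Library Error:") and key in pending:
            # The reason is the last colon-separated field of the OpenSSL error.
            pending.pop(key)["reason"] = msg.rsplit(":", 1)[1].strip()
    return found

if __name__ == "__main__":
    for rec in pha_failures(SAMPLE_LOG):
        print(rec)
```

Grouping the returned records by `addr` and `reason` shows which clients fail post-handshake authentication on the `/api` location and why.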