Hi, I'm afraid the fix released in 2.4.29-1ubuntu4.13 has introduced a regression.
We have just updated our servers to 2.4.29-1ubuntu4.13 and configuration that was working previously suddenly broke.

We are using SSLVerifyClient optional inside a Location element. Our configuration has:

    SSLCACertificateFile "/etc/ssl/certs/api-ca.crt"
    <Location /api>
        SSLVerifyClient optional
        RequestHeader set X509_DN "%{SSL_CLIENT_S_DN}s"
    </Location>

However, this breaks with:

    [Wed Mar 25 16:08:02.648354 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH: verify client post handshake
    [Wed Mar 25 16:08:02.648403 2020] [ssl:error] [pid 1801:tid 140236923303680] [client 2404:138:46::126:47888] AH10158: cannot perform post-handshake authentication
    [Wed Mar 25 16:08:02.648420 2020] [ssl:error] [pid 1801:tid 140236923303680] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

Removing the SSLVerifyClient optional or disabling TLSv1.3 fixes it ... but both would be deviating from our desired target configuration.

Hope this can be fixed. Please let me know if you need any further info - or if this should be a standalone bug report. (So far, as this is a regression caused by the fix discussed here, I thought best to post here.)

Cheers,
Vlad

--
https://bugs.launchpad.net/bugs/1865900
Title: apache 2.4.29-1ubuntu4.12 authentication with client certificate broken