Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/09/06 11:59:40 UTC
[Bug 65554] New: http to https redirect doesn't work when only TLSv1.2 is specified
https://bz.apache.org/bugzilla/show_bug.cgi?id=65554
Bug ID: 65554
Summary: http to https redirect doesn't work when only TLSv1.2 is specified
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: tropikhajma@gmail.com
Target Milestone: ---
I use

ErrorDocument 400 "https://myserver:215"

to achieve redirection to a secure connection for anyone who would access my server with just 'http://myserver:215' (the port number is arbitrary and bears no meaning).
This works as long as there's

SSLProtocol TLSv1.1 +TLSv1.2

specified in the configuration. However, when I change that to just

SSLProtocol TLSv1.2

it stops working and the client gets "The connection was reset. The connection to the server was reset while the page was loading." in their browser (I use Firefox).
I guess this is because Apache calls different OpenSSL functions based on the config setting, at

httpd/modules/ssl/ssl_engine_init.c, line 643 in 2f0f0d4:
    TLSv1_2_server_method(); /* server */

or

httpd/modules/ssl/ssl_engine_init.c, line 649 in 2f0f0d4:
    TLSv1_3_server_method(); /* server */
The OpenSSL 1.0 manpage (https://docs.oracle.com/cd/E88353_01/html/E37845/ssl-ctx-new-3openssl.html) says the general purpose SSLv23_method(), SSLv23_server_method() and SSLv23_client_method() should be used by most applications, and that the version-specific methods (TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method(), ...) should be avoided.
This gets complicated with OpenSSL 1.1/3.0 (https://www.openssl.org/docs/manmaster/man3/TLSv1_2_client_method.html), where the functions are renamed to TLS_method(), ..., but there the problem doesn't exist. I've tried to rebuild Apache with OpenSSL 3.0 beta1 and the redirect works there just fine. It looks like this part has been unified for all protocols there.

Replacing the TLSv1_2 function calls with the generic ones in this pull request works for me, but I am not well versed enough in Apache or OpenSSL inner workings to guarantee there's no side effect.
This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0.2y
This has been discussed on the users mailing list at
https://mail-archives.apache.org/mod_mbox/httpd-users/202106.mbox/%3CCAMeYnzEhcvEYGy-QpAn52nmWpB3azcNd%2BuEgQrZeWfYLWrDQYg%40mail.gmail.com%3E
My simplified config is below:
ServerRoot "/usr/apache2/2.4"
Listen 215
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
LoadModule mpm_worker_module libexec/mod_mpm_worker.so
LoadModule mpm_event_module libexec/mod_mpm_event.so
LoadModule ssl_module libexec/mod_ssl.so
LoadModule authz_core_module libexec/mod_authz_core.so
LoadModule unixd_module libexec/mod_unixd.so
User webservd
Group webservd
ServerName 127.0.0.1
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/apache2/2.4/htdocs"
<Directory "/var/apache2/2.4/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "/var/apache2/2.4/logs/error_log"
LogLevel warn
<Directory "/var/apache2/2.4/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLEngine on
SSLProtocol TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/certs/localhost/host.crt
SSLCertificateKeyFile /etc/certs/localhost/host.key
SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
ErrorDocument 400 "https://myserver:215"
I've created a pull request at https://github.com/apache/httpd/pull/206
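One way to verify the behaviour described in this report against your own server after changing SSLProtocol, as an added example that is not part of the bug report or of httpd: a small Python probe that sends a plaintext HTTP request to the TLS port and classifies the answer. It relies on httpd answering a remote-URL ErrorDocument with a 302 plus a Location header (which is what the reporter's ErrorDocument 400 line produces when it works). The sample responses embedded in the block are constructed, not captured from the reporter's server, and the host/port arguments are whatever you point the probe at.

```python
"""Check what a TLS-only httpd port does with a plaintext HTTP request.

With a remote-URL ErrorDocument for 400, httpd turns mod_ssl's "speaking plain
HTTP to an SSL-enabled server port" error into a 302 with a Location header.
The report above is that, with SSLProtocol TLSv1.2 alone on OpenSSL 1.0.2, the
client sees a connection reset instead.  probe() talks to a live server;
classify_response() does the offline part on raw bytes.
"""
import socket
from dataclasses import dataclass

# Constructed sample responses (not captured from any real server).
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://myserver:215\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>Found</body></html>\r\n"
)
SAMPLE_PLAIN_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>You're speaking plain HTTP to an SSL-enabled server port.</body></html>\r\n"
)
# TLS 1.0 record header, content type 0x15 (alert), fatal (2) unexpected_message (10).
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x0a"


@dataclass
class ProbeResult:
    # redirect, http_400, other_http, tls_alert, empty, unknown, reset, refused, timeout
    outcome: str
    status_line: str = ""
    location: str = ""


def classify_response(raw: bytes) -> ProbeResult:
    """Classify the bytes a server sent back to a plaintext HTTP request."""
    if not raw:
        return ProbeResult("empty")
    # Some servers answer cleartext with a TLS alert record rather than HTTP.
    if len(raw) >= 3 and raw[0] == 0x15 and raw[1] == 0x03:
        return ProbeResult("tls_alert")
    if not raw.startswith(b"HTTP/"):
        return ProbeResult("unknown")
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    fields = status_line.split(" ", 2)
    code = fields[1] if len(fields) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code.startswith("3") and "location" in headers:
        return ProbeResult("redirect", status_line, headers["location"])
    if code == "400":
        return ProbeResult("http_400", status_line)
    return ProbeResult("other_http", status_line)


def redirect_works(result: ProbeResult) -> bool:
    """True when the plaintext request was bounced to an https:// URL."""
    return result.outcome == "redirect" and result.location.lower().startswith("https://")


def probe(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Send 'GET / HTTP/1.0' in the clear to host:port and classify the answer."""
    request = f"GET / HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            try:
                while chunk := sock.recv(4096):
                    chunks.append(chunk)
            except ConnectionResetError:
                if not chunks:  # what Firefox reports as "The connection was reset"
                    return ProbeResult("reset")
    except ConnectionRefusedError:
        return ProbeResult("refused")
    except ConnectionResetError:
        return ProbeResult("reset")
    except socket.timeout:
        return ProbeResult("timeout")
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for sample in (SAMPLE_REDIRECT, SAMPLE_PLAIN_400, SAMPLE_TLS_ALERT, b""):
            print(classify_response(sample))
```

Run it as `python3 probe.py myserver 215` before and after the SSLProtocol change: a "redirect" outcome pointing at an https:// URL means the ErrorDocument path still works, "http_400" means mod_ssl answered but no error document was applied, and "reset" reproduces the symptom in this report.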