Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/12/03 17:53:39 UTC
[Bug 62975] New: TLS 1.3: cannot perform post-handshake authentication
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
Bug ID: 62975
Summary: TLS 1.3: cannot perform post-handshake authentication
Product: Apache httpd-2
Version: 2.4.37
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: candrews@integralblue.com
Target Milestone: ---
When using OpenSSL 1.1.1 with Apache 2.4.37, client authentication fails with
these messages logged:
[Tue Nov 20 13:20:57.718509 2018] [ssl:error] [pid 8117] [client x.x.x.x:35692] AH: verify client post handshake
[Tue Nov 20 13:20:57.718565 2018] [ssl:error] [pid 8117] [client x.x.x.x:35692] AH10158: cannot perform post-handshake authentication
[Tue Nov 20 13:20:57.718591 2018] [ssl:error] [pid 8117] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
This problem does not occur if:
* OpenSSL 1.0.x is used
* If TLS 1.3 is explicitly disabled using the "SSLProtocol TLSv1.2" directive
* If "SSLVerifyClient require" is moved out of a Location/Directory block and
is directly in a VirtualHost section
Here's the vhost configuration I'm using:
SSLCACertificateFile /etc/ssl/DoD_CAs.pem
SSLOCSPEnable on
<Directory /var/www/localhost/htdocs/cac>
    SSLOptions +StrictRequire
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth
</Directory>
The browser used is Firefox 63.0.3.
This issue was also reported at:
* https://bugzilla.redhat.com/show_bug.cgi?id=1651623
* https://stackoverflow.com/questions/53062504/apache-2-4-37-with-openssl-1-1-1-cannot-perform-post-handshake-authentication
Thanks!
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
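The two server-side conditions under which the report says the error does not occur, written out as one vhost. This is an added example, not the reporter's or the httpd project's configuration; the ServerName and the server certificate/key paths are placeholders, and the commented `optional` plus `Require ssl-verify-client` variant is an assumption beyond what the report tested.

```apache
# Constructed example. ServerName and the server cert/key paths are placeholders.
<VirtualHost *:443>
    ServerName cac.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    SSLCACertificateFile /etc/ssl/DoD_CAs.pem
    SSLOCSPEnable on

    # Option A: ask for the client certificate in the initial handshake.
    # With the requirement at vhost level, mod_ssl does not have to request
    # a certificate later for the directory, so a client that did not offer
    # TLS 1.3 post-handshake authentication is not affected.
    # Scope change: every path on this vhost now demands a certificate.
    SSLVerifyClient require
    SSLVerifyDepth 10

    # Variant of A (assumption, not tested in the report): keep other paths
    # open by using "SSLVerifyClient optional" above and enforcing the
    # certificate per directory with "Require ssl-verify-client".

    # Option B: leave SSLVerifyClient inside <Directory> as in the report and
    # cap the protocol at TLS 1.2, where mod_ssl can renegotiate instead of
    # relying on post-handshake authentication.
    # SSLProtocol TLSv1.2

    <Directory /var/www/localhost/htdocs/cac>
        SSLOptions +StrictRequire +FakeBasicAuth
        SSLRequireSSL
        # Require ssl-verify-client   # only with the "optional" variant
    </Directory>
</VirtualHost>
```

After reloading, the absence of new AH10158 entries in the error log for requests under the protected directory confirms that the certificate is being obtained without post-handshake authentication.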
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
--- Comment #3 from Craig <ca...@integralblue.com> ---
(In reply to Jens Lauterbach from comment #2)
> (In reply to Joe Orton from comment #1)
> > Not sure how what I said in the Fedora bug was unclear -- this is a bug in
> > Firefox, it needs to support TLSv1.3 Post-Handshake Authentication. There
> > isn't a mod_ssl problem here, mod_ssl is reporting that Firefox doesn't
> > support PHA.
>
> The same problem is also visible with Chrome in Android and Linux
> Environment.
Reported to Chrome/Chromium at
https://bugs.chromium.org/p/chromium/issues/detail?id=911653
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tlhackque@yahoo.com
--- Comment #4 from Joe Orton <jo...@redhat.com> ---
*** Bug 63368 has been marked as a duplicate of this bug. ***
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
Craig <ca...@integralblue.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |candrews@integralblue.com
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
a10-b4l@xuon.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |a10-b4l@xuon.net
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
Not sure how what I said in the Fedora bug was unclear -- this is a bug in
Firefox, it needs to support TLSv1.3 Post-Handshake Authentication. There
isn't a mod_ssl problem here, mod_ssl is reporting that Firefox doesn't support
PHA.
[Bug 62975] TLS 1.3: cannot perform post-handshake authentication
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62975
--- Comment #2 from Jens Lauterbach <la...@web.de> ---
(In reply to Joe Orton from comment #1)
> Not sure how what I said in the Fedora bug was unclear -- this is a bug in
> Firefox, it needs to support TLSv1.3 Post-Handshake Authentication. There
> isn't a mod_ssl problem here, mod_ssl is reporting that Firefox doesn't
> support PHA.
The same problem is also visible with Chrome in Android and Linux Environment.