Posted to users@httpd.apache.org by Landon <x...@mynetblog.com> on 2023/09/04 12:10:26 UTC

Re: [users@httpd] Re: Apache2 certificate authentication

On Tue, Jul 25, 2023 at 2:46 PM Daniel Ferradal <df...@apache.org>
wrote:

>
>>> [Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
>>> 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
>>> [Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library
>>> Error: error:0A000117:SSL routines::extension not received
>>>
>>
> This has nothing to do with your certificates, but with the TLS protocol.
>
> This is TLSv1.3 no doubt; you just have to go to "about:config" in Firefox
> and enable post-handshake authentication. That's why Apache is telling
> you that the extension is not being received: Firefox is not sending it.
> (Look for the "handshake" keyword.)
>
> When a directory configuration is different from general TLS
> configuration, such as when requiring a certificate in a subdirectory, a
> renegotiation occurs.
>
> Being TLSv1.3, browsers such as Firefox have it disabled by default. If
> your Apache server only allows TLSv1.2 you won't have this issue. As for
> the reason why browsers are doing this, I can't remember exactly what it
> is; a Google search should shed some light, I guess.
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>

The issue is discussed here...

https://stackoverflow.com/questions/73590620/delayed-certificate-in-tls-1-3

It references RFC 8446...
https://www.rfc-editor.org/rfc/rfc8446#section-4.2.6
And when I enable that "about:config" option in Firefox, does that work
correctly with TLSv1.3?

RFC 7540 explicitly forbids renegotiation after the actual HTTP/2 protocol
(inside the TLS) has been started.
https://www.rfc-editor.org/rfc/rfc7540#section-9.2.1

Landon
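As an added example (not code from the thread or from the httpd project), a small Python parser that picks out the AH10158 post-handshake-authentication failures discussed above from an Apache error log and counts them per client IP, so an administrator can see which clients are hitting a per-directory client-certificate requirement over TLSv1.3 without offering the PHA extension. The sample log lines are constructed, modelled on the excerpt quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the AH10158 excerpt quoted in the thread.
# The OpenSSL reason line carries no [client] field, so it is tied to the
# preceding AH10158 line through the shared pid.
SAMPLE_LOG = """\
[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error: error:0A000117:SSL routines::extension not received
[Mon Jul 10 03:21:02.100000 2023] [ssl:info] [pid 2411] [client 192.168.0.7:50123] AH01964: Connection to child 3 established (server www.example.com:443)
[Mon Jul 10 03:21:05.000000 2023] [ssl:error] [pid 2412] [client 192.168.0.5:64901] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:21:05.000100 2023] [ssl:error] [pid 2412] SSL Library Error: error:0A000117:SSL routines::extension not received
"""

# Apache 2.4 error-log layout: [timestamp] [module:level] [pid N] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)


def parse_line(line):
    """Split one error-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def pha_failures(log_text):
    """Return {client_ip: count} of AH10158 events whose following line, from the
    same pid, carries the OpenSSL 'extension not received' reason."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter()
    for i, e in enumerate(entries):
        if not e["msg"].startswith("AH10158:"):
            continue
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        if nxt and nxt["pid"] == e["pid"] and "extension not received" in nxt["msg"]:
            # Strip the ephemeral port; rsplit keeps bracketed IPv6 literals intact.
            ip = e["client"].rsplit(":", 1)[0]
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(pha_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} post-handshake authentication failure(s)")
```

A client that appears here repeatedly is a TLSv1.3 client without post-handshake authentication enabled; the fix is on the client side (or restricting the vhost to TLSv1.2), not in the certificates.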