Bug 1975201
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | unable to connect to httpd+mod_ssl: SSL routines::sslv3 alert unexpected message | | |
| Product | Red Hat Enterprise Linux 9 | Reporter | Karel Srot <ksrot> |
| Component | httpd | Assignee | Luboš Uhliarik <luhliari> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Branislav Náter <bnater> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 9.0 | CC | amoralej, bnater, hkario, jorton, luhliari, mspacek, sahana, vashirov |
| Target Milestone | beta | Keywords | Regression, Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | httpd-2.4.48-4.el9 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-12-07 21:57:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Karel Srot
2021-06-23 09:02:44 UTC
adding openssl s_client output:

```
# openssl s_client -connect localhost:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:CN = localhost
   i:O = Example CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 23 09:11:58 2021 GMT; NotAfter: Jun 23 09:11:58 2022 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt
cGxlIENBMB4XDTIxMDYyMzA5MTE1OFoXDTIyMDYyMzA5MTE1OFowFDESMBAGA1UE
AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAweYZ
W2UEcljWLBoqMVf1Dff+kKkwo/dsi43q8EKVvMgbq/gJMHoffLQI79yQy9oRsZUn
pFpZlYWdrXtZAkaq97QRrs8IV7mhAaaTmrfTYzRq3T2bMTrF9KSYnlHF3drtCjoV
Nf6W7L44zTYHiYJ573sqLkN+wnWNiJd+IJT21lKHdcq+SPv+WCRSxkZ9IYfcmH5v
k0ZfRU/PFarHKzs1x7h9jyEKmX1dH3MGQgmakuiBeq2Vk2QN0wesT4niX/jNHHoT
mAUgvtRumHbqKrvwk6rZCALzsdZtELIqRMTgOuhrGBiU8QfG54XWJOrHN7AgSYtt
R1rXQGJl1LQFxLvszQIDAQABo2cwZTAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAww
CgYIKwYBBQUHAwEwHQYDVR0OBBYEFPXedwIA3qiI9YWoubY7wvYu9BQ0MB8GA1Ud
IwQYMBaAFJ0u+PGyU/hqqB1BSdFBrlpVEFK+MA0GCSqGSIb3DQEBCwUAA4IBAQAI
QDsvU0ZtydlFgflXG6XYzxaxDsPTPKd+KDQCeNXHGCRwuaM0VvibzMvenOjRFfa3
w0VkIisuMf+gAQJx2UmeQry8HSdjMtWN3JO1t1unbwmOmWwVFAevD0cR7pl1CJmY
rAflgsx+hDDrlbHaDBT+FSTlwXZhwsKNaqwjBwHttPBlj4SMj5cudE/jxpkMHij8
o+hgfjqZiuavBUawNfVBz+iNnFp1wS01xzszL/dDPM8XB5NFiOC98jjZW7MRR7xH
VZ6zl6fL1bWfPHemUqBJWr5U+62pT0cYXTr/bQ63OzRL4/tJRX9HIFwrfWLboMaK
TZKQSxgDyajbs/r/oyHZ
-----END CERTIFICATE-----
subject=CN = localhost
issuer=O = Example CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 375 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 998FDAFF36A67BAFC3E63C38AF1132C19AB44EC81F1896590F10FB60BD87E90A
    Session-ID-ctx:
    Resumption PSK: A615151C5178ABBC5CBC2DCAA13C4389D8254694B547B1D8423AFC2B718493D28F883EBF04233FDA6FE79D231ED041F0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1c 4f 26 5a cd c9 53 0f-23 2c 55 a0 f8 0d 0f de   .O&Z..S.#,U.....
    0010 - bf cc 80 10 7e f3 29 22-aa 67 18 c9 8e 3b d0 6f   ....~.)".g...;.o
    0020 - 25 d9 70 96 ed 57 6e 21-cc 48 3a f5 84 da ef 4a   %.p..Wn!.H:....J
    0030 - d4 1d 06 4d a5 50 7b 92-e0 bc 97 2b 82 95 59 5d   ...M.P{....+..Y]
    0040 - 76 8c 3c f8 9a 53 24 f5-b2 e0 2f b9 ed 38 66 f8   v.<..S$.../..8f.
    0050 - 75 1a dc bd a0 23 d3 48-4f 12 20 5a eb 42 3e 94   u....#.HO. Z.B>.
    0060 - 87 a9 ef 17 c8 a5 4a 9e-ce cc 3e 67 71 22 a7 1f   ......J...>gq"..
    0070 - 36 1f 44 b9 b3 a5 7e 1c-b4 c5 c1 47 a0 4e 86 e9   6.D...~....G.N..
    0080 - bc cf f4 3b b2 8e ec 6d-02 01 ac 07 b2 fa 18 c1   ...;...m........
    0090 - a7 31 19 93 a4 26 6b 72-e1 1d 41 db 23 57 f0 87   .1...&kr..A.#W..
    00a0 - dc 18 2c fb 30 d8 e5 34-41 09 1b 3d ec c4 ce d6   ..,.0..4A..=....
    00b0 - ac 5a 0d 8d bd a4 49 d9-dc 82 4a 2e 58 93 d7 7e   .Z....I...J.X..~
    00c0 - f7 2f d5 56 03 c5 31 e3-da 64 12 f9 27 08 92 11   ./.V..1..d..'...
    00d0 - 73 ef 46 5e bb fa 04 3a-3c bd 62 14 a0 8e 14 fe   s.F^...:<.b.....

    Start Time: 1624439727
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 185E1398CEA46B6946348A69CDBCB095ED0BF048281BD03E0E1C7A2771C666B9
    Session-ID-ctx:
    Resumption PSK: E9C3C4EF4D61E73BF1B3DBDCE5472DAF70DDCCBA2ECDA6ADBF2831D8BFE3FF2A9793C60C91F73B750D740B36A7EDB48D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1c 4f 26 5a cd c9 53 0f-23 2c 55 a0 f8 0d 0f de   .O&Z..S.#,U.....
    0010 - 22 3b ee 4b 2c e1 62 50-03 03 51 29 c4 a8 ae d7   ";.K,.bP..Q)....
    0020 - 44 5c d4 97 dd 80 32 38-66 da 32 09 c9 8f 88 f2   D\....28f.2.....
    0030 - b2 96 79 8d d6 b4 2e f6-bf f1 2b ff 49 6c 0d b1   ..y.......+.Il..
    0040 - 60 f1 5b c3 05 fc e8 8d-da d0 fc 55 24 1d 0a d0   `.[........U$...
    0050 - ab d2 e8 42 18 da cd f7-ce 19 a0 d5 75 1c 9c f2   ...B........u...
    0060 - 48 fe 7e 8f 82 ec 26 aa-18 5d 10 82 6d 1f 88 28   H.~...&..]..m..(
    0070 - 6e c4 7c 38 db e9 f2 c1-70 1f 3f 59 66 05 22 88   n.|8....p.?Yf.".
    0080 - c6 12 61 71 91 84 81 d4-64 7a ec bd ce a9 4c 65   ..aq....dz....Le
    0090 - b2 73 46 11 ff 20 cb 24-10 17 41 31 83 24 91 b9   .sF.. .$..A1.$..
    00a0 - e6 5f 16 1a 73 12 fc 71-75 db b3 fd 87 1e b5 d8   ._..s..qu.......
    00b0 - 6e b9 d3 95 2a 1f ed 5a-e7 09 a9 4e a7 fa cf e9   n...*..Z...N....
    00c0 - fb 40 72 46 7f 8b 93 21-df ec fd e3 03 42 4e 1a   .@rF...!.....BN.
    00d0 - 35 11 85 2f 02 66 10 21-d9 e8 77 fa 49 df 79 e1   5../.f.!..w.I.y.

    Start Time: 1624439727
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK   <===================== CONNECTION HAS BEEN ESTABLISHED. AT THIS MOMENT I HAVE PRESSED ENTER
000003FF944F34A0:error:0A0003F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:ssl/record/rec_layer_s3.c:1588:SSL alert number 10
```

*** Bug 1974715 has been marked as a duplicate of this bug. ***

The issue is not limited to s390x, I am updating the Hardware field accordingly.

Can someone try https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=339791

This has the OpenSSL v3 compatibility fixes from upstream.

(In reply to Joe Orton from comment #13)
> Can someone try
> https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=339791
>
> This has the OpenSSL v3 compatibility fixes from upstream.

Hi Joe, tested on x86_64 and it fixes the problem for me. Can't test s390x ATM as we are low on resources.

And it works also for s390x. I guess we should move this bug to httpd then.

Joe, did you see Hubert's comment #10?

FYI, I've tested that httpd-2.4.48-4.el9.x86_64 fixes the issue reported with RDO deployment in https://bugzilla.redhat.com/show_bug.cgi?id=1974715, which was closed as a duplicate of this one.

Regarding error-checking, thanks Hubert, I will address upstream. FWIW this is a copy&paste of the upstream example code, which also doesn't have error checking.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_tlsext_ticket_key_cb.html

Note that we have quite a lot of remaining test failures for httpd, please have some patience as we work through these. Branislav has waived the -4 build through to unblock testing of other components.

(In reply to Joe Orton from comment #19)
> Regarding error-checking, thanks Hubert, I will address upstream. FWIW this
> is a copy&paste of the upstream example code, which also doesn't have error
> checking.
>
> https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_tlsext_ticket_key_cb.html

yes, unfortunately upstream examples commonly omit error checking, I'll try to fix this particular instance

BTW: the 3.0.0 version supports the -DUNUSEDRESULT_DEBUG macro to make the compiler emit warnings when methods that should have their return code checked don't (it's not defined for all: https://github.com/openssl/openssl/issues/15902 but hopefully will be soon)

FYI httpd-2.4.48-4.el9 has been added to erratum and will be available in next development and nightly compose.
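The s_client transcript in the description shows the pattern that makes this bug easy to misdiagnose: the certificate-verification warning (verify return code 21) is not the failure, because the handshake completed (TLSv1.3, two session tickets arrived) and the connection only died when application data was sent and the server answered with a fatal alert 10 (unexpected_message). The triage helper below, an example added here and not code from the bug report, httpd or OpenSSL, parses an `openssl s_client` transcript and separates those two conditions. It assumes the OpenSSL 3 error-line layout seen above (`<thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>`), takes alert names from the IANA TLS Alert registry (RFC 8446 section 6), and runs on two constructed transcripts: an abbreviated copy of the one in the description and a made-up handshake failure for contrast.

```python
"""Triage an `openssl s_client` transcript (example added here; not code from
the bug report, httpd or OpenSSL).  It tells a post-handshake fatal alert
apart from a handshake failure and from a mere certificate-verification
warning."""
import re
from dataclasses import dataclass
from typing import Optional

# TLS alert descriptions (IANA TLS Alert registry, RFC 8446 section 6);
# only values commonly met during triage are listed.
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}

# OpenSSL 3 error line: <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>
ERR_RE = re.compile(
    r"^[0-9A-Fa-f]+:error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*)"
    r":(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?(?P<extra>.*)$"
)
SUMMARY_RE = re.compile(r"^New, (?P<proto>.+?), Cipher is (?P<cipher>\S+)$")
VERIFY_RE = re.compile(r"^Verify return code: (?P<code>\d+) \((?P<reason>.*)\)$")
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")


@dataclass
class Verdict:
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_code: Optional[int] = None
    verify_reason: Optional[str] = None
    tickets: int = 0                   # "Post-Handshake New Session Ticket" messages seen
    alert_number: Optional[int] = None
    error_func: Optional[str] = None
    error_reason: Optional[str] = None
    error_after_summary: bool = False  # error line came after the "New, ..." summary

    @property
    def handshake_completed(self) -> bool:
        # s_client prints "New, (NONE), Cipher is (NONE)" when the handshake failed
        return self.protocol is not None and self.protocol != "(NONE)"

    @property
    def alert_name(self) -> Optional[str]:
        if self.alert_number is None:
            return None
        return ALERT_NAMES.get(self.alert_number, "alert_%d" % self.alert_number)

    @property
    def classification(self) -> str:
        if self.alert_number is not None:
            if self.handshake_completed and self.error_after_summary:
                return "post-handshake fatal alert"   # the case in this bug
            return "handshake failure"
        if self.verify_code not in (None, 0):
            return "connected, certificate not verified"  # warning only
        return "ok"


def parse_s_client(transcript: str) -> Verdict:
    """Walk the transcript line by line and fill in a Verdict."""
    v = Verdict()
    summary_seen = False
    for raw in transcript.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            v.protocol, v.cipher = m.group("proto"), m.group("cipher")
            summary_seen = True
            continue
        m = VERIFY_RE.match(line)
        if m:
            v.verify_code, v.verify_reason = int(m.group("code")), m.group("reason")
            continue
        if line == "Post-Handshake New Session Ticket arrived:":
            v.tickets += 1
            continue
        m = ERR_RE.match(line)
        if m:
            v.error_func, v.error_reason = m.group("func"), m.group("reason")
            v.error_after_summary = summary_seen
            a = ALERT_RE.search(m.group("extra"))
            if a:
                v.alert_number = int(a.group("num"))
    return v


# Constructed sample 1: abbreviated from the transcript in the bug description.
SAMPLE_POST_HANDSHAKE_ALERT = """\
CONNECTED(00000003)
verify error:num=21:unable to verify the first certificate
---
SSL handshake has read 1339 bytes and written 375 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 21 (unable to verify the first certificate)
---
Post-Handshake New Session Ticket arrived:
    Verify return code: 21 (unable to verify the first certificate)
read R BLOCK
Post-Handshake New Session Ticket arrived:
read R BLOCK
000003FF944F34A0:error:0A0003F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:ssl/record/rec_layer_s3.c:1588:SSL alert number 10
"""

# Constructed sample 2: a made-up handshake failure (thread id and code are placeholders).
SAMPLE_HANDSHAKE_FAILURE = """\
CONNECTED(00000003)
DEADBEEF00000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in (("bug 1975201", SAMPLE_POST_HANDSHAKE_ALERT),
                       ("constructed", SAMPLE_HANDSHAKE_FAILURE)):
        v = parse_s_client(text)
        print(name, "->", v.classification, v.protocol, v.alert_name, v.error_func)
```

Feed it the full output of `openssl s_client -connect host:443 < /dev/null` (or a captured transcript); `error_after_summary` is what distinguishes the server rejecting the first application-data record, as in this bug, from a handshake that never completed.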