Bug 1619389 - mod_ssl does not work with TLS 1.3-enabled openssl
Summary: mod_ssl does not work with TLS 1.3-enabled openssl
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Luboš Uhliarik ✈
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F29BetaFreezeException
Reported: 2018-08-20 17:21 UTC by Rob Crittenden
Modified: 2018-10-02 19:28 UTC (History)

Fixed In Version: httpd-2.4.34-6.fc29 httpd-2.4.34-8.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-02 19:28:33 UTC



Description Rob Crittenden 2018-08-20 17:21:06 UTC
Description of problem:

On rawhide I ran distro-sync, httpd was updated to -4, and clients fail to connect to Apache now:

$ openssl s_client -host `hostname` -port 443
CONNECTED(00000003)
depth=1 C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = US, O = Unspecified, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
   i:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
 1 s:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
   i:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip auto-generated cert data>
-----END CERTIFICATE-----
subject=C = US, O = Unspecified, CN = localhost.localdomain, emailAddress = root@localhost.localdomain

issuer=C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root@localhost.localdomain

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3400 bytes and written 445 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534784853
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
read:errno=0

Apache logs:

[ssl:error] [pid 4645:tid 140592113768192] [client ::1:42982] AH02042: rejecting client initiated renegotiation

Curl fails in the same way:

# curl -kv https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=localhost.localdomain; emailAddress=root@localhost.localdomain
*  start date: Aug 17 19:30:17 2018 GMT
*  expire date: Aug 22 21:10:17 2019 GMT
*  issuer: C=US; O=Unspecified; OU=ca-2277548965971357142; CN=localhost.localdomain; emailAddress=root@localhost.localdomain
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.0
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

With curl, specifying the protocol to use (e.g. -tls1_2) still fails, but with openssl, specifying a protocol < 1.3 succeeds in connecting.

Version-Release number of selected component (if applicable):

httpd-2.4.34-4.fc29.x86_64
mod_ssl-2.4.34-4.fc29.x86_64
openssl-1.1.1-0.pre8.4.fc29.x86_64
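
An added triage helper (example code written for this page, not part of the report, of httpd or of Fedora tooling) that encodes the failure signature above: a TLS 1.3 handshake that completes, followed by an empty reply and AH02042 ("rejecting client initiated renegotiation") in error_log, which distinguishes this mod_ssl defect from an ordinary connection problem. It also checks an installed httpd or mod_ssl NVR against the builds the report lists under Fixed In Version. The sample transcript and log line are constructed from the output quoted above, the function and constant names are this example's own, and the rpmvercmp reimplementation is deliberately simplified (no tilde or caret ordering).

```python
"""Offline triage helper for the failure in this report (added example, not
part of the bug report or of httpd itself).

Two checks on captured text:
  1. classify_failure(): does a client transcript plus the httpd error_log show
     the signature of this bug, i.e. a completed TLS 1.3 handshake followed by
     an empty reply and AH02042 ("rejecting client initiated renegotiation")?
  2. is_fixed(): is an installed httpd/mod_ssl build at or past the builds
     listed in the report's "Fixed In Version" field?
"""
import re

# Constructed sample input, abbreviated from the curl transcript and the
# Apache error_log line quoted in the report.
CURL_TRANSCRIPT = """\
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: localhost
* Empty reply from server
curl: (52) Empty reply from server
"""
ERROR_LOG = (
    "[ssl:error] [pid 4645:tid 140592113768192] [client ::1:42982] "
    "AH02042: rejecting client initiated renegotiation\n"
)

# Builds from the report's "Fixed In Version" field. mod_ssl is a subpackage
# built from the httpd source package, so it shares httpd's version-release.
FIXED_BUILDS = ("httpd-2.4.34-6.fc29", "httpd-2.4.34-8.fc29")
SUBPACKAGE_OF = {"mod_ssl": "httpd"}
ARCH_SUFFIX = re.compile(r"\.(x86_64|i686|aarch64|noarch|ppc64le|s390x|armv7hl)$")


def classify_failure(transcript, error_log):
    """Return a dict describing the negotiated session and a verdict string."""
    m = re.search(r"SSL connection using (TLSv1\.\d) / (\S+)", transcript)
    proto = m.group(1) if m else None
    cipher = m.group(2) if m else None
    empty_reply = "Empty reply from server" in transcript
    renego_rejected = "AH02042" in error_log
    if proto == "TLSv1.3" and empty_reply and renego_rejected:
        verdict = "mod_ssl-tls13-renegotiation-bug"
    elif empty_reply:
        verdict = "empty-reply-other-cause"
    elif proto:
        verdict = "ok"
    else:
        verdict = "no-tls-session"
    return {"protocol": proto, "cipher": cipher, "empty_reply": empty_reply,
            "ah02042": renego_rejected, "verdict": verdict}


def _segments(s):
    # Split a version or release string into numeric and alphabetic runs.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1: numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an alphabetic
    one, and the string with more segments wins when the shared ones are equal.
    Tilde and caret ordering are not implemented."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    name, version, release = ARCH_SUFFIX.sub("", pkg).rsplit("-", 2)
    return name, version, release


def evr_cmp(a, b):
    """Compare two NVRs of the same package: version first, then release."""
    _, va, ra = parse_nvr(a)
    _, vb, rb = parse_nvr(b)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def is_fixed(installed, fixed_builds=FIXED_BUILDS):
    """True if the installed build is at or past any build listed as fixed."""
    name, version, release = parse_nvr(installed)
    name = SUBPACKAGE_OF.get(name, name)
    candidate = f"{name}-{version}-{release}"
    return any(parse_nvr(f)[0] == name and evr_cmp(candidate, f) >= 0
               for f in fixed_builds)


if __name__ == "__main__":
    print(classify_failure(CURL_TRANSCRIPT, ERROR_LOG))
    for pkg in ("httpd-2.4.34-4.fc29.x86_64", "mod_ssl-2.4.34-4.fc29.x86_64",
                "httpd-2.4.34-8.fc29"):
        print(pkg, "fixed" if is_fixed(pkg) else "affected")
```

Run it as-is to see the constructed sample classified; to triage a real host, pass the output of `curl -kv https://host/` and the relevant lines of the httpd error_log to `classify_failure()`, and the output of `rpm -q httpd mod_ssl` to `is_fixed()`. A result of `ok` on TLS 1.3 together with an `affected` package means the installed build is older than the fix but the symptom is not reproducing, which is worth checking against the upgrade-only hypothesis raised later in the thread.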

Comment 2 Joe Orton 2018-08-21 07:47:27 UTC
Package: httpd-2.4.34-5.fc29
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=No such build: httpd-2.4.34-5.fc29

Comment 4 Rob Crittenden 2018-08-21 12:55:57 UTC
Confirmed as working now, thanks.

Comment 5 Randy Barlow 2018-08-23 17:37:20 UTC
It looks like this was maybe only fixed on Rawhide? I don't see an f29 build with similar timestamp or nvr:

https://koji.fedoraproject.org/koji/packageinfo?packageID=280

I think I am experiencing this on my f29 httpd server as well.

Comment 6 Randy Barlow 2018-08-27 14:08:52 UTC
I am proposing this as a Fedora 29 blocker.

Comment 7 Randy Barlow 2018-08-27 16:30:39 UTC
I hope you don't mind - I'm also going to set this back to ASSIGNED so it's clear there are still changes needed.

Comment 8 Stephen Gallagher 2018-08-27 16:39:03 UTC
I'm +1 Freeze Exception here, but I'm not aware of any Beta-blocking criterion that httpd violates.

Comment 9 Randy Barlow 2018-08-27 16:52:56 UTC
I confess that I'm not fully familiar with the beta blocking criterion. I just read a bit about it at the very long page about f29 beta blockers[0]. If httpd isn't part of the test plan for beta testing, then I suppose I agree. Should we mark it as a final blocker instead?


[0] https://fedoraproject.org/wiki/Fedora_29_Beta_Release_Criteria#Beta_Blocker_Bugs

Comment 10 Adam Williamson 2018-08-27 17:16:36 UTC
httpd is indirectly part of the Basic criteria, via the FreeIPA requirements - https://fedoraproject.org/wiki/Basic_Release_Criteria#freeipa-server-requirements : "...The web UI must be available and allow at least basic configuration of user accounts and permissions..."

FreeIPA tests have failed for the last several Rawhide/Branched composes, this could be (part of) the reason. I hadn't had time to investigate it yet as I was working on the *F27* FreeIPA breakage we had instead...

Comment 11 Stephen Gallagher 2018-08-27 17:52:04 UTC
Ah, I forgot about the FreeIPA side of things. Yeah, if that's breaking FreeIPA's web UI, then this is definitely a blocker.

Comment 12 Adam Williamson 2018-08-28 01:05:17 UTC
Since it was Rob that reported it I was kinda assuming that was the consequence, however in fact in today's Rawhide testing, the FreeIPA web UI seems to be working OK. The tests break at other points, but the web UI does seem to work. Perhaps this is an upgrade-only bug, and it works on fresh install?

Comment 13 Joe Orton 2018-08-28 07:11:32 UTC
Package: httpd-2.4.34-5.fc29

Comment 15 Randy Barlow 2018-08-28 18:16:19 UTC
Hi Joe!

Since Bodhi was activated for Fedora 29 today, can you also make an update?

Comment 16 Fedora Update System 2018-08-29 07:02:21 UTC
httpd-2.4.34-5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a50c9c90b9

Comment 17 Fedora Update System 2018-08-29 19:06:30 UTC
httpd-2.4.34-5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a50c9c90b9

Comment 18 Adam Williamson 2018-08-29 21:49:26 UTC
I'm at least +1 FE for this. +1 blocker if it really breaks the FreeIPA web UI on upgrade or something.

Comment 19 Kevin Fenzi 2018-08-29 23:11:12 UTC
Same. +1 FE, +1 blocker if it breaks FreeIPA.

Comment 20 Fedora Update System 2018-08-29 23:14:06 UTC
httpd-2.4.34-5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a50c9c90b9

Comment 21 Adam Williamson 2018-08-30 03:30:15 UTC
That's +3 FE (Stephen, Kevin and me) so setting Accepted.

Comment 22 Geoffrey Marr 2018-09-04 20:27:44 UTC
Discussed during the 2018-09-04 blocker review meeting: [1]

The decision to delay the classification of this as a bug was made as it's still not clear if there's a criteria violation here, and it's already accepted as a freeze exception. We will try to clarify if there's a criteria violation here in time for next week.

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-09-04/f29-blocker-review.2018-09-04-16.01.txt

Comment 23 Fedora Update System 2018-09-05 01:08:41 UTC
httpd-2.4.34-5.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Joe Orton 2018-09-18 13:12:12 UTC
Package: httpd-2.4.34-6.fc29

Comment 26 Adam Williamson 2018-09-18 16:33:49 UTC
Dropping AcceptedFreezeException, as we gave the exception for the previous build. Not sure if it's worth taking further changes as FE now unless there's a clear impact on a supported workflow, might be just fine to leave them as regular updates.

Comment 27 Fedora Update System 2018-09-21 14:45:34 UTC
httpd-2.4.34-8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92

Comment 28 Fedora Update System 2018-09-22 20:04:12 UTC
httpd-2.4.34-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92

Comment 29 Fedora Update System 2018-10-02 19:28:33 UTC
httpd-2.4.34-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

