Description of problem:

On rawhide I ran distro-sync, httpd was updated to -4, and clients fail to connect to Apache now:

$ openssl s_client -host `hostname` -port 443
CONNECTED(00000003)
depth=1 C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = US, O = Unspecified, CN = localhost.localdomain, emailAddress = root
   i:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root
 1 s:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root
   i:C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip auto-generated cert data>
-----END CERTIFICATE-----
subject=C = US, O = Unspecified, CN = localhost.localdomain, emailAddress = root
issuer=C = US, O = Unspecified, OU = ca-2277548965971357142, CN = localhost.localdomain, emailAddress = root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3400 bytes and written 445 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534784853
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
read:errno=0

Apache logs:

[ssl:error] [pid 4645:tid 140592113768192] [client ::1:42982] AH02042: rejecting client initiated renegotiation

Curl fails in the same way:

# curl -kv https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; O=Unspecified; CN=localhost.localdomain; emailAddress=root
*  start date: Aug 17 19:30:17 2018 GMT
*  expire date: Aug 22 21:10:17 2019 GMT
*  issuer: C=US; O=Unspecified; OU=ca-2277548965971357142; CN=localhost.localdomain; emailAddress=root
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

With curl, specifying the protocol to use still fails (e.g. -tls1_2), but with openssl specifying a protocol < 1.3 succeeds in connecting.
Version-Release number of selected component (if applicable): httpd-2.4.34-4.fc29.x86_64 mod_ssl-2.4.34-4.fc29.x86_64 openssl-1.1.1-0.pre8.4.fc29.x86_64
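The report above shows the symptom that distinguishes this regression from an ordinary certificate problem: the TLS 1.3 handshake completes (a Verify return code is printed and a cipher is negotiated) but the server then closes the connection without sending any HTTP bytes, while forcing TLS 1.2 from openssl works. The helper below is an added example, not part of the bug report or of the httpd package; it probes one host with each protocol version that `openssl s_client` can pin (`-tls1_2`, `-tls1_3`) and classifies the transcript into "no handshake", "handshake but empty reply" or "HTTP reply", so the three cases can be told apart in one run. The host and port are placeholders, and the sample transcript in `demo_offline` is constructed from the lines in the report.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report). Assumes openssl 1.1.1+
# (s_client with -tls1_2 / -tls1_3 / -ign_eof) and a POSIX shell.
# Usage: ./probe_tls.sh HOST [PORT]      (HOST and PORT are placeholders)
#        ./probe_tls.sh                  (no args: classify the embedded sample)

# classify_transcript: read an `openssl s_client` transcript on stdin and print
# exactly one of:
#   NO_HANDSHAKE       - no "Verify return code" line, handshake never finished
#   HANDSHAKE_NO_HTTP  - handshake finished, but no HTTP status line came back
#   HTTP_REPLY         - an "HTTP/1.x" status line was received (any status)
classify_transcript() {
    t=$(cat)
    case "$t" in
        *"HTTP/1."*) echo HTTP_REPLY; return 0 ;;
    esac
    case "$t" in
        *"Verify return code:"*) echo HANDSHAKE_NO_HTTP; return 0 ;;
    esac
    echo NO_HANDSHAKE
}

# probe HOST PORT PROTOFLAG: send a minimal GET over one pinned protocol
# version and classify what comes back. stderr is dropped so that only the
# s_client summary (stdout) and any HTTP response are classified.
probe() {
    host=$1; port=$2; proto=$3
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
      openssl s_client -connect "$host:$port" -servername "$host" \
          "$proto" -ign_eof 2>/dev/null |
      classify_transcript
}

# report HOST PORT: one line per protocol version, e.g.
#   -tls1_2 HTTP_REPLY
#   -tls1_3 HANDSHAKE_NO_HTTP      <- the pattern seen in this bug
report() {
    host=$1; port=${2:-443}
    for proto in -tls1_2 -tls1_3; do
        printf '%s %s\n' "$proto" "$(probe "$host" "$port" "$proto")"
    done
}

# demo_offline: classify a constructed transcript that mirrors the failing
# TLS 1.3 session from the report (handshake summary, then read:errno=0).
demo_offline() {
    printf '%s\n' \
        'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
        '    Verify return code: 19 (self signed certificate in certificate chain)' \
        '---' \
        'read:errno=0' | classify_transcript
}

if [ $# -ge 1 ]; then
    report "$1" "$2"
else
    printf 'sample transcript: %s\n' "$(demo_offline)"
fi
```

A server that is healthy on both versions prints HTTP_REPLY twice; the regression described in this bug shows as HTTP_REPLY for `-tls1_2` and HANDSHAKE_NO_HTTP for `-tls1_3`. A self-signed certificate does not change the classification, because the verify result is only used as evidence that the handshake finished, not as a pass/fail condition.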
Commit: http://pkgs.fedoraproject.org/rpms/httpd/c/b52ebeb33d4b79ff9ec399502499fc92b56a3ee1
Package: httpd-2.4.34-5.fc29 Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=No such build: httpd-2.4.34-5.fc29
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=1138043
Confirmed as working now, thanks.
It looks like this was maybe only fixed on Rawhide? I don't see an f29 build with similar timestamp or nvr: https://koji.fedoraproject.org/koji/packageinfo?packageID=280 I think I am experiencing this on my f29 httpd server as well.
I am proposing this as a Fedora 29 blocker.
I hope you don't mind - I'm also going to set this back to ASSIGNED so it's clear there are still changes needed.
I'm +1 Freeze Exception here, but I'm not aware of any Beta-blocking criterion that httpd violates.
I confess that I'm not fully familiar with the beta blocking criterion. I just read a bit about it at the very long page about f29 beta blockers[0]. If httpd isn't part of the test plan for beta testing, then I suppose I agree. Should we mark it as a final blocker instead? [0] https://fedoraproject.org/wiki/Fedora_29_Beta_Release_Criteria#Beta_Blocker_Bugs
httpd is indirectly part of the Basic criteria, via the FreeIPA requirements - https://fedoraproject.org/wiki/Basic_Release_Criteria#freeipa-server-requirements : "...The web UI must be available and allow at least basic configuration of user accounts and permissions..." FreeIPA tests have failed for the last several Rawhide/Branched composes, this could be (part of) the reason. I hadn't had time to investigate it yet as I was working on the *F27* FreeIPA breakage we had instead...
Ah, I forgot about the FreeIPA side of things. Yeah, if that's breaking FreeIPA's web UI, then this is definitely a blocker.
Since it was Rob that reported it I was kinda assuming that was the consequence, however in fact in today's Rawhide testing, the FreeIPA web UI seems to be working OK. The tests break at other points, but the web UI does seem to work. Perhaps this is an upgrade-only bug, and it works on fresh install?
Package: httpd-2.4.34-5.fc29
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=1139990
Hi Joe! Since Bodhi was activated for Fedora 29 today, can you also make an update?
httpd-2.4.34-5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a50c9c90b9
I'm at least +1 FE for this. +1 blocker if it really breaks the FreeIPA web UI on upgrade or something.
Same. +1 FE, +1 blocker if it breaks FreeIPA.
httpd-2.4.34-5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a50c9c90b9
That's +3 FE (Stephen, Kevin and me) so setting Accepted.
Discussed during the 2018-09-04 blocker review meeting: [1] The decision to delay the classification of this as a bug was made as it's still not clear if there's a criteria violation here, and it's already accepted as a freeze exception. We will try to clarify if there's a criteria violation here in time for next week. [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-09-04/f29-blocker-review.2018-09-04-16.01.txt
httpd-2.4.34-5.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Commit: http://pkgs.fedoraproject.org/rpms/httpd/c/369db50dd0f2e26d94699d80e69ae0e196fb585c
Package: httpd-2.4.34-6.fc29
Dropping AcceptedFreezeException, as we gave the exception for the previous build. Not sure if it's worth taking further changes as FE now unless there's a clear impact on a supported workflow, might be just fine to leave them as regular updates.
httpd-2.4.34-8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92
httpd-2.4.34-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92
httpd-2.4.34-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.