'[Bug 62975] New: TLS 1.3: cannot perform post-handshake authentication'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-bugs
Subject:    [Bug 62975] New: TLS 1.3: cannot perform post-handshake authentication
From:       bugzilla () apache ! org
Date:       2018-12-03 17:53:39
Message-ID: bug-62975-7868 () https ! bz ! apache ! org/bugzilla/
[Download RAW message or body]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62975

            Bug ID: 62975
           Summary: TLS 1.3: cannot perform post-handshake authentication
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: candrews@integralblue.com
  Target Milestone: ---

When using OpenSSL 1.1.1 with Apache 2.4.37, client authentication files with
these messages logged:

[Tue Nov 20 13:20:57.718509 2018] [ssl:error] [pid 8117] [client x.x.x.x:35692]
AH: verify client post handshake
[Tue Nov 20 13:20:57.718565 2018] [ssl:error] [pid 8117] [client x.x.x.x:35692]
AH10158: cannot perform post-handshake authentication
[Tue Nov 20 13:20:57.718591 2018] [ssl:error] [pid 8117] SSL Library Error:
error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not
received

This problem does not occur if:
* OpenSSL 1.0.x is used
* If TLS 1.3 is explicitly disabled using the "SSLProtocol TLSv1.2" directive
* If "SSLVerifyClient require" is moved out of a Location/Directory block and
is directly in a VirtualHost section

Here's the vhost configuration I'm using:
SSLCACertificateFile /etc/ssl/DoD_CAs.pem
SSLOCSPEnable on
<Directory /var/www/localhost/htdocs/cac>
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLOptions +FakeBasicAuth
</Directory>

The browser used is Firefox 63.0.3.

This issue was also reported at:
* https://bugzilla.redhat.com/show_bug.cgi?id=1651623
*
https://stackoverflow.com/questions/53062504/apache-2-4-37-with-openssl-1-1-1-cannot-perform-post-handshake-authentication


Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic