enterprise-support team mailing list archive
-
enterprise-support team
-
Mailing list archive
-
Message #08062
[Bug 1867223] [NEW] REMOTE_USER environmental variable not set for TLSv1.3 connections
Public bug reported:
The recent backport of TLSv1.3 code to Ubuntu 18.04's version of apache2
breaks wsgi scripts that use client certificate authentication because
the REMOTE_USER environmental variable is not being set for a TLSv1.3
connection. I tracked down the cause and it is because this upstream
patch has not been included:
https://svn.apache.org/viewvc?view=revision&revision=1841218
Running Ubuntu 18.04.4 LTS
The bug was introduced in apache2-2.4.29-1ubuntu4.12
The affected source file is : httpd-2.4.29/modules/ssl/ssl_engine_kernel.c
What you expected to happen: When a wsgi script is called, using client
certificate authentication, and a TLSv1.3 connection is negotiated, the
environmental variable REMOTE_USER should be set to the client
certificate's CN. (SSLUserName SSL_CLIENT_S_DN_CN is set in the apache
config file)
What happened instead: The REMOTE_USER environmental variable doesn't
exist unless I restrict the connection to TLSv1.2.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apache2 2.4.29-1ubuntu4.12
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Uname: Linux 4.15.0-88-generic x86_64
Apache2ConfdDirListing: False
Apache2Modules:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
httpd (pid 19397) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
Date: Thu Mar 12 23:09:34 2020
InstallationDate: Installed on 2020-03-04 (8 days ago)
InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
[Thu Mar 12 06:25:02.361354 2020] [ssl:warn] [pid 19397] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Mar 12 06:25:02.361788 2020] [mpm_prefork:notice] [pid 19397] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.7.1 Python/3.6 configured -- resuming normal operations
[Thu Mar 12 06:25:02.361812 2020] [core:notice] [pid 19397] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-03-12T23:11:20.058759
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug bionic uec-images
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1867223
Title:
REMOTE_USER environmental variable not set for TLSv1.3 connections
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1867223/+subscriptions
Follow ups