enterprise-support team mailing list archive

Thread
Date

[Bug 1867223] [NEW] REMOTE_USER environmental variable not set for TLSv1.3 connections

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: JonH <jh_ml@xxxxxxxxxxxx>
Date: Thu, 12 Mar 2020 23:44:56 -0000
Reply-to: Bug 1867223 <1867223@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The recent backport of TLSv1.3 code to Ubuntu 18.04's version of apache2
breaks wsgi scripts that use client certificate authentication because
the REMOTE_USER environmental variable is not being set for a TLSv1.3
connection. I tracked down the cause and it is because this upstream
patch has not been included:
https://svn.apache.org/viewvc?view=revision&revision=1841218

Running Ubuntu 18.04.4 LTS
The bug was introduced in apache2-2.4.29-1ubuntu4.12
The affected source file is : httpd-2.4.29/modules/ssl/ssl_engine_kernel.c

What you expected to happen: When a wsgi script is called, using client
certificate authentication, and a TLSv1.3 connection is negotiated, the
environmental variable REMOTE_USER should be set to the client
certificate's CN. (SSLUserName SSL_CLIENT_S_DN_CN is set in the apache
config file)

What happened instead: The REMOTE_USER environmental variable doesn't
exist unless I restrict the connection to TLSv1.2.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apache2 2.4.29-1ubuntu4.12
ProcVersionSignature: Ubuntu 4.15.0-88.88-generic 4.15.18
Uname: Linux 4.15.0-88-generic x86_64
Apache2ConfdDirListing: False
Apache2Modules:
 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
 httpd (pid 19397) already running
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
Date: Thu Mar 12 23:09:34 2020
InstallationDate: Installed on 2020-03-04 (8 days ago)
InstallationMedia: Ubuntu-Server 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
 [Thu Mar 12 06:25:02.361354 2020] [ssl:warn] [pid 19397] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
 [Thu Mar 12 06:25:02.361788 2020] [mpm_prefork:notice] [pid 19397] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_wsgi/4.7.1 Python/3.6 configured -- resuming normal operations
 [Thu Mar 12 06:25:02.361812 2020] [core:notice] [pid 19397] AH00094: Command line: '/usr/sbin/apache2'
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-03-12T23:11:20.058759

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic uec-images

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1867223

Title:
  REMOTE_USER environmental variable not set for TLSv1.3 connections

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1867223/+subscriptions

Follow ups

[Bug 1867223] Re: REMOTE_USER environmental variable not set for TLSv1.3 connections
From: Launchpad Bug Tracker, 2020-03-18