Apache2 2.4.41 Causes TLSv1.3 Errors and Disconnects
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apache2 (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
System: Ubuntu 18.04.3 LTS
ppa:ondrej/apache2 NOT default Ubuntu source.
I am using apache2 as a reverse proxy for the diaspora social network. It appears to only affect this site, and none of the other sites (Mastodon, Peertube, Wordpress, YOURLS, and Friendica to name a few).
On version 2.4.38, I can connect to sites using TLSv1.3 from Firefox and Chrome. If you were to use `curl -v https:/
```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
```
And after updating to 2.4.41:
```
user@comp:~$ curl -v https:/
* Rebuilt URL to: https:/
* Trying pub.lic.ip.adr...
* TCP_NODELAY set
* Connected to diaspora.my.domain (pub.lic.ip.adr) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=diaspora.
* start date: Sep 3 19:43:07 2019 GMT
* expire date: Dec 2 19:43:07 2019 GMT
* subjectAltName: host "diaspora.
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55df26b776b0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: diaspora.my.domain
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
```
Behaviour:
The website will load from cache, then never load. If no cache is used, the website never loads and eventually you get a server is not responding.
affects: | php-console-table (Ubuntu) → apache2 (Ubuntu) |
Hi Daniel,
thanks for the report.
Such things always smell a bit like "intentionally done for security reasons", but then complexity sometimes is so high that one doesn't directly see what is going on and why. I didn't see anything suspicious in your logs, but the fact that it works for the other sites you listed makes me expect a subtle configuration difference.
I subscribed ubuntu-security if this behavior is in any way known or expected to let us know about it.
Since "ppa:ondrej/ apache2" isn't really supported, you with your existing setup quickly check if the official 2.4.41-1ubuntu1 in Ubuntu 19.10 is affected as well?