Apache2 2.4.41 Causes TLSv1.3 Errors and Disconnects

Bug #1848577 reported by Daniel Doubet
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| apache2 (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

System: Ubuntu 18.04.3 LTS
ppa:ondrej/apache2 NOT default Ubuntu source.

I am using apache2 as a reverse proxy for the diaspora social network. It appears to only affect this site, and none of the other sites (Mastodon, Peertube, Wordpress, YOURLS, and Friendica to name a few).

On version 2.4.38, I can connect to sites using TLSv1.3 from Firefox and Chrome. If you were to use `curl -v https://diaspora.my.domain` you would receive output like:
```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
```
And after updating to 2.4.41:
```
user@comp:~$ curl -v https://diaspora.my.domain
* Rebuilt URL to: https://diaspora.my.domain/
* Trying pub.lic.ip.adr...
* TCP_NODELAY set
* Connected to diaspora.my.domain (pub.lic.ip.adr) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=diaspora.my.domain
* start date: Sep 3 19:43:07 2019 GMT
* expire date: Dec 2 19:43:07 2019 GMT
* subjectAltName: host "diaspora.my.domain" matched cert's "diaspora.my.domain"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55df26b776b0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: diaspora.my.domain
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
```

Behaviour:
The website will load from cache, then never load. If no cache is used, the website never loads and eventually you get a "server is not responding" error.

affects: php-console-table (Ubuntu) → apache2 (Ubuntu)
Christian Ehrhardt (paelzer) wrote:

Hi Daniel,
thanks for the report.

Such things always smell a bit like "intentionally done for security reasons", but then complexity sometimes is so high that one doesn't directly see what is going on and why. I didn't see anything suspicious in your logs, but the fact that it works for the other sites you listed makes me expect a subtle configuration difference.

I subscribed ubuntu-security if this behavior is in any way known or expected to let us know about it.

Since "ppa:ondrej/apache2" isn't really supported, could you, with your existing setup, quickly check if the official 2.4.41-1ubuntu1 in Ubuntu 19.10 is affected as well?
