apache2 doesn't compare SNI hostname against Host header case-insensitively

Bug #1298273 reported by Ritesh Khadgaray
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Apache2 Web Server | Unknown | Unknown | |
apache2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Medium | Unassigned |

Bug Description

[Impact]
Landscape client registration fails with the following apache error message.
[Wed Mar 26 15:44:29 2014] [error] Hostname P122C-0-0-15680 provided via SNI and hostname p122c-0-0-15680 provided via HTTP are different.

It is because apache2 doesn't compare SNI hostname against Host header case-insensitively.
apache2 rejects the connection request and returns a 400 error code when the SNI doesn't match the requested hostname.
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Therefore Landscape client registration failed.

- Precise 12.04 LTS
- apache2 : 2.2.22-1ubuntu1.4

[Test Case]
How reproducible is the problem?
( easily with the test case, intermittent, on every boot, etc)

 1. Create self-signed SSL certificate file with upper case hostname
 2. curl https://hostname/message-system --cacert xxxx
     a. Actual Results - apache returns 400 Bad request error.
     b. Expected Results - apache should return 200

[Regression Potential]
none, this has been merged into upstream and well tested.

[Other Info]
The same issue has been reported to apache upstream and the bug fix was applied on Aug 19 2013.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49491
It looks like this patch is not applied to apache2 package for precise yet.
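
The comparison this report is about, as an added example (not the Apache source and not the patch attached to this bug): a byte-exact match rejects the two hostname pairs from the error logs, an ASCII case-insensitive match accepts them, and a genuinely different name is still rejected. The function names are hypothetical, and the `:port` and bracketed-IPv6 handling goes beyond the report as an assumption about the Host header value.

```c
#include <stdio.h>
#include <string.h>

/* Fold ASCII only, so the result does not depend on the process locale. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Length of the host part of a Host header value, without an optional
 * ":port"; a bracketed IPv6 literal is kept up to its closing bracket. */
static size_t host_part_len(const char *host)
{
    const char *end = (host[0] == '[') ? strchr(host, ']') : NULL;
    if (end != NULL)
        return (size_t)(end - host) + 1;
    end = strchr(host, ':');
    return end ? (size_t)(end - host) : strlen(host);
}

/* Returns 1 when the SNI name and the Host header name the same host.
 * nocase = 0 is the byte-exact behaviour from the report, 1 the fixed one. */
int sni_matches_host(const char *sni, const char *host, int nocase)
{
    size_t n = host_part_len(host);
    if (strlen(sni) != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char a = (unsigned char)sni[i], b = (unsigned char)host[i];
        if (nocase ? ascii_lower(a) != ascii_lower(b) : a != b)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* First two pairs are from the report's log lines; the third is constructed. */
    const char *pairs[][2] = {
        { "P122C-0-0-15680", "p122c-0-0-15680" },
        { "ldsserver.canonical.COM", "ldsserver.canonical.com" },
        { "ldsserver.canonical.com", "other.example" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%s / %s: strict=%d nocase=%d\n", pairs[i][0], pairs[i][1],
               sni_matches_host(pairs[i][0], pairs[i][1], 0) ? 200 : 400,
               sni_matches_host(pairs[i][0], pairs[i][1], 1) ? 200 : 400);
    return 0;
}
```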

Robie Basak (racb) wrote :

@Ritesh

Thank you for the patch. Please could you confirm that this is verified fixed in Trusty?

Robie Basak (racb) wrote :

Review note: the patch looks good (I've not tested), but can you add dep-3 headers to the quilt patch in the debdiff, please, so that it can be traced back to this bug?

Ritesh Khadgaray (khadgaray) wrote :

@racb

  This fix is in trusty. This patch has been tested by the customer, and I am able to successfully build against this patch. I have added dep3 header (I hope correctly).

Ritesh Khadgaray (khadgaray) wrote :
Robie Basak (racb) wrote :

Looks good - thanks. I made a couple of minor tweaks in the dep3 headers, attached. I've also build tested this and I think it's fine to upload, but it turns out I don't have permission (though I think I should). Probably not worth bothering the DMB about, but I'll chase this and get it sponsored.

Robie Basak (racb) wrote :

Now in precise queue awaiting SRU team approval. Thanks Chuck! Unsubscribed ~ubuntu-sponsors.

C de-Avillez (hggdh2) wrote :

approved nomination for Precise, setting Ubuntu task as fix-released (works on Trusty)

Changed in apache2 (Ubuntu):
status: New → Fix Released
Robie Basak (racb)
Changed in apache2 (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Chris J Arges (arges) wrote :

Subscribed ~ubuntu-sru to this bug.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Ritesh, or anyone else affected,

Accepted apache2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apache2 (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Chris J Arges (arges) wrote :

This was verified by @janghoon:

I verified this bug on my test environment and the new package 2.2.22-1ubuntu1.6 fixed this bug.

Apache2-2.2.22-1ubuntu1.5
janghoon@ldsserver:/var/log/apache2$ dpkg -l | grep apache2
ii apache2 2.2.22-1ubuntu1.5 Apache HTTP Server metapackage

janghoon@lds-client:~$ sudo curl https://ldsserver.canonical.COM/message-system --cacert /etc/landscape/landscape_server_ca.crt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at ldsserver.canonical.com Port 443</address>
</body></html>

In the apache error log:
[Wed May 07 18:47:57 2014] [error] Hostname ldsserver.canonical.COM provided via SNI and hostname ldsserver.canonical.com provided via HTTP are different

==============================
Apache2-2.2.22-1ubuntu1.6
janghoon@ldsserver:/var/log/apache2$ dpkg -l | grep apache2
ii apache2 2.2.22-1ubuntu1.6 Apache HTTP Server metapackage

janghoon@lds-client:~$ sudo curl https://ldsserver.canonical.COM/message-system --cacert /etc/landscape/landscape_server_ca.crt
No error returned.

I verified Apache2-2.2.22-1ubuntu1.6 uses case-insensitive comparison.

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for apache2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.22-1ubuntu1.6

---------------
apache2 (2.2.22-1ubuntu1.6) precise; urgency=low

  * debian/patches/sni.patch:
    - apache2 doesn't compare SNI hostname against Host header
      case-insensitively (lp: #1298273)
 -- Ritesh Khadgaray <email address hidden> Thu, 27 Mar 2014 15:06:16 +0530

Changed in apache2 (Ubuntu Precise):
status: Fix Committed → Fix Released