Ubuntu
apache2 package

Merge ~ahasenack/ubuntu/+source/apache2:cosmic-client-cert-auth-fix into ubuntu/+source/apache2:ubuntu/cosmic-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/apache2
  3. cosmic-client-cert-auth-fix
  4. Merge into ubuntu/cosmic-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 01570eebd1b21cf3f2d510584c70c387e2759be4
Merge reported by: Andreas Hasenack
Merged at revision: de1b0129e46a8ba1cbf7a9ca4d0c304af9263173
Proposed branch: ~ahasenack/ubuntu/+source/apache2:cosmic-client-cert-auth-fix
Merge into: ubuntu/+source/apache2:ubuntu/cosmic-devel
Diff against target: 71 lines (+49/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/disable-ssl-1.1.1-auto-retry.patch (+41/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Bryce Harrington (community) Approve
Christian Ehrhardt  (community) Needs Fixing
Dimitri John Ledkov Pending
Canonical Server Pending
Review via email: mp+369541@code.launchpad.net

Description of the change

PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-1833039

sudo add-apt-repository ppa:ahasenack/apache2-client-cert-1833039 -y -u

The bug has the SRU template filled out, including a test case. It may sound daunting at first, but the certificates are all pre-made and are attached to the bug.

About the actual patch, I kept it as "upstream" as possible, just removing the hunk that is not needed to fix this bug. I therefore made no backport claim, but I did change the patch by removing that hunk and its explanation. It applies, but is unneeded as far as I can tell (only relevant for TLSv1.3). If you feel I should keep it as well, or change the patch to be an actual backport (and therefore refresh it, remove diff noise, apply all our dep3 header lines, etc), please let me know.

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I think the choice on the removed hunk without refresh is fine.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For whatever reason the description in this patch misses a "w" (not int he other branch).
"that was kept" vs "that as kept"

review: Needs Fixing
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Patch LGTM +1, but I have no time to give it a try.
If someone else could to give this a full ack then that would be great.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for catching that typo, it shows I forgot to push this branch and what is in lp is stale.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

DEP8 tests passed:
$ tail -n 20 dep8-cosmic/log
+ a2enconf chroot
Enabling conf chroot.
To activate the new configuration, you need to run:
  systemctl reload apache2
+ echo Hello, world!
+ service apache2 restart
+ wget -qO- http://localhost/hello.txt
+ result=Hello, world!
+ [ Hello, world! != Hello, world! ]
autopkgtest [17:58:28]: test chroot: -----------------------]
autopkgtest [17:58:29]: test chroot: - - - - - - - - - - results - - - - - - - - - -
chroot PASS
autopkgtest [17:58:29]: @@@@@@@@@@@@@@@@@@@@ summary
run-test-suite PASS
duplicate-module-load PASS
htcacheclean PASS
default-mods PASS
ssl-passphrase PASS
check-http2 PASS
chroot PASS

Revision history for this message
Bryce Harrington (bryce) wrote :

Review comments & testing log on MR #369542 (bionic).

I don't see the spelling error Christian mentioned, just the 'availabe' one, so presuming this is the up to date version.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Fixed the same typo as in the bionic branch ("availabe")

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for the reviews and testing, tagged and uploaded:
$ git push pkg upload/2.4.34-1ubuntu2.2
Enumerating objects: 22, done.
Counting objects: 100% (22/22), done.
Delta compression using up to 2 threads
Compressing objects: 100% (13/13), done.
Writing objects: 100% (14/14), 2.37 KiB | 39.00 KiB/s, done.
Total 14 (delta 10), reused 1 (delta 1)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/apache2
 * [new tag] upload/2.4.34-1ubuntu2.2 -> upload/2.4.34-1ubuntu2.2

$ dput ubuntu ../apache2_2.4.34-1ubuntu2.2_source.changes
Checking signature on .changes
gpg: ../apache2_2.4.34-1ubuntu2.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../apache2_2.4.34-1ubuntu2.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.34-1ubuntu2.2.dsc: done.
  Uploading apache2_2.4.34-1ubuntu2.2.debian.tar.xz: done.
  Uploading apache2_2.4.34-1ubuntu2.2_source.buildinfo: done.
  Uploading apache2_2.4.34-1ubuntu2.2_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This was released already.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 8a4eeda..358d940 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+apache2 (2.4.34-1ubuntu2.2) cosmic; urgency=medium
7+
8+ * d/p/disable-ssl-1.1.1-auto-retry.patch: fix client certificate
9+ authentication when built with openssl 1.1.1 (LP: #1833039)
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Fri, 28 Jun 2019 17:41:48 -0300
12+
13 apache2 (2.4.34-1ubuntu2.1) cosmic-security; urgency=medium
14
15 * SECURITY UPDATE: slowloris DoS in mod_http2
16diff --git a/debian/patches/disable-ssl-1.1.1-auto-retry.patch b/debian/patches/disable-ssl-1.1.1-auto-retry.patch
17new file mode 100644
18index 0000000..3465113
19--- /dev/null
20+++ b/debian/patches/disable-ssl-1.1.1-auto-retry.patch
21@@ -0,0 +1,41 @@
22+From bbedd8b80e50647e09f2937455cc57565d94a844 Mon Sep 17 00:00:00 2001
23+From: Joe Orton <jorton@apache.org>
24+Date: Wed, 12 Sep 2018 15:54:59 +0000
25+Subject: [PATCH] Merge r1840710 from trunk:
26+
27+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
28+ Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
29+ post-handshake authentication.
30+
31+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840711 13f79535-47bb-0310-9956-ffa450edef68
32+---
33+ modules/ssl/ssl_engine_init.c | 14 ++++++++++++++
34+ 1 file changed, 14 insertions(+)
35+
36+ Ubuntu note: the second hunk of the patch, modifying ssl_init_proxy_certs(),
37+ was dropped from this patch because the post-handshake authentication is only
38+ available in TLSv1.3, which is not available in this version of Apache. The hunk
39+ that was kept does affect TLSv1.2, however.
40+
41+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1833039
42+Origin: upstream, https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a844
43+Last-Update: 2019-06-28
44+
45+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
46+index 85d43376b2a..b7b2be796c2 100644
47+--- a/modules/ssl/ssl_engine_init.c
48++++ b/modules/ssl/ssl_engine_init.c
49+@@ -761,6 +761,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
50+ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
51+ #endif
52+
53++#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
54++ /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible
55++ * to consume handshake records without blocking for app-data.
56++ * https://github.com/openssl/openssl/issues/7178 */
57++ SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
58++#endif
59++
60+ return APR_SUCCESS;
61+ }
62+
63diff --git a/debian/patches/series b/debian/patches/series
64index 32c4a86..a9024fe 100644
65--- a/debian/patches/series
66+++ b/debian/patches/series
67@@ -21,3 +21,4 @@ CVE-2019-0217.patch
68 CVE-2019-0220-1.patch
69 CVE-2019-0220-2.patch
70 CVE-2019-0220-3.patch
71+disable-ssl-1.1.1-auto-retry.patch

Subscribers

People subscribed via source and target branches