[Bug 1833039] Re: 18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1

Andreas Hasenack andreas at canonical.com
Fri Jul 5 14:00:26 UTC 2019


bionic verification

Confirming the bug with the distro packages:
# apt-cache policy apache2
apache2:
  Installed: 2.4.29-1ubuntu4.6
  Candidate: 2.4.29-1ubuntu4.6
  Version table:
 *** 2.4.29-1ubuntu4.6 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

index is downloaded, but after a long time:
root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10918  100 10918    0     0    705      0  0:00:15  0:00:15 --:--:--  2559
root@ubuntu:~# ll index.html
-rw-r--r-- 1 root root 10918 Jul  5 13:28 index.html

apache error log shows reqtimeout kicking in:
[Fri Jul 05 13:28:20.265457 2019] [reqtimeout:info] [pid 1760:tid 139887202260736] [client 10.0.100.235:34764] AH01382: Request body read timeout

access log confirms the client certificate was used:
10.0.100.235 - - [05/Jul/2019:13:28:04 +0000] "GET / HTTP/1.1" 200 16544 "-" "curl/7.58.0" protocol=TLSv1.2 commonName=client-auth

With the updated package:
 *** 2.4.29-1ubuntu4.7 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

The download is immediate:
root@ubuntu:~# rm index.html
root@ubuntu:~# curl --output index.html https://ubuntu/ --cacert /etc/apache2/cacert.pem --cert client-auth.pem --key client-auth.key --tlsv1.2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10918  100 10918    0     0   969k      0 --:--:-- --:--:-- --:--:--  969k
root@ubuntu:~# ll index.html
-rw-r--r-- 1 root root 10918 Jul  5 13:32 index.html

bionic verification succeeded


** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1833039
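
An added example, not part of the original message or of the Ubuntu/Apache tooling: a Python sketch that correlates the two log signatures shown above (an AH01382 reqtimeout entry and a client-certificate request from the same address) to find the same stall in other logs. The second access entry, the 30-second window and the assumption that both logs are in UTC are not from the message.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input in the formats shown in the message above.
# The second access entry is made up to represent a request with no stall.
ERROR_LOG = [
    "[Fri Jul 05 13:28:20.265457 2019] [reqtimeout:info] [pid 1760:tid 139887202260736] "
    "[client 10.0.100.235:34764] AH01382: Request body read timeout",
]
ACCESS_LOG = [
    '10.0.100.235 - - [05/Jul/2019:13:28:04 +0000] "GET / HTTP/1.1" 200 16544 "-" '
    '"curl/7.58.0" protocol=TLSv1.2 commonName=client-auth',
    '10.0.100.235 - - [05/Jul/2019:13:32:01 +0000] "GET / HTTP/1.1" 200 16544 "-" '
    '"curl/7.58.0" protocol=TLSv1.2 commonName=client-auth',
]

ERR_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:]+)\.\d+ (\d{4})\] \[reqtimeout:\w+\] "
                    r".*?\[client ([\d.]+):\d+\] AH01382")
ACC_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) '
                    r'.* protocol=(\S+) commonName=(\S+)$')

def stalled_client_cert_requests(access_lines, error_lines,
                                 window=timedelta(seconds=30)):
    """Return client-cert requests followed by AH01382 from the same IP within window.

    Heuristic only: AH01382 can have other causes, so a hit is a lead to check
    against the package version, not proof of the renegotiation problem.
    """
    timeouts = []
    for line in error_lines:
        m = ERR_RE.match(line)
        if m:  # error log has no UTC offset; assumed to be UTC here
            when = datetime.strptime(f"{m[1]} {m[2]}", "%a %b %d %H:%M:%S %Y")
            timeouts.append((m[3], when))
    hits = []
    for line in access_lines:
        m = ACC_RE.match(line)
        if not m or m[6] == "-":  # "-" means no client certificate was presented
            continue
        start = (datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
                 .astimezone(timezone.utc).replace(tzinfo=None))
        for ip, when in timeouts:
            if ip == m[1] and timedelta(0) <= when - start <= window:
                hits.append({"client": ip, "cn": m[6], "protocol": m[5],
                             "delay_s": int((when - start).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in stalled_client_cert_requests(ACCESS_LOG, ERROR_LOG):
        print(hit)
```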
