Mailing List Archive

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59
https://bz.apache.org/bugzilla/show_bug.cgi?id=68863

Thomas Jarosch <thomas.jarosch@intra2net.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |thomas.jarosch@intra2net.com

--- Comment #1 from Thomas Jarosch <thomas.jarosch@intra2net.com> ---
Thanks for the report, I'm also seeing this.

Our automated QA suite for our distro identified the same issue. We
automatically test different ciphers. The DHE ciphers using TLS v1.2 no longer
work since upgrading from 2.4.58 to 2.4.59. Openssl version used is
openssl-1.1.1u here.

ECDHE ciphers still work, just DHE is affected. I've quickly browsed through
the 2.4.58..2.4.59 commits but didn't spot anything obvious. My gut feeling is
that it might be related to the changed openssl initialization, but that's a
wild guess.


This is our cipher configuration; DHE is de-prioritized to come last:

SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #2 from Thomas Jarosch <thomas.jarosch@intra2net.com> ---
"openssl s_client" command to specifically request a DHE cipher:

openssl s_client -state -cipher DHE -tls1_2 -connect HOSTNAME:443

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

Eric Covener <covener@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Version|2.5-HEAD |2.4.59

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #3 from Ruediger Pluem <rpluem@apache.org> ---
Can you please increase the loglevel to debug and provide the output from the
error log when starting apache and during a failed connection?

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #4 from paolo <paolo.ganci@nevis-security.com> ---
Created attachment 39653
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39653&action=edit
Log with ssl:debug enabled

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #5 from paolo <paolo.ganci@nevis-security.com> ---
Hi Ruediger,

I just attached the log you asked for.

Here is the part where the connection fails:

[Mon Apr 08 10:00:13.507966 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01964: Connection to child 5 established (server localhost:44300)
[Mon Apr 08 10:00:13.508210 2024] [ssl:debug] [pid 1597292:tid 140007736858176] ssl_engine_kernel.c(2425): [client 127.0.0.1:37142] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Mon Apr 08 10:00:13.508337 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH02008: SSL library error 1 in handshake (server localhost:44300)
[Mon Apr 08 10:00:13.508357 2024] [ssl:info] [pid 1597292:tid 140007736858176] SSL Library Error: error:0A0000C1:SSL routines::no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate?
[Mon Apr 08 10:00:13.508363 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01998: Connection closed to child 5 with abortive shutdown (server localhost:44300)

Best Regards
Paolo

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #6 from Ruediger Pluem <rpluem@apache.org> ---
Can you please check if the below patch fixes your issue?

Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1916856)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -1346,6 +1346,7 @@
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i;
EVP_PKEY *pkey;
+ int done = 0;
#ifdef HAVE_ECC
EC_GROUP *ecgroup = NULL;
int curve_nid = 0;
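Review bot: nothing in these hunks shows `done` being set to 1 after it is hoisted to function scope here; the later `if (!done)` only stops auto-DH from being enabled on top of explicitly loaded parameters if every path that installs parameters from `certfile` sets `done = 1`, including the OpenSSL 3 path that sits behind the `#if OPENSSL_VERSION_NUMBER < 0x30000000L` branch in the second hunk. Worth re-checking both branches before backport, and a short comment on the declaration (e.g. `int done = 0; /* explicit DH params installed */`) would document what the flag now means across the whole function rather than just one block.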
@@ -1518,7 +1519,7 @@
*/
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
if (certfile && !modssl_is_engine_id(certfile)) {
- int done = 0, num_bits = 0;
+ int num_bits = 0;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
DH *dh = modssl_dh_from_file(certfile);
if (dh) {
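Review bot: with `done` no longer local to the `if (certfile && !modssl_is_engine_id(certfile))` block, the flag also stays 0 when `certfile` is an engine id or absent, so those configurations fall through to the auto-DH branch below exactly as the old `else` did for them. That is the intended behaviour, but it is now implicit: `num_bits` keeps its block-local initialisation while `done` moved out, which reads as an oversight to the next reader. A one-line comment here saying that `done` deliberately outlives this block would prevent someone moving it back in during a later cleanup.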
@@ -1546,7 +1547,7 @@
}
}
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
- else {
+ if (!done) {
/* If no parameter is manually configured, enable auto
* selection. */
SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
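Review bot: the `if (!done)` branch should log at debug level that automatic DH parameter selection is in effect (and the explicit branch should log the loaded `num_bits`), because the failure this fixes was invisible in the logs: the old `else` paired with `if (certfile && !modssl_is_engine_id(certfile))`, so a certificate file that exists but carries no DH parameters took neither branch and the SSL_CTX ended up with no DH group at all, and the only trace in the ssl:debug log attached to this bug is OpenSSL's generic `no shared cipher`. Please also confirm whether OpenSSL honours an explicitly set temp DH when dh_auto is enabled as well; if it does not, the `!done` guard is load-bearing rather than cosmetic and deserves a comment saying so. Note that the `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` guard means a pre-1.1 OpenSSL with no embedded parameters still gets no DH group at all, same as before this patch.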

Can you check if adding explicit DH parameters (created via openssl dhparam
2048) to your certificate file fixes the issue with and without patch?

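The workaround Ruediger asks about above, as an added shell example that is not code from the bug report or from httpd: it generates 2048-bit DH parameters and merges them into the file configured as SSLCertificateFile, which is the file the patch context shows mod_ssl passing to modssl_dh_from_file(). The file paths are placeholders, the PEM bodies used for the offline check are constructed, and the append is made idempotent because a repeated run that stacks several DH blocks into the certificate file is an easy mistake to make on a fleet.

```sh
#!/bin/sh
# Workaround from comment #6 for an unpatched httpd 2.4.59: embed explicit
# DH parameters in the file configured as SSLCertificateFile, which is the
# file mod_ssl hands to modssl_dh_from_file() in the patch context above.
# Added example, not code from the bug report or from httpd. The file paths
# below are placeholders.

DH_BEGIN='-----BEGIN DH PARAMETERS-----'
DH_END='-----END DH PARAMETERS-----'

# Print how many "DH PARAMETERS" PEM blocks a file contains (0 if it has
# none or does not exist).
count_dh_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -e "$DH_BEGIN" "$1" || true
}

# Print just the DH PARAMETERS block of a combined PEM file, so it can be
# validated independently of the certificate and key blocks around it.
extract_dh_block() {
    sed -n "/^$DH_BEGIN\$/,/^$DH_END\$/p" "$1"
}

# Append the DH parameters to the certificate file exactly once. Refuses to
# run if the certificate file already carries DH parameters (repeated runs
# must not stack several blocks) or if the DH file is not a single block.
append_dh_params() {
    cert=$1
    dh=$2
    if [ "$(count_dh_blocks "$cert")" -ne 0 ]; then
        echo "$cert already contains DH parameters; nothing to do" >&2
        return 1
    fi
    if [ "$(count_dh_blocks "$dh")" -ne 1 ]; then
        echo "$dh must contain exactly one DH PARAMETERS block" >&2
        return 1
    fi
    # A certificate file without a trailing newline would otherwise glue
    # "-----END CERTIFICATE----------BEGIN DH PARAMETERS-----" together.
    [ -z "$(tail -c 1 "$cert")" ] || echo >> "$cert"
    cat "$dh" >> "$cert"
}

# End-to-end: generate a 2048-bit group (slow, often a minute or more),
# merge it into the certificate file and let OpenSSL validate what was
# written (prints the check result and the parameter size). Restart httpd
# afterwards; the certificate file is only read when the server starts.
install_dh_workaround() {
    cert=$1
    dh=${2:-/tmp/dh2048.pem}          # placeholder path
    openssl dhparam -out "$dh" 2048 || return 1
    append_dh_params "$cert" "$dh" || return 1
    extract_dh_block "$cert" | openssl dhparam -noout -check -text
}
```

Only the first SSLCertificateFile is consulted (the patch context indexes `cert_files` at 0), so on a host with both an RSA and an ECDSA certificate the parameters must go into the first one listed. The same effect can be had without touching the certificate file through mod_ssl's documented `SSLOpenSSLConfCmd DHParameters "/path/to/dh2048.pem"` directive. Either way, verify the result from the outside with the forced-DHE s_client probe from comment #2 rather than trusting the config test.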
[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

Ruediger Pluem <rpluem@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #7 from paolo <paolo.ganci@nevis-security.com> ---
Hi Ruediger,

> Can you please check if the below patch fixes your issue?

yes, it does.



> Can you check if adding explicit DH parameters (created via openssl dhparam 2048) to your certificate file fixes the issue with and without patch?

Yes, adding the DH parameters to the certificate file works with and without
the patch.

Many thanks

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

paolo <paolo.ganci@nevis-security.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #8 from Thomas Jarosch <thomas.jarosch@intra2net.com> ---
(In reply to Ruediger Pluem from comment #6)
> Can you please check if the below patch fixes your issue?

I can also confirm that the patch fixes the issue on openssl 1.1.1. Our openssl-related
tests PASS using the patched httpd. The test also verifies the DHE
prime length is at least 2048 bits.

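The forced-DHE probe from comment #2 and the "prime length is at least 2048 bits" check from comment #8, as an added shell example that is not code from the bug report or from either poster's QA suite. It matters because, with ECDHE and TLS 1.3 ahead of DHE in the SSLCipherSuite from comment #1, ordinary clients never exercise DHE and the 2.4.59 regression stays invisible unless a probe forces it. The sample s_client output embedded below is constructed, and the host and port are whatever you pass in.

```sh
#!/bin/sh
# Probe a server for DHE key exchange on TLS 1.2 and report the size of the
# ephemeral DH prime it offers. Added example, not code from the bug report:
# it wraps the s_client invocation from comment #2 and performs the
# "prime length is at least 2048 bits" check described in comment #8.
# Because ECDHE sits first in the SSLCipherSuite above, ordinary clients
# never touch DHE, so the probe has to force it with -cipher DHE.

MIN_DH_BITS=2048

# Constructed excerpt of s_client output (not a real capture) for offline
# exercise of the parser; real output has many more lines around it.
SAMPLE_DHE_OUTPUT='Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

# Read "openssl s_client" output on stdin and print the DH prime length.
# After a successful DHE handshake s_client prints a line of the form
# "Server Temp Key: DH, 2048 bits"; an ECDHE handshake prints e.g.
# "Server Temp Key: X25519, 253 bits" and a failed handshake prints no such
# line, so this prints nothing in both of those cases.
parse_dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Map a prime length to a verdict: "ok" (>= MIN_DH_BITS), "weak", or
# "none" (no DHE handshake at all, which is exactly the 2.4.59 symptom).
classify_dh_bits() {
    if [ -z "$1" ]; then
        echo none
    elif [ "$1" -ge "$MIN_DH_BITS" ]; then
        echo ok
    else
        echo weak
    fi
}

# Connect to host[:port], forcing a DHE cipher on TLS 1.2 so that neither
# ECDHE nor TLS 1.3 can mask a broken DHE configuration, and print a verdict.
# Run with "LogLevel ssl:debug" on the server to see the matching AH02008
# line for a failed attempt. Exit status is 0 only for an "ok" verdict.
probe_dhe() {
    host=$1
    port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -cipher DHE -tls1_2 -state \
              -servername "$host" -connect "$host:$port" 2>&1)
    bits=$(printf '%s\n' "$out" | parse_dh_bits)
    verdict=$(classify_dh_bits "$bits")
    if [ "$verdict" = none ]; then
        # Surface the alert or error line for triage, e.g. "handshake failure".
        printf '%s\n' "$out" | grep -i -e alert -e error | head -n 1 >&2
    fi
    echo "$host:$port DHE/TLS1.2: $verdict${bits:+ ($bits bits)}"
    [ "$verdict" = ok ]
}
```

Against an unpatched 2.4.59 whose certificate file has no embedded DH parameters, `probe_dhe HOSTNAME` reports `none` and the server-side log shows the AH02008 / `no shared cipher` pair from comment #5; after the patch or the dhparam workaround it reports `ok (2048 bits)`. The probe passes `-servername` because the attached log shows the server falling back to the default virtual host when no SNI is sent, which can pick a different certificate file than the one you fixed.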
[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

Ruediger Pluem <rpluem@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk, PatchAvailable

--- Comment #9 from Ruediger Pluem <rpluem@apache.org> ---
Committed r1916863 to trunk.

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #10 from Thomas Jarosch <thomas.jarosch@intra2net.com> ---
Thanks for the quick fix, Ruediger!

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #11 from paolo <paolo.ganci@nevis-security.com> ---
Hi Ruediger,

many thanks for the fix. When do you plan a new httpd containing this fix?

[Bug 68863] Requests using a DH-key of 2048 bytes are blocked since httpd/2.4.59

--- Comment #12 from Ruediger Pluem <rpluem@apache.org> ---
Proposed for backport as r1917010.
