[Bug 60969] New: HTTP/2 & Certificate path can lead to 421


[Bug 60969] New: HTTP/2 & Certificate path can lead to 421

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60969

            Bug ID: 60969
           Summary: HTTP/2 & Certificate path can lead to 421
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_http2
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

If we set up two virtual hosts using the same certificate but with different paths
for the certificate, Apache sends 421 when browsing between both virtual hosts.
The certificate is for *.mydomain.com.
What is working:
<VirtualHost *:443>
ServerName test1.mydomain.com
SSLEngine on
SSLCertificateFile /home/test1.mydomain.com/ssl.cert
SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>
<VirtualHost *:443>
ServerName test2.mydomain.com
SSLEngine on
SSLCertificateFile /home/test1.mydomain.com/ssl.cert
SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>
What is not working (leads to 421 when navigating between both virtual hosts):
<VirtualHost *:443>
ServerName test1.mydomain.com
SSLEngine on
SSLCertificateFile /home/test1.mydomain.com/ssl.cert
SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>
<VirtualHost *:443>
ServerName test2.mydomain.com
SSLEngine on
SSLCertificateFile /home/test2.mydomain.com/ssl.cert
SSLCertificateKeyFile /home/test2.mydomain.com/ssl.key
SSLCACertificateFile /home/test2.mydomain.com/ssl.ca
</VirtualHost>

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 60969] HTTP/2 & Certificate path can lead to 421

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60969

Jonas Hünig <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Jonas Hünig <[hidden email]> ---
Are there any plans for this? This would help us as well.



[Bug 60969] HTTP/2 & Certificate path can lead to 421

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60969

--- Comment #2 from [hidden email] ---
Also got hit by this.

The most likely culprit is ssl_pk_server_compatible() in
modules/ssl/ssl_engine_kernel.c - it checks for compatibility between vhosts by
comparing the certificate file name instead of the certificate itself.

That leads to a situation where the browser correctly decides (based on the
information available to it, namely the subject alternative names) that it can
reuse the existing connection, but Apache disagrees and returns error 421.

(Some browsers try again as allowed by RFC 7540 section 9.1.2, but some don't and
show the error to the user.)



[Bug 60969] HTTP/2 & Certificate path can lead to 421

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60969

--- Comment #3 from Joe Orton <[hidden email]> ---
Comment 2 looks right. It should be possible to enhance mod_ssl to do that, but
it would be complicated: you'd have to iterate through the configured certs for
the second context and compare them with the currently used cert. And this is a
critical path which has had numerous security issues in the past.

So, nobody is planning to touch it, and it's pretty trivial to adjust your
configuration to avoid the issue in the first place.



[Bug 60969] HTTP/2 & Certificate path can lead to 421

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60969

--- Comment #4 from Jonas Hünig <[hidden email]> ---
The issue is more that you need to know that this configuration will create an
issue.

As most browsers like Firefox and Chrome work on the surface (you see the 421
in the network tab), the website won't work at all with error-prone browsers
like Safari.

Another solution would be to treat this as an invalid configuration and fail on
configcheck here.

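A config check of the kind Comment #4 asks for, built on the content-based comparison that Comment #2 contrasts with the file-name comparison in ssl_pk_server_compatible(). This is an added example, not code from the bug thread or from httpd: it parses a minimal vhost config with a simplified hypothetical parser, fingerprints each SSLCertificateFile by its bytes rather than its path, and flags vhosts on the same listen address that share one certificate under different paths. The config text and the PEM files it writes to a temp directory are constructed placeholders mirroring the reporter's two layouts.

```python
"""Lint Apache vhost configs for the bug 60969 trap: one certificate, two paths."""
import hashlib, os, re, tempfile
from collections import defaultdict

# Simplified parser (assumption: no Include, no nesting); not Apache's own.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLCertificateFile)\s+(\S+)", re.M | re.I)

def parse_vhosts(config_text):
    """Return (listen_spec, server_name, cert_path) for each vhost that sets a cert."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        listen, body = m.group(1).strip(), m.group(2)
        fields = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        if "sslcertificatefile" in fields:
            vhosts.append((listen, fields.get("servername", "?"), fields["sslcertificatefile"]))
    return vhosts

def cert_fingerprint(path):
    """Hash the certificate bytes (what matters for the browser's SAN-based reuse
    decision), not the file name that ssl_pk_server_compatible() compares."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_421_risks(config_text):
    """Report vhosts on one listen spec that share a certificate under more than one
    path: a browser may coalesce them onto one HTTP/2 connection, httpd answers 421."""
    paths_by_key, names_by_key = defaultdict(set), defaultdict(list)
    for listen, name, path in parse_vhosts(config_text):
        key = (listen, cert_fingerprint(path))
        paths_by_key[key].add(path)
        names_by_key[key].append(name)
    return [(sorted(names_by_key[k]), sorted(p)) for k, p in paths_by_key.items() if len(p) > 1]

def build_sample(distinct_paths=True):
    """Constructed sample mirroring the report: True is the failing layout, False the
    working one (both vhosts point at test1's files). The PEM is a placeholder."""
    root = tempfile.mkdtemp()
    pem = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"
    config = ""
    for host in ("test1", "test2"):
        d = os.path.join(root, host + ".mydomain.com")
        os.makedirs(d)
        with open(os.path.join(d, "ssl.cert"), "wb") as f:
            f.write(pem)
        cert_dir = d if distinct_paths else os.path.join(root, "test1.mydomain.com")
        config += ("<VirtualHost *:443>\nServerName %s.mydomain.com\nSSLEngine on\n"
                   "SSLCertificateFile %s/ssl.cert\n</VirtualHost>\n" % (host, cert_dir))
    return config
```

Calling find_421_risks(build_sample()) returns one finding naming test1 and test2 with their two certificate paths, while build_sample(False) (the reporter's working layout) yields no finding.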