Created attachment 39648 [details] The SSLCertificateFile and SSLCertificateKeyFile After upgrading from httpd/2.4.58 to httpd/2.4.59 servers using a DH certificate with a key size of 2048 bytes may not work any more. I've got the following ssl configuration: SSLEngine On SSLProtocol -all +TLSv1.2 +TLSv1.3 SSLCipherSuite DH:!EXPORT56:RC4-MD5:DES-CBC3-SHA:EXP-RC4-MD5 SSLOptions +OptRenegotiate +StdEnvVars SSLCertificateFile /home/paolo/test/server/keystore/test_2048.pem SSLCertificateKeyFile /home/paolo/test/server/keystore/test_2048Key.pem SSLInsecureRenegotiation off SSLHonorCipherOrder on SSLSessionTickets off The OpenSSL version is OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) When starting apache with httpd/2.4.58 and connecting to it via openssl s_client I get this: openssl s_client -tls1_2 -connect localhost:44300 ... 0:<Server certificate 0:<-----BEGIN CERTIFICATE----- 0:<MIIDODCCAiCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQGEwJDSDAe 0:<Fw0yNDA0MDUwODIzNTBaFw0yOTA0MDUwODIzNTBaMBgxFjAUBgNVBAMMDVNpbXBs 0:<ZVRlc3RSZXEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4qi13ZjCg 0:<nCESwyFmRmsq+qEtyxtq3J4vXU6mrGAvU8uq4xsdO//nxtHGvSDfiOHM2+id+NUF 0:<9Bn0PurGsGngzsSqTXzRR8nEa1AYklRkxxWl2s+4Zh5m4Lm4ifACs8fBitBDfVgV 0:<gcYx5+EHPKfbk9RIMeRAidC4EFqRiur9wDLxRPsnSyfpU/lfaHIK+GOYWvh8t4Dy 0:<iVwIC+21CezIG3IzKfAVDQ6eD+TD5VfsjK9zN1F/7D3en0Xdwkm0UAwjfg6jMX6v 0:<dAWkL0x7H0l9KNOTzKW7V9zkFR23+QRWHcvj7R8UTmDPw97kRDBeccfUN5PxsCor 0:<KWOGSRRbr6yjAgMBAAGjgZcwgZQwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC 0:<BsAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRg2+404TZzjbiZHaQ/lQBFCmg2gzBI 0:<BgNVHSMEQTA/gBRqPOYH/lexZ/vZ7u81zWU1vUvmYaERpA8wDTELMAkGA1UEBhMC 0:<Q0iCFBKEUv96DWJaCMf07DQb3qlaVsa1MA0GCSqGSIb3DQEBCwUAA4IBAQByukU1 0:<awslcvaPgVCaZi78Ch4KTPPMyKBlNkTE4Z1XQvoAbNXHrJvebloZ5Dro2yidjCq0 0:<FKqx0J6bY1xIIf+E/qHqsj5xcKr5RrE43PKpMLxc39zuGeXAf92BMHK+SwVctd9p 0:<ZZeB0ISp2hz4BYb2DGXOt+76bnAutnXQ9L5XAxMk3v75V1DaodqfRUZbTbiny0bB 0:<HD9HLFcKB+HRVXvfAOMBMl9yiz4NokUyUgbF6XJeh9H7JMuz4ZojJkz0ezzVhW/4 0:<t9B6lMcp9rOvNV6ZycgD8U/ToIgtRuCdvSmPCkhA+rCxUCRibra7BZW0rREZFSgo 0:<VA5KodiOcwsisSBd 0:<-----END CERTIFICATE----- 0:<subject=CN = SimpleTestReq 0:<issuer=C = CH 0:<--- 0:<No client certificate CA names sent 0:<Peer signing digest: SHA256 0:<Peer signature type: RSA-PSS 0:<Server Temp Key: DH, 2048 bits 0:<--- 0:<SSL handshake has read 1749 bytes and written 506 bytes 0:<Verification error: unable to verify the first certificate 0:<--- 0:<New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384 0:<Server public key is 2048 bit 0:<Secure Renegotiation IS supported 0:<No ALPN negotiated 0:<SSL-Session: 0:< Protocol : TLSv1.2 0:< Cipher : DHE-RSA-AES256-GCM-SHA384 0:< Session-ID: 0:< Session-ID-ctx: 0:< Master-Key: 98175FDC64B521BE80F5893CB0A46A066941454165A03F6BA3862E797E80BC4EFA1BBBD70304FCDD63C717D778C9B66F 0:< PSK identity: None 0:< PSK identity hint: None 0:< SRP username: None 0:< Start Time: 1712317986 0:< Timeout : 7200 (sec) 0:< Verify return code: 21 (unable to verify the first certificate) 0:< Extended master secret: yes 0:<--- OK ... But when starting httpd/2.4.59, the connection fails: openssl s_client -tls1_2 -connect localhost:44300 ... 0:<--- 0:<no peer certificate available 0:<--- 0:<No client certificate CA names sent 0:<--- 0:<SSL handshake has read 7 bytes and written 188 bytes 0:<Verification: OK 0:<--- 0:<New, (NONE), Cipher is (NONE) 0:<Secure Renegotiation IS NOT supported 0:<No ALPN negotiated 0:<SSL-Session: 0:< Protocol : TLSv1.2 0:< Cipher : 0000 0:< Session-ID: 0:< Session-ID-ctx: 0:< Master-Key: 0:< PSK identity: None 0:< PSK identity hint: None 0:< SRP username: None 0:< Start Time: 1712320231 0:< Timeout : 7200 (sec) 0:< Verify return code: 0 (ok) 0:< Extended master secret: no 0:<--- ... The issue can be easily reproduced with the attached key and certificate. Many thanks for fixing this issue. PS: a small side note. When starting the server via openssl_s_server: openssl s_server -port 44300 -cert /home/paolo/test/server/keystore/test_2048.pem -key /home/paolo/test/server/keystore/test_2048Key.pem -cipher 'DH:!EXPORT56:RC4-MD5:DES-CBC3-SHA:EXP-RC4-MD5' Then the output of the openssl s_client command is the same like when using httpd/2.4.58.
Thanks for the report, I'm also seeing this. Our automated QA suite for our distro identified the same issue. We automatically test different ciphers. The DHE ciphers using TLS v1.2 no longer work since upgrading from 2.4.58 to 2.4.59. Openssl version used is openssl-1.1.1u here. ECDHE ciphers still work, just DHE is affected. I've quickly browsed through the 2.4.58..2.4.59 commits but didn't spot anything obvious. My gut feeling is that it might be related to the changed openssl initialization, but that's a wild guess. This is our cipher configuration, DHE is de-prioritized to come last: SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 SSLProtocol -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
"openssl s_client" command to specifically request a DHE cipher: openssl s_client -state -cipher DHE -tls1_2 -connect HOSTNAME:443
Can you please increase the loglevel to debug and provide the output from the error log when starting apache and during a failed connection?
Created attachment 39653 [details] Log wit ssl:debug enabled
Hi Ruediger, I just attached the log you asked. Here part where the connection fails: [Mon Apr 08 10:00:13.507966 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01964: Connection to child 5 established (server localhost:44300) [Mon Apr 08 10:00:13.508210 2024] [ssl:debug] [pid 1597292:tid 140007736858176] ssl_engine_kernel.c(2425): [client 127.0.0.1:37142] AH02645: Server name not provided via TLS extension (using default/first virtual host) [Mon Apr 08 10:00:13.508337 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH02008: SSL library error 1 in handshake (server localhost:44300) [Mon Apr 08 10:00:13.508357 2024] [ssl:info] [pid 1597292:tid 140007736858176] SSL Library Error: error:0A0000C1:SSL routines::no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate? [Mon Apr 08 10:00:13.508363 2024] [ssl:info] [pid 1597292:tid 140007736858176] [client 127.0.0.1:37142] AH01998: Connection closed to child 5 with abortive shutdown (server localhost:44300) Best Regards Paolo
Can you please check if the below patch fixes your issue? Index: modules/ssl/ssl_engine_init.c =================================================================== --- modules/ssl/ssl_engine_init.c (revision 1916856) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -1346,6 +1346,7 @@ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; int i; EVP_PKEY *pkey; + int done = 0; #ifdef HAVE_ECC EC_GROUP *ecgroup = NULL; int curve_nid = 0; @@ -1518,7 +1519,7 @@ */ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); if (certfile && !modssl_is_engine_id(certfile)) { - int done = 0, num_bits = 0; + int num_bits = 0; #if OPENSSL_VERSION_NUMBER < 0x30000000L DH *dh = modssl_dh_from_file(certfile); if (dh) { @@ -1546,7 +1547,7 @@ } } #if !MODSSL_USE_OPENSSL_PRE_1_1_API - else { + if (!done) { /* If no parameter is manually configured, enable auto * selection. */ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); Can you check if adding explicit DH parameters (created via openssl dhparam 2048) to your certificate file fixes the issue with and without patch?
Hi Ruediger, > Can you please check if the below patch fixes your issue? yes, it does. > Can you check if adding explicit DH parameters (created via openssl dhparam 2048) to your certificate file fixes the issue with and without patch? Yes, adding the DH parameters to the certificate file works with and without the patch Many thanks
(In reply to Ruediger Pluem from comment #6) > Can you please check if the below patch fixes your issue? I can also confirm that the patch fixes the issue on openssl 1.1.1. Our openssl related tests PASS using the patched httpd. The test also verifies the DHE prime length is at least 2048 bits.
Committed r1916863 to trunk.
thanks for the quick fix, Ruediger!
Hi Ruediger, many thanks for the fix. When do you plan a new httpd containing this fix?
Proposed for backport as r1917010.