Re: Re: Apache2 certificate authentication

On Tue, Jul 25, 2023 at 2:46 PM Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:

[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error: error:0A000117:SSL routines::extension not received
 
This has nothing to do with your certificates, but with TLS protocol.

This is TLSv1.3, no doubt. You just have to go to "about:config" in Firefox and enable post-handshake authentication; that's why Apache is telling you that the extension is not being received, as in Firefox not sending it (look for the "handshake" keyword).

When a directory configuration is different from general TLS configuration, such as when requiring a certificate in a subdirectory, a renegotiation occurs.

Being TLSv1.3, browsers such as Firefox have it disabled by default. If your Apache server only allows TLSv1.2 you won't have this issue. As for the reason why browsers are doing this, I can't remember exactly what it is; a Google search should shed some light, I guess.

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

The issue is discussed here...

https://stackoverflow.com/questions/73590620/delayed-certificate-in-tls-1-3

It references RFC 8446...
https://www.rfc-editor.org/rfc/rfc8446#section-4.2.6

And when I enable that "about:config" option in Firefox, does that work correctly with TLSv1.3?

RFC 7540 explicitly forbids renegotiation after the actual HTTP/2 protocol (inside the TLS) has been started.
https://www.rfc-editor.org/rfc/rfc7540#section-9.2.1

Landon
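The two error-log lines quoted at the top of the thread are the server-side signature of this situation: a TLS 1.3 client that never offered the post_handshake_auth extension reaching a location that requires a client certificate. The following Python script is an added example, not code from the thread's authors or from the httpd project. It parses Apache error_log lines in the format shown above, pairs each AH10158 line with the OpenSSL "extension not received" detail line that mod_ssl logs from the same worker pid (the detail line carries no client address, so the pid is the join key), and returns the affected clients. The log sample is constructed for the example; the first two lines are the ones quoted in the thread, the others are filler.

```python
"""Find TLS 1.3 post-handshake-authentication failures in an Apache error_log.

Added example (not httpd project code). Assumes the default error_log line
layout shown in the thread:
  [timestamp] [module:level] [pid N] [client IP:port] message
The OpenSSL detail line that follows AH10158 has no [client ...] field, so
the two lines are correlated by pid within a short time window.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[\w-]+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"   # e.g. "Mon Jul 10 03:20:37.629596 2023"

# The two signatures from the thread: mod_ssl's own code and the OpenSSL reason.
AH10158 = "AH10158"
OPENSSL_NO_EXT = "extension not received"

# Constructed sample: lines 1-2 are the thread's, lines 3-4 are unrelated noise.
SAMPLE_LOG = """\
[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error: error:0A000117:SSL routines::extension not received
[Mon Jul 10 03:21:02.100000 2023] [ssl:info] [pid 2411] [client 192.168.0.9:51002] AH01964: Connection to child 3 established (server example.test:443)
[Mon Jul 10 03:22:15.000001 2023] [core:error] [pid 2412] [client 192.168.0.7:40000] AH00124: Request exceeded the limit of 10 internal redirects
"""


def parse_line(line):
    """Return a dict for one error_log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["pid"] = int(rec["pid"])
    return rec


def find_pha_failures(log_text, window=timedelta(seconds=1)):
    """Pair AH10158 lines with their OpenSSL detail line by pid.

    Returns one finding per failed post-handshake authentication attempt,
    carrying the client address from the AH10158 line and the OpenSSL
    reason from the detail line.
    """
    pending = {}   # pid -> AH10158 record waiting for its detail line
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["mod"] != "ssl":
            continue
        if AH10158 in rec["msg"]:
            pending[rec["pid"]] = rec
        elif OPENSSL_NO_EXT in rec["msg"]:
            first = pending.pop(rec["pid"], None)
            # Only accept the detail line if it follows AH10158 closely.
            if first is not None and timedelta(0) <= rec["ts"] - first["ts"] <= window:
                findings.append({
                    "ts": first["ts"].isoformat(),
                    "pid": first["pid"],
                    "client": first["client"],
                    "reason": rec["msg"],
                })
    return findings


def clients_missing_pha(log_text):
    """Distinct client IPs (without port) whose TLS 1.3 session lacked PHA."""
    return sorted({f["client"].rsplit(":", 1)[0] for f in find_pha_failures(log_text)})


if __name__ == "__main__":
    for f in find_pha_failures(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} client={f['client']}: {f['reason']}")
    print("clients:", clients_missing_pha(SAMPLE_LOG))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents. A list of affected clients tells you whether the failures come from browsers (where the thread's advice applies: the client has to enable post-handshake authentication, the server has to limit itself to TLSv1.2, or the certificate requirement has to move to the virtual host so no renegotiation is needed) or from an API client you control. Keep the HTTP/2 caveat from the thread in mind: per RFC 7540 section 9.2.1 renegotiation is forbidden once HTTP/2 is running, so the TLSv1.2 route only helps for HTTP/1.1 connections.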
