Apache 2.4.37 with openssl 1.1.1: cannot perform post-handshake authentication

Views: 164

Question

I updated Apache to the latest version, 2.4.37, and OpenSSL to 1.1.1, and now, when the client authenticates, I get this error only with Firefox 63, but not in Chrome:

[ssl:error] AH: verify client post handshake, referer: https://******/login
[ssl:error] AH10158: cannot perform post-handshake authentication, referer: https://******/login
[ssl:error] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

I used Wireshark to try to find the problem, and I appreciate Firefox uses TLS 1.3, while Chrome uses TLS 1.2. In fact, if I set the TLS max version in FF to TLS 1.2, it works fine.

I would like to get TLS 1.3 compatibility or, if it is not yet possible, to force, in my Apache configuration, the client to always use TLS 1.2, but I don't get it :(

This is my Apache vhost config file:

[...]

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/server.crt
SSLCertificateKeyFile   /etc/apache2/ssl/server.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
SSLCACertificateFile /etc/apache2/ssl/ca.pem
SSLVerifyDepth 3
SSLProtocol TLSv1.2
SSLHonorCipherOrder on

<Directory /var/www/html/>
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride All
    Order deny,allow
    Allow from 10.55.12.0/24
    Deny from all
</Directory>

<Files "login-ssl.php">
    SSLVerifyClient optional
    SSLOptions +StdEnvVars +StrictRequire
</Files>

[...]

Can anyone help me, please?

Thanks.


EDIT

I found the solution. The SSLProtocol directive should be in /etc/apache2/mods-enabled/ssl.conf.

Accepted answer

The problem is that Firefox doesn't support TLS 1.3 post-handshake authentication. I've reported this issue to Firefox at https://bugzilla.mozilla.org/show_bug.cgi?id=1511989


I'm not suggesting a workaround or fix here; I'm merely telling others who come across this page (as it is high up for this error message in the search results) what the situation is and where to find the latest information as Firefox works to resolve this issue.
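As an added example (not part of the question or the answer above), the following Python script scans Apache 2.4 error-log lines for the AH10158 failure discussed on this page and summarizes which client addresses and referers hit it, together with the OpenSSL reason string that accompanied it. This lets an operator measure how many users are affected by the Firefox limitation the answer describes before deciding whether to pin TLS 1.2 as the asker did. The lines in SAMPLE_LOG are constructed for this example in the standard Apache 2.4 ErrorLog layout (the excerpt in the question had its timestamp, pid and client prefixes stripped); the client addresses are made up.

```python
import re
from collections import Counter

# Constructed sample error-log lines (not taken from the page). They follow the
# standard Apache 2.4 ErrorLog layout; the question's excerpt had the
# timestamp/pid/client prefixes stripped. Client addresses are made up.
SAMPLE_LOG = """\
[Thu Dec 06 10:12:01.123456 2018] [ssl:error] [pid 1234:tid 5678] [client 10.55.12.7:51234] AH: verify client post handshake, referer: https://******/login
[Thu Dec 06 10:12:01.123789 2018] [ssl:error] [pid 1234:tid 5678] [client 10.55.12.7:51234] AH10158: cannot perform post-handshake authentication, referer: https://******/login
[Thu Dec 06 10:12:01.123900 2018] [ssl:error] [pid 1234:tid 5678] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Thu Dec 06 10:13:44.000001 2018] [ssl:error] [pid 1234:tid 9999] [client 10.55.12.9:40001] AH10158: cannot perform post-handshake authentication, referer: https://******/login
[Thu Dec 06 10:13:44.000100 2018] [ssl:error] [pid 1234:tid 9999] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Thu Dec 06 10:14:00.000000 2018] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'
"""

# Layout: [time] [module:level] [pid N[:tid M]] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]"
    r"(?: \[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\])?"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
REFERER_RE = re.compile(r", referer: (?P<referer>\S+)$")
PHA_REASON_RE = re.compile(r"SSL_verify_client_post_handshake:(?P<reason>.+)$")

# The one reason string shown on the page, with the meaning the accepted answer gives it.
KNOWN_REASONS = {
    "extension not received": (
        "TLS 1.3 client did not offer the post_handshake_auth extension, so the "
        "server cannot request a certificate after the handshake (e.g. Firefox 63)"
    ),
}


def parse_line(line):
    """Split one error-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def client_ip(client_field):
    """Drop the trailing :port from Apache's '[client ip:port]' field (works for IPv6 too)."""
    return client_field.rsplit(":", 1)[0]


def summarize_pha_failures(lines):
    """Count AH10158 post-handshake-auth failures by client IP, referer and OpenSSL reason."""
    by_client, by_referer, reasons = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "ssl":
            continue
        msg = rec["msg"]
        if "AH10158" in msg:
            key = client_ip(rec["client"]) if rec["client"] else "unknown"
            by_client[key] += 1
            m = REFERER_RE.search(msg)
            if m:
                by_referer[m.group("referer")] += 1
        # The library error is logged on a separate line without a client field,
        # so the reason string is tallied independently of the client count.
        m = PHA_REASON_RE.search(msg)
        if m:
            reasons[m.group("reason")] += 1
    return {"by_client": dict(by_client), "by_referer": dict(by_referer), "reasons": dict(reasons)}


def explain(reason):
    """Map an OpenSSL reason string to a short operator-facing explanation."""
    return KNOWN_REASONS.get(reason, "unrecognized OpenSSL reason; look up the code with 'openssl errstr'")


if __name__ == "__main__":
    summary = summarize_pha_failures(SAMPLE_LOG.splitlines())
    for ip, n in sorted(summary["by_client"].items()):
        print(f"{ip}: {n} AH10158 failure(s)")
    for reason, n in summary["reasons"].items():
        print(f"{n}x '{reason}': {explain(reason)}")
```

Point the script at a real log with `summarize_pha_failures(open('/var/log/apache2/error.log'))`; because AH10158 is emitted once per failed request, the per-client counts approximate how many TLS 1.3 clients without post-handshake authentication support are reaching the client-certificate-protected location.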
