[fix] www/apache-httpd SNI problem
Hi Theo,

> On 11.07.2024 at 03:47, Theo Buehler <tb@theobuehler.org> wrote:
>
> On Thu, Jul 11, 2024 at 03:32:20AM +0200, Mike Fischer wrote:
>> Any progress on this?
>>
>> I just updated a server to apache-httpd-2.4.61 (from apache-httpd-2.4.59) and initial testing seems to indicate that this issue is now fixed? At least I was not able to trigger the bug on a host that has several VirtualHosts on the same IP/port combination with different certificates.
>>
>> It would be great to have this confirmed (or disproved if that is the case) so that the partial workarounds we have put into place to avoid this issue can be reverted back to a more standard configuration.
>>
>> OpenBSD 7.5 amd64
>
> current or stable?

stable

> Shortly after the 7.5 release was cut, the extension handling was
> changed in such a way that apache-httpd will no longer run into this
> issue. This change is not in stable and won't be backported.

Hmm, ok. Good to know that this will be fixed in 7.6 at least. Thanks!

> If your servers are running on current, then this problem should be
> addressed. Otherwise, unless you find that apache-httpd 2.4.61 was
> changed to stop relying on this undocumented behavior (I haven't
> checked), I would recommend to leave the workarounds in place until
> you update to OpenBSD 7.6.

I have looked at the Apache httpd release notes [1], and there were several fixes relating to mod_ssl or TLS. But I could not determine whether any of them addresses this issue. Truth be told, I don’t really understand enough of the problem to even judge whether this needs to be fixed in LibreSSL or mod_ssl or both ;-)

[1] https://downloads.apache.org/httpd/CHANGES_2.4

>
>> Tested with Brave Browser Version 1.67.123 Chromium: 126.0.6478.126 (Official Build) (arm64)
>
> I'm not sure if the randomization that exposes this problem is enabled
> on all builds on all platforms. You might have gotten lucky.

True. I’ll get some others to test this with different Chromium-based browsers.

For now I’ll assume that I have gotten lucky in my tests. I do know that I have triggered this issue with slightly older versions of Brave Browser in the past. So unless they changed something in their build it should still be possible. Too many moving parts to this problem ;-)

Thanks!
Mike