On Mon, Apr 17, 2023 at 12:29:31PM -0600, Jeff Ross wrote:
> This is only tangentially related to OpenBSD...

It is related because it is a combination of how LibreSSL handles TLS extension callbacks with how apache2 chose to redirect requests to virtual hosts based on the server name indication. This now manifests itself because Chrome started rolling out an anti-fingerprinting and bug-finding feature that involves randomizing the order of TLS extensions. They started rolling out this feature on Windows and are adding it to more platforms over time, which likely explains why that issue now shows up on some Android phones as well.

One part of the problem is that LibreSSL calls callbacks directly on reading an extension, so that the (undocumented) order in which callbacks are called depends on the order in which TLS extensions are sent. The other part is that apache2 depends on having information from the SNI available when the ALPN callback is called. So if the ALPN extension precedes the SNI, the request will fail, otherwise it works as expected. To my knowledge this manifests itself only with virtual hosts in apache2.

jsing and I know where the problem is and we know of several approaches to avoid it. As always, the issue is that someone needs to sit down and do it. Since this only affects one specific web server software it's not especially high on the list of priorities.

More details and a link are in this mail and more can be found in the thread:
https://marc.info/?l=openbsd-ports&m=167577915605727&w=2

> My web server is running OpenBSD 6.8 (yes, I know) using apache2 and
> letsencrypt certificates.

The fix will not be extremely complicated and if we land it soon, it will be easy to backport to 7.3. It will definitely not be easy to backport it to 6.8...

> If anyone else out there is getting this error or has gotten this error and
> figured out a workaround I'd love to hear from you, either on or off list.
Unless you are able to switch to a config not involving virtual hosts (in which case I believe the problem should not manifest but I'm not 100% certain about this) I am not aware of a workaround that only involves some config knobs.
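The order dependency described in this thread, modelled in Python as an added illustration (this is not code from the thread, from LibreSSL or from apache2). The extension encodings follow RFC 6066 (server_name) and RFC 7301 (ALPN); the vhost table, hostnames and the "SNI first" reordering are constructed assumptions, and that reordering is one illustrative mitigation, not the fix the developers landed.

```python
import struct

SNI, ALPN = 0x0000, 0x0010
# Constructed vhost table standing in for apache2's per-virtual-host ALPN config (assumption).
VHOSTS = {b"a.example": [b"h2", b"http/1.1"], b"b.example": [b"http/1.1"]}

def build_extensions(order, name, protos=(b"h2", b"http/1.1")):
    # Constructed ClientHello extensions block, emitted in the requested wire order.
    entry = struct.pack("!BH", 0, len(name)) + name                   # RFC 6066 server_name
    lst = b"".join(struct.pack("!B", len(p)) + p for p in protos)      # RFC 7301 protocol list
    bodies = {SNI: struct.pack("!H", len(entry)) + entry,
              ALPN: struct.pack("!H", len(lst)) + lst}
    exts = b"".join(struct.pack("!HH", t, len(bodies[t])) + bodies[t] for t in order)
    return struct.pack("!H", len(exts)) + exts

def parse_extensions(blob):
    # Return [(type, body), ...] exactly in wire order; a randomizing client shuffles this.
    (total,) = struct.unpack("!H", blob[:2])
    pos, end, out = 2, 2 + total, []
    while pos < end:
        etype, elen = struct.unpack("!HH", blob[pos:pos + 4])
        out.append((etype, blob[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return out
def sni_cb(body, state):
    # Select the virtual host from server_name, as apache2's SNI hook does.
    (name_len,) = struct.unpack("!H", body[3:5])
    state["vhost"] = VHOSTS.get(body[5:5 + name_len])
def alpn_cb(body, state):
    # Needs the vhost chosen by sni_cb; if it is not there yet, no protocol can be selected.
    if not state.get("vhost"):
        return
    offered, pos = [], 2
    while pos < len(body):
        n = body[pos]
        offered.append(body[pos + 1:pos + 1 + n])
        pos += 1 + n
    state["proto"] = next((p for p in state["vhost"] if p in offered), None)

def handshake(order, sni_first=False, name=b"a.example"):
    # Fire callbacks in wire order (the behaviour described for LibreSSL); sni_first hoists
    # server_name ahead of the others, one illustrative mitigation, not the actual fix.
    exts = parse_extensions(build_extensions(order, name))
    if sni_first:
        exts.sort(key=lambda e: e[0] != SNI)  # stable sort: SNI first, rest unchanged
    state = {}
    for etype, body in exts:
        {SNI: sni_cb, ALPN: alpn_cb}[etype](body, state)
    return state.get("proto")
```

With SNI before ALPN the vhost's protocol list is available and h2 is selected; with ALPN first the callback runs with no vhost and nothing is negotiated, which is the failure the thread describes.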