On 4/17/23 4:10 PM, Theo Buehler wrote:
> On Mon, Apr 17, 2023 at 12:29:31PM -0600, Jeff Ross wrote:
>> This is only tangentially related to OpenBSD...
>
> It is related because it is a combination of how LibreSSL handles TLS
> extension callbacks with how apache2 chose to redirect requests to
> virtual hosts based on the server name indication. This now manifests
> itself because chrome started rolling out an anti-fingerprinting and
> bug-finding feature that involves randomizing the order of TLS
> extensions. They started rolling out this feature on Windows and added it
> to more platforms over time, which likely explains why that issue now
> shows up on some android phones as well.
>
> One part of the problem is that LibreSSL calls callbacks directly on
> reading an extension so that the (undocumented) order in which callbacks
> are called depends on the order in which TLS extensions are sent.
>
> The other part is that apache2 depends on having information from the
> SNI available when the ALPN callback is called. So if the ALPN extension
> precedes the SNI, the request will fail, otherwise it works as expected.
>
> To my knowledge this manifests itself only with virtual hosts in
> apache2. jsing and I know where the problem is and we know of several
> approaches to avoiding it. As always, the issue is that someone needs
> to sit down and do it. Since this only affects one specific web server
> software it's not especially high on the list of priorities.
>
> More details and a link are in this mail and more can be found in the
> thread:
>
> https://marc.info/?l=openbsd-ports&m=167577915605727&w=2
>
>> My web server is running OpenBSD 6.8 (yes, I know) using apache2 and
>> letsencrypt certificates.
>
> The fix will not be extremely complicated and if we land it soon, it
> will be easy to backport to 7.3. It will definitely not be easy to
> backport it to 6.8...
>
>> If anyone else out there is getting this error or has gotten this error and
>> figured out a workaround I'd love to hear from you, either on or off list.
>
> Unless you are able to switch to a config not involving virtual hosts
> (in which case I believe the problem should not manifest but I'm not
> 100% certain about this) I am not aware of a workaround that only
> involves some config knobs.

Thank you Theo for the comprehensive explanation.

I might actually be able to split that specific domain off to its own IP--my server has 2 em ports and I'm only using 1 of them.

If this is apache2 only it might be time for me to explore moving to nginx or OpenBSD's stock httpd.  I have a few sites using drupal/backdrop and the lack of a redirect has been the stopper there to prevent an easy transition.

I'm also going to bite the bullet and get that server updated.

Thanks again!

Jeff
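To make the ordering dependency Theo describes concrete, here is a small Python model added to this page; it is not LibreSSL or apache2 code and nobody in the thread wrote it. The extension type numbers are the real IANA values for server_name and ALPN; the callback signatures, the virtual-host table, the constructed ClientHello orderings and the "deferred" handling strategy are assumptions made for the illustration. The thread does not say which of the several possible approaches the LibreSSL developers will take, so the deferred handler is one plausible shape of a fix, not theirs.

```python
"""Toy model of the TLS extension callback-ordering dependency from the thread.

Added illustration, not LibreSSL or apache2 code. Extension type numbers are
the IANA values for server_name (0) and ALPN (16); the callback signatures,
the vhost table and the "deferred" strategy are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SNI = 0    # server_name extension type (RFC 6066)
ALPN = 16  # application_layer_protocol_negotiation (RFC 7301)


@dataclass
class VirtualHost:
    name: str
    protocols: List[str]  # ALPN protocols this vhost is willing to speak


@dataclass
class Connection:
    vhosts: Dict[str, VirtualHost]
    selected: Optional[VirtualHost] = None  # vhost chosen from SNI
    alpn: Optional[str] = None              # protocol chosen by the ALPN callback
    errors: List[str] = field(default_factory=list)


def sni_callback(conn: Connection, server_name: str) -> None:
    """Pick the virtual host named by the client's SNI extension."""
    conn.selected = conn.vhosts.get(server_name)


def alpn_callback(conn: Connection, offered: List[str]) -> None:
    """Choose an ALPN protocol. Like the apache2 callback described in the
    thread, it needs the vhost already chosen by SNI; if that has not
    happened yet, the negotiation fails."""
    if conn.selected is None:
        conn.errors.append("ALPN callback ran before SNI was known")
        return
    for proto in offered:
        if proto in conn.selected.protocols:
            conn.alpn = proto
            return


CALLBACKS: Dict[int, Callable] = {SNI: sni_callback, ALPN: alpn_callback}

# A ClientHello is modelled as a list of (extension_type, decoded_value).
Extensions = List[Tuple[int, object]]


def handle_eager(conn: Connection, extensions: Extensions) -> Connection:
    """Run each callback as its extension is read, i.e. in wire order.
    This is the behaviour the thread attributes to LibreSSL."""
    for ext_type, value in extensions:
        cb = CALLBACKS.get(ext_type)
        if cb is not None:
            cb(conn, value)
    return conn


def handle_deferred(conn: Connection, extensions: Extensions) -> Connection:
    """Parse all extensions first, then run callbacks in a fixed order so
    SNI is always known before ALPN. An assumed mitigation for the example,
    not the fix being developed for LibreSSL."""
    parsed = dict(extensions)
    for ext_type in (SNI, ALPN):  # fixed order, independent of wire order
        if ext_type in parsed:
            CALLBACKS[ext_type](conn, parsed[ext_type])
    return conn


# Constructed sample data: one vhost and two ClientHello extension orders.
VHOSTS = {"www.example.test": VirtualHost("www.example.test", ["h2", "http/1.1"])}
CLASSIC_ORDER = [(SNI, "www.example.test"), (ALPN, ["h2", "http/1.1"])]
RANDOMIZED_ORDER = [(ALPN, ["h2", "http/1.1"]), (SNI, "www.example.test")]


def negotiate(extensions: Extensions, deferred: bool = False) -> Connection:
    """Negotiate one connection with either strategy and return its state."""
    conn = Connection(vhosts=VHOSTS)
    handler = handle_deferred if deferred else handle_eager
    return handler(conn, extensions)


if __name__ == "__main__":
    for label, order in (("classic", CLASSIC_ORDER), ("randomized", RANDOMIZED_ORDER)):
        for deferred in (False, True):
            c = negotiate(order, deferred)
            print(f"{label:10} deferred={deferred!s:5} alpn={c.alpn} errors={c.errors}")
```

With the eager handler the classic SNI-then-ALPN order succeeds and the randomized order fails, which is exactly the asymmetry Theo describes; the deferred handler succeeds in both cases because the callback order no longer depends on what the client sent. The same model also shows why a single-host (non-virtual-host) setup is less exposed: without a vhost lookup, the ALPN decision has nothing to wait for.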
