On Tue, Jul 25, 2023 at 2:46 PM Daniel Ferradal <dferra...@apache.org> wrote:
> >>> [Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
> >>> 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
> >>> [Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library
> >>> Error: error:0A000117:SSL routines::extension not received
> >>>
>
> This has nothing to do with your certificates, but with the TLS protocol.
>
> This is TLSv1.3 no doubt, you just have to go to "about:config" in Firefox
> and enable post-handshake authentication, and that's why Apache is telling
> you that the extension is not being received, as in Firefox is not sending it
> (look for the handshake keyword).
>
> When a directory configuration is different from the general TLS
> configuration, such as when requiring a certificate in a subdirectory, a
> renegotiation occurs.
>
> Being TLSv1.3, browsers such as Firefox have it disabled by default. If
> your Apache server only allows TLSv1.2 you won't have this issue. As for
> the reason why browsers are doing this, I can't remember exactly what it
> is; a Google search should shed some light I guess.
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>

The issue is discussed here...
https://stackoverflow.com/questions/73590620/delayed-certificate-in-tls-1-3

It references RFC 8446...
https://www.rfc-editor.org/rfc/rfc8446#section-4.2.6

And when I enable that "about:config" option in Firefox, does that work correctly with TLSv1.3? RFC 7540 explicitly forbids renegotiation after the actual HTTP/2 protocol (inside the TLS) has been started.
https://www.rfc-editor.org/rfc/rfc7540#section-9.2.1

Landon