Source: mod-gnutls
Version: 0.8.2-3
Severity: serious
Tags: ftbfs

mod-gnutls appears to rely on the exact wording of apache error messages, and these changed with CVE-2019-10092.
https://buildd.debian.org/status/package.php?p=mod-gnutls&suite=stretch
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mod-gnutls.html

...
FAIL: test-18_client_verification_wrong_cert
============================================

TESTING: 18_client_verification_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built: 2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded: APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: worker
  threaded: yes (fixed thread count)
  forked: yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:11.674982 2020] [gnutls:debug] [pid 45519:tid 139910356628608] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 1.910177 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info: - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=" Public Key ID: sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94 sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91 Public Key PIN: pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE= - Status: The certificate is trusted. - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: - Handshake was completed - Simple Client Mode: HTTP/1.1 403 Forbidden Date: Mon, 27 Jan 2020 19:56:11 GMT Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7 Content-Length: 199 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> </body></html> - Peer has closed the GnuTLS connection PID TTY TIME CMD 45530 ? 00:00:00 sleep --- /build/mod-gnutls-0.9.0/test/tests/18_client_verification_wrong_cert/output 2017-02-28 07:05:55.000000000 -1200 +++ /dev/fd/63 2020-01-27 07:56:11.809997988 -1200 
@@ -1,7 +1,7 @@ +<html><head> +<title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> -<p>You don't have permission to access /test.txt -on this server.<br /> -</p> +<p>You don't have permission to access this resource.</p> </body></html> - Peer has closed the GnuTLS connection FAILURE: 18_client_verification_wrong_cert [Mon Jan 27 07:56:11.869868 2020] [gnutls:debug] [pid 45630:tid 139891390706816] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message Apache error logs: [Mon Jan 27 07:56:11.697229 2020] [mpm_worker:debug] [pid 45520:tid 139910356628608] worker.c(1758): AH00294: Accept mutex: sysvsem (default: sysvsem) [Mon Jan 27 07:56:11.697257 2020] [watchdog:debug] [pid 45523:tid 139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured? [Mon Jan 27 07:56:11.697509 2020] [watchdog:debug] [pid 45525:tid 139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured? [Mon Jan 27 07:56:11.710332 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1072): [client 127.0.0.1:43624] early_sni_hook: Selected virtual host localhost from early SNI, connection server is localhost. [Mon Jan 27 07:56:11.785399 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_io.c(535): [client 127.0.0.1:43624] mgs_filter_input: TLS connection opened. 
[Mon Jan 27 07:56:11.785673 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1652): [client 127.0.0.1:43624] GnuTLS: A Chain of 1 certificate(s) was provided for validation [Mon Jan 27 07:56:11.785899 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1694): [client 127.0.0.1:43624] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel' [Mon Jan 27 07:56:11.785946 2020] [gnutls:info] [pid 45523:tid 139910314034944] [client 127.0.0.1:43624] GnuTLS: Could not find Signer for Peer Certificate [Mon Jan 27 07:56:11.785955 2020] [gnutls:info] [pid 45523:tid 139910314034944] [client 127.0.0.1:43624] GnuTLS: Peer Certificate is invalid. [Mon Jan 27 07:56:11.786301 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_io.c(501): [client 127.0.0.1:43624] mgs_bye: TLS connection closed. FAIL test-18_client_verification_wrong_cert.bash (exit status: 1) FAIL: test-21_TLS_reverse_proxy_wrong_cert ========================================== TESTING: 21_TLS_reverse_proxy_wrong_cert Server version: Apache/2.4.38 (Debian) Server built: 2019-10-15T19:53:42 Server's Module Magic Number: 20120211:84 Server loaded: APR 1.6.5, APR-UTIL 1.6.1 Compiled using: APR 1.6.5, APR-UTIL 1.6.1 Architecture: 64-bit Server MPM: worker threaded: yes (fixed thread count) forked: yes (variable process count) Server compiled with.... 
-D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/etc/apache2" -D SUEXEC_BIN="/usr/lib/apache2/suexec" -D DEFAULT_PIDLOG="/var/run/apache2.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="mime.types" -D SERVER_CONFIG_FILE="apache2.conf" [Mon Jan 27 07:56:46.488371 2020] [gnutls:debug] [pid 49170:tid 139781586056320] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message flock: getting lock took 34.445301 seconds flock: executing /usr/sbin/apache2 [Mon Jan 27 07:56:46.547662 2020] [gnutls:debug] [pid 49173:tid 140479489176704] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message flock: getting lock took 0.000008 seconds flock: executing /usr/sbin/apache2 Processed 1 CA certificate(s). Resolving 'localhost:9932'... Connecting to '127.0.0.1:9932'... - Certificate type: X.509 - Got a certificate list of 1 certificates. 
- Certificate[0] info: - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=" Public Key ID: sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94 sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91 Public Key PIN: pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE= - Status: The certificate is trusted. - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: - Handshake was completed - Simple Client Mode: HTTP/1.1 502 Proxy Error Date: Mon, 27 Jan 2020 19:56:46 GMT Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7 Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>502 Proxy Error</title> </head><body> <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection PID TTY TIME CMD 49287 ? 00:00:00 sleep --- /build/mod-gnutls-0.9.0/test/tests/21_TLS_reverse_proxy_wrong_cert/output 2017-02-28 07:05:55.000000000 -1200 +++ /dev/fd/63 2020-01-27 07:56:46.688791422 -1200 @@ -1,5 +1,6 @@ + HTTP/1.1 502 Proxy Error -Content-Length: 407 +Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 
@@ -10,7 +11,6 @@ <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> -The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> -Reason: <strong>Error reading from remote server</strong></p></p> +The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection FAILURE: 21_TLS_reverse_proxy_wrong_cert [Mon Jan 27 07:56:46.753779 2020] [gnutls:debug] [pid 49361:tid 139691557057664] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message [Mon Jan 27 07:56:46.822503 2020] [gnutls:debug] [pid 49369:tid 140406477767808] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. 
Set the 'ServerName' directive globally to suppress this message Apache error logs: [Mon Jan 27 07:56:46.645053 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(2578): [client 127.0.0.1:43688] AH00947: connected /test.txt to localhost:9934 [Mon Jan 27 07:56:46.645210 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:46.645288 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:46.665621 2020] [:warn] [pid 49261:tid 140479387662080] [remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. The name in the certificate does not match the expected. [Mon Jan 27 07:56:46.665655 2020] [gnutls:info] [pid 49261:tid 140479387662080] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the certificate.' [Mon Jan 27 07:56:46.665812 2020] [proxy_http:error] [pid 49261:tid 140479387662080] (103)Software caused connection abort: [client 127.0.0.1:43688] AH01102: error reading status line from remote server localhost:9934 [Mon Jan 27 07:56:46.665841 2020] [proxy_http:debug] [pid 49261:tid 140479387662080] mod_proxy_http.c(1351): [client 127.0.0.1:43688] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed. [Mon Jan 27 07:56:46.665852 2020] [proxy:error] [pid 49261:tid 140479387662080] [client 127.0.0.1:43688] AH00898: Error reading from remote server returned by /proxy/test.txt [Mon Jan 27 07:56:46.665859 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost) [Mon Jan 27 07:56:46.666119 2020] [gnutls:debug] [pid 49261:tid 140479387662080] gnutls_io.c(501): [client 127.0.0.1:43688] mgs_bye: TLS connection closed. 
FAIL test-21_TLS_reverse_proxy_wrong_cert.bash (exit status: 1) FAIL: test-22_TLS_reverse_proxy_crl_revoke ========================================== TESTING: 22_TLS_reverse_proxy_crl_revoke Server version: Apache/2.4.38 (Debian) Server built: 2019-10-15T19:53:42 Server's Module Magic Number: 20120211:84 Server loaded: APR 1.6.5, APR-UTIL 1.6.1 Compiled using: APR 1.6.5, APR-UTIL 1.6.1 Architecture: 64-bit Server MPM: worker threaded: yes (fixed thread count) forked: yes (variable process count) Server compiled with.... -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/etc/apache2" -D SUEXEC_BIN="/usr/lib/apache2/suexec" -D DEFAULT_PIDLOG="/var/run/apache2.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="mime.types" -D SERVER_CONFIG_FILE="apache2.conf" [Mon Jan 27 07:56:48.231239 2020] [gnutls:debug] [pid 49371:tid 140485312394368] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message flock: getting lock took 34.604586 seconds flock: executing /usr/sbin/apache2 [Mon Jan 27 07:56:48.297053 2020] [gnutls:debug] [pid 49398:tid 140570227635328] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. 
Set the 'ServerName' directive globally to suppress this message flock: getting lock took 0.000011 seconds flock: executing /usr/sbin/apache2 Processed 1 CA certificate(s). Resolving 'localhost:9932'... Connecting to '127.0.0.1:9932'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=" Public Key ID: sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94 sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91 Public Key PIN: pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE= - Status: The certificate is trusted. - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: - Handshake was completed - Simple Client Mode: HTTP/1.1 502 Proxy Error Date: Mon, 27 Jan 2020 19:56:48 GMT Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7 Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>502 Proxy Error</title> </head><body> <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection PID TTY TIME CMD 49469 ? 00:00:00 sleep --- /build/mod-gnutls-0.9.0/test/tests/22_TLS_reverse_proxy_crl_revoke/output 2017-02-28 07:05:55.000000000 -1200 +++ /dev/fd/63 2020-01-27 07:56:48.456730263 -1200 @@ -1,5 +1,6 @@ + HTTP/1.1 502 Proxy Error -Content-Length: 407 +Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 
@@ -10,7 +11,6 @@ <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> -The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> -Reason: <strong>Error reading from remote server</strong></p></p> +The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection FAILURE: 22_TLS_reverse_proxy_crl_revoke [Mon Jan 27 07:56:48.515754 2020] [gnutls:debug] [pid 49563:tid 140030353167488] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message [Mon Jan 27 07:56:48.584173 2020] [gnutls:debug] [pid 49571:tid 140202088002688] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. 
Set the 'ServerName' directive globally to suppress this message Apache error logs: [Mon Jan 27 07:56:48.412814 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(2578): [client 127.0.0.1:43692] AH00947: connected /test.txt to localhost:9934 [Mon Jan 27 07:56:48.412931 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:48.413000 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:48.435327 2020] [:warn] [pid 49466:tid 140570102060800] [remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. The certificate chain is revoked. [Mon Jan 27 07:56:48.435348 2020] [gnutls:info] [pid 49466:tid 140570102060800] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the certificate.' [Mon Jan 27 07:56:48.435462 2020] [proxy_http:error] [pid 49466:tid 140570102060800] (103)Software caused connection abort: [client 127.0.0.1:43692] AH01102: error reading status line from remote server localhost:9934 [Mon Jan 27 07:56:48.435503 2020] [proxy_http:debug] [pid 49466:tid 140570102060800] mod_proxy_http.c(1351): [client 127.0.0.1:43692] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed. [Mon Jan 27 07:56:48.435513 2020] [proxy:error] [pid 49466:tid 140570102060800] [client 127.0.0.1:43692] AH00898: Error reading from remote server returned by /proxy/test.txt [Mon Jan 27 07:56:48.435519 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost) [Mon Jan 27 07:56:48.435726 2020] [gnutls:debug] [pid 49466:tid 140570102060800] gnutls_io.c(501): [client 127.0.0.1:43692] mgs_bye: TLS connection closed. 
FAIL test-22_TLS_reverse_proxy_crl_revoke.bash (exit status: 1) FAIL: test-23_TLS_reverse_proxy_mismatched_priorities ===================================================== TESTING: 23_TLS_reverse_proxy_mismatched_priorities Server version: Apache/2.4.38 (Debian) Server built: 2019-10-15T19:53:42 Server's Module Magic Number: 20120211:84 Server loaded: APR 1.6.5, APR-UTIL 1.6.1 Compiled using: APR 1.6.5, APR-UTIL 1.6.1 Architecture: 64-bit Server MPM: worker threaded: yes (fixed thread count) forked: yes (variable process count) Server compiled with.... -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/etc/apache2" -D SUEXEC_BIN="/usr/lib/apache2/suexec" -D DEFAULT_PIDLOG="/var/run/apache2.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="mime.types" -D SERVER_CONFIG_FILE="apache2.conf" [Mon Jan 27 07:56:44.735239 2020] [gnutls:debug] [pid 48957:tid 140513797600384] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message flock: getting lock took 29.468541 seconds flock: executing /usr/sbin/apache2 [Mon Jan 27 07:56:44.806930 2020] [gnutls:debug] [pid 48960:tid 140579053433984] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' created. 
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message flock: getting lock took 0.000011 seconds flock: executing /usr/sbin/apache2 Processed 1 CA certificate(s). Resolving 'localhost:9932'... Connecting to '127.0.0.1:9932'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=" Public Key ID: sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94 sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91 Public Key PIN: pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE= - Status: The certificate is trusted. - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) - Options: - Handshake was completed - Simple Client Mode: HTTP/1.1 502 Proxy Error Date: Mon, 27 Jan 2020 19:56:44 GMT Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7 Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>502 Proxy Error</title> </head><body> <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection PID TTY TIME CMD 49064 ? 00:00:00 sleep --- /build/mod-gnutls-0.9.0/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output 2017-02-28 07:05:55.000000000 -1200 +++ /dev/fd/63 2020-01-27 07:56:44.936852027 -1200 
@@ -1,5 +1,6 @@ + HTTP/1.1 502 Proxy Error -Content-Length: 407 +Content-Length: 341 Connection: close Content-Type: text/html; charset=iso-8859-1 
@@ -10,7 +11,6 @@ <h1>Proxy Error</h1> <p>The proxy server received an invalid response from an upstream server.<br /> -The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p> -Reason: <strong>Error reading from remote server</strong></p></p> +The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p> </body></html> - Peer has closed the GnuTLS connection FAILURE: 23_TLS_reverse_proxy_mismatched_priorities [Mon Jan 27 07:56:44.997278 2020] [gnutls:debug] [pid 49148:tid 140644500755584] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message [Mon Jan 27 07:56:45.068445 2020] [gnutls:debug] [pid 49156:tid 140440329122944] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)' created. AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. 
Set the 'ServerName' directive globally to suppress this message Apache error logs: [Mon Jan 27 07:56:44.909088 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(2578): [client 127.0.0.1:43684] AH00947: connected /test.txt to localhost:9934 [Mon Jan 27 07:56:44.909229 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:44.909304 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost) [Mon Jan 27 07:56:44.911004 2020] [gnutls:info] [pid 49049:tid 140579019003648] [remote 127.0.0.1:9934] GnuTLS: Handshake Alert (40) 'Handshake failed'. [Mon Jan 27 07:56:44.911023 2020] [gnutls:info] [pid 49049:tid 140579019003648] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.' [Mon Jan 27 07:56:44.911150 2020] [proxy_http:error] [pid 49049:tid 140579019003648] (103)Software caused connection abort: [client 127.0.0.1:43684] AH01102: error reading status line from remote server localhost:9934 [Mon Jan 27 07:56:44.911188 2020] [proxy_http:debug] [pid 49049:tid 140579019003648] mod_proxy_http.c(1351): [client 127.0.0.1:43684] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed. [Mon Jan 27 07:56:44.911199 2020] [proxy:error] [pid 49049:tid 140579019003648] [client 127.0.0.1:43684] AH00898: Error reading from remote server returned by /proxy/test.txt [Mon Jan 27 07:56:44.911207 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost) [Mon Jan 27 07:56:44.911520 2020] [gnutls:debug] [pid 49049:tid 140579019003648] gnutls_io.c(501): [client 127.0.0.1:43684] mgs_bye: TLS connection closed. 
FAIL test-23_TLS_reverse_proxy_mismatched_priorities.bash (exit status: 1)

============================================================================
Testsuite summary for mod_gnutls 0.9.0
============================================================================
# TOTAL: 35
# PASS: 31
# SKIP: 0
# XFAIL: 0
# FAIL: 4
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
============================================================================
make[6]: *** [Makefile:1093: test-suite.log] Error 1
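
Added example, not part of the original report and not mod_gnutls's own test code: one way to compare captured test output by outcome (status line and stable headers) so that a change in httpd's error-page wording, like the one in the diffs above, does not fail a test whose purpose is to confirm that a bad certificate is rejected. The function names and the `BAD_200` sample are assumptions; the 502 bodies and Content-Length values are taken from the log, with the rest of each sample constructed.

```shell
#!/bin/sh
# Added example: compare TLS test responses by outcome, not by Apache's error-page text.

# Reduce gnutls-cli style output on stdin to the parts the test itself owns:
# status line, a fixed set of headers, and the body only for non-error responses.
normalize_response() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ {       # status line opens a response
            print; in_headers = 1; in_body = 0; is_error = ($2 >= 400); next
        }
        in_headers && /^$/ { in_headers = 0; in_body = 1; print ""; next }
        in_headers {
            # Date, Server and Content-Length vary with time, version and body text.
            if (tolower($0) ~ /^(content-type|connection):/) print
            next
        }
        in_body && /^- Peer has closed/ { in_body = 0; print; next }
        in_body && !is_error { print }           # 4xx/5xx bodies are httpd text: dropped
    '
}

# Succeed when two captured outputs (passed as strings) describe the same outcome.
same_outcome() {
    [ "$(printf "%s\n" "$1" | normalize_response)" = \
      "$(printf "%s\n" "$2" | normalize_response)" ]
}

# Constructed sample: expected output with the older error-page wording.
OLD_502='HTTP/1.1 502 Proxy Error
Content-Length: 407
Connection: close
Content-Type: text/html; charset=iso-8859-1

<h1>Proxy Error</h1>
<p>The proxy server received an invalid response from an upstream server.<br />
The proxy server could not handle the request <em><a href="/proxy/test.txt">GET /proxy/test.txt</a></em>.<p>
Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection'

# Constructed sample: actual output with the newer wording and extra client chatter.
NEW_502='- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:46 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<h1>Proxy Error</h1>
<p>The proxy server received an invalid response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection'

# Hypothetical regression: the proxy accepted the bad backend certificate.
BAD_200='HTTP/1.1 200 OK
Content-Length: 5
Connection: close
Content-Type: text/plain

test
- Peer has closed the GnuTLS connection'

same_outcome "$OLD_502" "$NEW_502" && echo "wording change: still a match"
same_outcome "$NEW_502" "$BAD_200" || echo "status change: mismatch detected"
```

The comparison stays strict where it matters: a response that stops being an error, or changes status code, still fails the check.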