
Bug#950300: mod-gnutls: apache CVE-2019-10092 fix causes FTBFS



Source: mod-gnutls
Version: 0.8.2-3
Severity: serious
Tags: ftbfs

mod-gnutls appears to rely on the exact wording of Apache
error messages, and these changed with CVE-2019-10092.

https://buildd.debian.org/status/package.php?p=mod-gnutls&suite=stretch
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mod-gnutls.html

...
FAIL: test-18_client_verification_wrong_cert
============================================

TESTING: 18_client_verification_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:11.674982 2020] [gnutls:debug] [pid 45519:tid 139910356628608] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 1.910177 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Successfully sent 1 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
	Public Key ID:
		sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
		sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
	Public Key PIN:
		pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 403 Forbidden
Date: Mon, 27 Jan 2020 19:56:11 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 199
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
45530 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/18_client_verification_wrong_cert/output	2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63	2020-01-27 07:56:11.809997988 -1200
@@ -1,7 +1,7 @@
+<html><head>
+<title>403 Forbidden</title>
 </head><body>
 <h1>Forbidden</h1>
-<p>You don't have permission to access /test.txt
-on this server.<br />
-</p>
+<p>You don't have permission to access this resource.</p>
 </body></html>
 - Peer has closed the GnuTLS connection
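Review bot: the '-' lines pin Apache's 403 body word for word, including the request path '/test.txt', so any rewording of the stock error page fails a test whose subject is client-certificate rejection. The two leading '+' lines ('<html><head>' and '<title>403 Forbidden</title>') also show the compared window sliding once the body went from three lines to one, which suggests the expected file holds a fixed number of trailing lines of the response. Comparing only the status line 'HTTP/1.1 403 Forbidden' would keep the security assertion and drop the dependency on Apache's wording and line count.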
FAILURE: 18_client_verification_wrong_cert
[Mon Jan 27 07:56:11.869868 2020] [gnutls:debug] [pid 45630:tid 139891390706816] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_18_client_verification_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Apache error logs:
[Mon Jan 27 07:56:11.697229 2020] [mpm_worker:debug] [pid 45520:tid 139910356628608] worker.c(1758): AH00294: Accept mutex: sysvsem (default: sysvsem)
[Mon Jan 27 07:56:11.697257 2020] [watchdog:debug] [pid 45523:tid 139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.697509 2020] [watchdog:debug] [pid 45525:tid 139910356628608] mod_watchdog.c(567): AH02980: Watchdog: nothing configured?
[Mon Jan 27 07:56:11.710332 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1072): [client 127.0.0.1:43624] early_sni_hook: Selected virtual host localhost from early SNI, connection server is localhost.
[Mon Jan 27 07:56:11.785399 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_io.c(535): [client 127.0.0.1:43624] mgs_filter_input: TLS connection opened.
[Mon Jan 27 07:56:11.785673 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1652): [client 127.0.0.1:43624] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Mon Jan 27 07:56:11.785899 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_hooks.c(1694): [client 127.0.0.1:43624] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
[Mon Jan 27 07:56:11.785946 2020] [gnutls:info] [pid 45523:tid 139910314034944] [client 127.0.0.1:43624] GnuTLS: Could not find Signer for Peer Certificate
[Mon Jan 27 07:56:11.785955 2020] [gnutls:info] [pid 45523:tid 139910314034944] [client 127.0.0.1:43624] GnuTLS: Peer Certificate is invalid.
[Mon Jan 27 07:56:11.786301 2020] [gnutls:debug] [pid 45523:tid 139910314034944] gnutls_io.c(501): [client 127.0.0.1:43624] mgs_bye: TLS connection closed.
FAIL test-18_client_verification_wrong_cert.bash (exit status: 1)

FAIL: test-21_TLS_reverse_proxy_wrong_cert
==========================================

TESTING: 21_TLS_reverse_proxy_wrong_cert
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:46.488371 2020] [gnutls:debug] [pid 49170:tid 139781586056320] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 34.445301 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:46.547662 2020] [gnutls:debug] [pid 49173:tid 140479489176704] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 0.000008 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
	Public Key ID:
		sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
		sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
	Public Key PIN:
		pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:46 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49287 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/21_TLS_reverse_proxy_wrong_cert/output	2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63	2020-01-27 07:56:46.688791422 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
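Review bot: the expected 'Content-Length: 407' on the '-' line is a function of Apache's error-page text, so it breaks whenever the body changes (341 here) while saying nothing about TLS behaviour. The blank '+' line at the top looks like a fixed-size comparison window picking up one more line because the body further down got one line shorter. Dropping Content-Length from the compared output, or comparing only the 'HTTP/1.1 502 Proxy Error' status line, would avoid both mismatches.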
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
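Review bot: the two '-' lines expect the error page to hand the request back to the client as a link ('<a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a>'), and the '+' line no longer contains it, which matches the report's statement that the messages changed with the CVE-2019-10092 fix. With the body matched verbatim, the test can pass on only one side of that security update. The expected output should be regenerated against the patched Apache or, better, stop matching the HTML body and assert on the 502 status alone.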
FAILURE: 21_TLS_reverse_proxy_wrong_cert
[Mon Jan 27 07:56:46.753779 2020] [gnutls:debug] [pid 49361:tid 139691557057664] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Mon Jan 27 07:56:46.822503 2020] [gnutls:debug] [pid 49369:tid 140406477767808] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_21_TLS_reverse_proxy_wrong_cert_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Apache error logs:
[Mon Jan 27 07:56:46.645053 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(2578): [client 127.0.0.1:43688] AH00947: connected /test.txt to localhost:9934
[Mon Jan 27 07:56:46.645210 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:46.645288 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:46.665621 2020] [:warn] [pid 49261:tid 140479387662080] [remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. The name in the certificate does not match the expected. 
[Mon Jan 27 07:56:46.665655 2020] [gnutls:info] [pid 49261:tid 140479387662080] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the certificate.'
[Mon Jan 27 07:56:46.665812 2020] [proxy_http:error] [pid 49261:tid 140479387662080] (103)Software caused connection abort: [client 127.0.0.1:43688] AH01102: error reading status line from remote server localhost:9934
[Mon Jan 27 07:56:46.665841 2020] [proxy_http:debug] [pid 49261:tid 140479387662080] mod_proxy_http.c(1351): [client 127.0.0.1:43688] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed.
[Mon Jan 27 07:56:46.665852 2020] [proxy:error] [pid 49261:tid 140479387662080] [client 127.0.0.1:43688] AH00898: Error reading from remote server returned by /proxy/test.txt
[Mon Jan 27 07:56:46.665859 2020] [proxy:debug] [pid 49261:tid 140479387662080] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:46.666119 2020] [gnutls:debug] [pid 49261:tid 140479387662080] gnutls_io.c(501): [client 127.0.0.1:43688] mgs_bye: TLS connection closed.
FAIL test-21_TLS_reverse_proxy_wrong_cert.bash (exit status: 1)

FAIL: test-22_TLS_reverse_proxy_crl_revoke
==========================================

TESTING: 22_TLS_reverse_proxy_crl_revoke
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:48.231239 2020] [gnutls:debug] [pid 49371:tid 140485312394368] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 34.604586 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:48.297053 2020] [gnutls:debug] [pid 49398:tid 140570227635328] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
	Public Key ID:
		sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
		sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
	Public Key PIN:
		pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:48 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49469 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/22_TLS_reverse_proxy_crl_revoke/output	2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63	2020-01-27 07:56:48.456730263 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
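Review bot: this hunk is identical to the one shown for 21_TLS_reverse_proxy_wrong_cert, so the compared client output cannot tell a revoked backend certificate from a name mismatch; both surface as the same 502 body. The evidence that the CRL check fired is the 'gtls_check_server_cert: The certificate is NOT trusted. The certificate chain is revoked.' line in the Apache error log below. Asserting on that log message in addition to the 502 status would make the test check the property its name claims.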
FAILURE: 22_TLS_reverse_proxy_crl_revoke
[Mon Jan 27 07:56:48.515754 2020] [gnutls:debug] [pid 49563:tid 140030353167488] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Mon Jan 27 07:56:48.584173 2020] [gnutls:debug] [pid 49571:tid 140202088002688] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_22_TLS_reverse_proxy_crl_revoke_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Apache error logs:
[Mon Jan 27 07:56:48.412814 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(2578): [client 127.0.0.1:43692] AH00947: connected /test.txt to localhost:9934
[Mon Jan 27 07:56:48.412931 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:48.413000 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:48.435327 2020] [:warn] [pid 49466:tid 140570102060800] [remote 127.0.0.1:9934] gtls_check_server_cert: The certificate is NOT trusted. The certificate chain is revoked. 
[Mon Jan 27 07:56:48.435348 2020] [gnutls:info] [pid 49466:tid 140570102060800] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-43) 'Error in the certificate.'
[Mon Jan 27 07:56:48.435462 2020] [proxy_http:error] [pid 49466:tid 140570102060800] (103)Software caused connection abort: [client 127.0.0.1:43692] AH01102: error reading status line from remote server localhost:9934
[Mon Jan 27 07:56:48.435503 2020] [proxy_http:debug] [pid 49466:tid 140570102060800] mod_proxy_http.c(1351): [client 127.0.0.1:43692] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed.
[Mon Jan 27 07:56:48.435513 2020] [proxy:error] [pid 49466:tid 140570102060800] [client 127.0.0.1:43692] AH00898: Error reading from remote server returned by /proxy/test.txt
[Mon Jan 27 07:56:48.435519 2020] [proxy:debug] [pid 49466:tid 140570102060800] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:48.435726 2020] [gnutls:debug] [pid 49466:tid 140570102060800] gnutls_io.c(501): [client 127.0.0.1:43692] mgs_bye: TLS connection closed.
FAIL test-22_TLS_reverse_proxy_crl_revoke.bash (exit status: 1)

FAIL: test-23_TLS_reverse_proxy_mismatched_priorities
=====================================================

TESTING: 23_TLS_reverse_proxy_mismatched_priorities
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"
[Mon Jan 27 07:56:44.735239 2020] [gnutls:debug] [pid 48957:tid 140513797600384] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 29.468541 seconds
flock: executing /usr/sbin/apache2
[Mon Jan 27 07:56:44.806930 2020] [gnutls:debug] [pid 48960:tid 140579053433984] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
flock: getting lock took 0.000011 seconds
flock: executing /usr/sbin/apache2
Processed 1 CA certificate(s).
Resolving 'localhost:9932'...
Connecting to '127.0.0.1:9932'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=localhost', issuer `CN=Testing Authority', serial 0x22fff0d9, RSA key 3072 bits, signed using RSA-SHA256, activated `2020-01-27 19:56:05 UTC', expires `2021-01-26 19:56:05 UTC', pin-sha256="ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE="
	Public Key ID:
		sha1:7bb678f9fe68cd7ed0fd1df39e9aebad4eee2b94
		sha256:4a1a8c07bd33f6231138d7a374bfbabfdf077c4c69669fda5a2ea75f30fabc91
	Public Key PIN:
		pin-sha256:ShqMB70z9iMRONejdL+6v98HfExpZp/aWi6nXzD6vJE=

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

HTTP/1.1 502 Proxy Error
Date: Mon, 27 Jan 2020 19:56:44 GMT
Server: Apache/2.4.38 (Debian) mod_gnutls/0.9.0 GnuTLS/3.6.7
Content-Length: 341
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
</body></html>
- Peer has closed the GnuTLS connection
  PID TTY          TIME CMD
49064 ?        00:00:00 sleep
--- /build/mod-gnutls-0.9.0/test/tests/23_TLS_reverse_proxy_mismatched_priorities/output	2017-02-28 07:05:55.000000000 -1200
+++ /dev/fd/63	2020-01-27 07:56:44.936852027 -1200
@@ -1,5 +1,6 @@
+
 HTTP/1.1 502 Proxy Error
-Content-Length: 407
+Content-Length: 341
 Connection: close
 Content-Type: text/html; charset=iso-8859-1
 
@@ -10,7 +11,6 @@
 <h1>Proxy Error</h1>
 <p>The proxy server received an invalid
 response from an upstream server.<br />
-The proxy server could not handle the request <em><a href="/proxy/test.txt">GET&nbsp;/proxy/test.txt</a></em>.<p>
-Reason: <strong>Error reading from remote server</strong></p></p>
+The proxy server could not handle the request<p>Reason: <strong>Error reading from remote server</strong></p></p>
 </body></html>
 - Peer has closed the GnuTLS connection
FAILURE: 23_TLS_reverse_proxy_mismatched_priorities
[Mon Jan 27 07:56:44.997278 2020] [gnutls:debug] [pid 49148:tid 140644500755584] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Mon Jan 27 07:56:45.068445 2020] [gnutls:debug] [pid 49156:tid 140440329122944] gnutls_cache.c(354): mgs_cache_inst_config: Socache 'shmcb:cache/gnutls_cache_23_TLS_reverse_proxy_mismatched_priorities_backend(65536)' created.
AH00557: apache2: apr_sockaddr_info_get() failed for profitbricks-build11-amd64
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

Apache error logs:
[Mon Jan 27 07:56:44.909088 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(2578): [client 127.0.0.1:43684] AH00947: connected /test.txt to localhost:9934
[Mon Jan 27 07:56:44.909229 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(3047): AH02824: HTTPS: connection established with 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:44.909304 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(3215): AH00962: HTTPS: connection complete to 127.0.0.1:9934 (localhost)
[Mon Jan 27 07:56:44.911004 2020] [gnutls:info] [pid 49049:tid 140579019003648] [remote 127.0.0.1:9934] GnuTLS: Handshake Alert (40) 'Handshake failed'.
[Mon Jan 27 07:56:44.911023 2020] [gnutls:info] [pid 49049:tid 140579019003648] [remote 127.0.0.1:9934] GnuTLS: Handshake Failed (-12) 'A TLS fatal alert has been received.'
[Mon Jan 27 07:56:44.911150 2020] [proxy_http:error] [pid 49049:tid 140579019003648] (103)Software caused connection abort: [client 127.0.0.1:43684] AH01102: error reading status line from remote server localhost:9934
[Mon Jan 27 07:56:44.911188 2020] [proxy_http:debug] [pid 49049:tid 140579019003648] mod_proxy_http.c(1351): [client 127.0.0.1:43684] AH01105: NOT Closing connection to client although reading from backend server localhost:9934 failed.
[Mon Jan 27 07:56:44.911199 2020] [proxy:error] [pid 49049:tid 140579019003648] [client 127.0.0.1:43684] AH00898: Error reading from remote server returned by /proxy/test.txt
[Mon Jan 27 07:56:44.911207 2020] [proxy:debug] [pid 49049:tid 140579019003648] proxy_util.c(2331): AH00943: HTTPS: has released connection for (localhost)
[Mon Jan 27 07:56:44.911520 2020] [gnutls:debug] [pid 49049:tid 140579019003648] gnutls_io.c(501): [client 127.0.0.1:43684] mgs_bye: TLS connection closed.
FAIL test-23_TLS_reverse_proxy_mismatched_priorities.bash (exit status: 1)

============================================================================
Testsuite summary for mod_gnutls 0.9.0
============================================================================
# TOTAL: 35
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  4
# XPASS: 0
# ERROR: 0
============================================================================
See test/test-suite.log
============================================================================
make[6]: *** [Makefile:1093: test-suite.log] Error 1

