Authenticated Origin Pulls stopped working with Apache on Ubuntu 18.04.2

My Apache webserver rebooted itself during off hours to complete software updates, and after that authenticated origin pulls seem to have stopped working. I was getting error 525, handshake error.

A workaround for me is not using authenticated origin pulls on that particular server for now.

OpenSSL got updated from 1.1.0g-2ubuntu4.3 to 1.1.1-1ubuntu2.1, but downgrading didn’t fix the issue.
libssl1.1 got updated from 1.1.0g-2ubuntu4.3 to 1.1.1-1ubuntu2.1~18.04.1, but downgrading didn’t fix the issue.

So I’m at a bit of a loss. Does anyone know what might be happening? Other servers I have use nginx and are not having trouble with using authenticated origin pulls.

I figured I’d try debugging this during off hours:

    [Thu Jun 13 02:23:11.170479 2019] [ssl:debug] [pid 2543] ssl_engine_kernel.c(1585): [client 172.69.146.69:34726] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=origin-pull.cloudflare.net,ST=California,L=San Francisco,OU=Origin Pull,O=CloudFlare\\, Inc.,C=US / issuer: CN=origin-pull.cloudflare.net,ST=California,L=San Francisco,OU=Origin Pull,O=CloudFlare\\, Inc.,C=US / serial: 5791BA9556C22E61 / notbefore: Jan 13 02:47:53 2015 GMT / notafter: Jan 12 02:52:53 2020 GMT]
    [Thu Jun 13 02:23:11.170692 2019] [ssl:debug] [pid 2543] ssl_engine_kernel.c(1585): [client 172.69.146.69:34726] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: OU=Origin Pull,O=Cloudflare\\, Inc.,L=San Francisco,ST=California,C=US / issuer: CN=origin-pull.cloudflare.net,ST=California,L=San Francisco,OU=Origin Pull,O=CloudFlare\\, Inc.,C=US / serial: 5716865525E972A3C394C4E066166CCCEB2CB94D / notbefore: Oct 30 18:01:00 2018 GMT / notafter: Oct 30 18:01:00 2019 GMT]
    [Thu Jun 13 02:23:11.171988 2019] [socache_shmcb:debug] [pid 2543] mod_socache_shmcb.c(557): AH00837: socache_shmcb_remove (0x01 -> subcache 1)
    [Thu Jun 13 02:23:11.171998 2019] [socache_shmcb:debug] [pid 2543] mod_socache_shmcb.c(571): AH00839: leaving socache_shmcb_remove successfully
    [Thu Jun 13 02:23:11.172035 2019] [ssl:info] [pid 2543] [client 172.69.146.69:34726] AH02008: SSL library error 1 in handshake (server xxx:443)
    [Thu Jun 13 02:23:11.172048 2019] [ssl:info] [pid 2543] SSL Library Error: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve

The wrong curve is interesting. My mod_ssl.c config had one curve configured:

    SSLOpenSSLConfCmd ECDHParameters secp384r1

Commenting that out and using the default curve configuration solved the issue. Weird that it’s happening now after working for months, and only failing on Apache, not on nginx.

I’m guessing there’s a problem with the way Apache announces supported curves, or something happened that caused a problem with the way SSLOpenSSLConfCmd works.

I might try narrowing down the curves later on, but for now I have authenticated origin pulls working.
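As an added example (not code from the original post or from Cloudflare), here is a small Python script that pairs Apache `AH02008` handshake-failure lines with the `SSL Library Error` line that follows them, pulls out the OpenSSL error code, function and reason, and checks the vhost config for an `SSLOpenSSLConfCmd` directive that pins the curve list. The log lines and the config fragment are constructed from the excerpt above, not captured from a real server, and the `client-cert-curve-mismatch` verdict reflects my reading of the error: in `tls12_check_peer_sigalg` a `wrong curve` result means the curve of the client certificate's ECDSA key was not in the list of groups the server is configured to accept, which is exactly what pinning `ECDHParameters secp384r1` does. The `Curves` and `Groups` spellings are matched too, since they are the other SSL_CONF commands that narrow the same list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the error-log excerpt in the post.
SAMPLE_LOG = """\
[Thu Jun 13 02:23:11.172035 2019] [ssl:info] [pid 2543] [client 172.69.146.69:34726] AH02008: SSL library error 1 in handshake (server xxx:443)
[Thu Jun 13 02:23:11.172048 2019] [ssl:info] [pid 2543] SSL Library Error: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve
[Thu Jun 13 02:25:00.000000 2019] [ssl:info] [pid 2543] [client 198.51.100.7:51000] AH02008: SSL library error 1 in handshake (server xxx:443)
[Thu Jun 13 02:25:00.000100 2019] [ssl:info] [pid 2543] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

# Constructed vhost fragment containing the directive the post identifies as the trigger.
SAMPLE_CONFIG = """\
SSLEngine on
SSLVerifyClient require
SSLOpenSSLConfCmd ECDHParameters secp384r1
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:\w+\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] AH02008: SSL library error"
)
LIBERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:\w+\] \[pid (?P<pid>\d+)\] SSL Library Error: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)
# SSL_CONF commands that restrict the curves/groups OpenSSL will accept.
GROUP_DIRECTIVE_RE = re.compile(
    r"^\s*SSLOpenSSLConfCmd\s+(?P<cmd>ECDHParameters|Curves|Groups)\s+(?P<value>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_ssl_errors(log_text: str) -> List[Dict[str, str]]:
    """Pair each 'SSL Library Error' line with the preceding AH02008 line of the same pid."""
    pending: Dict[str, str] = {}  # pid -> client whose handshake just failed
    errors: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending[m["pid"]] = m["client"]
            continue
        m = LIBERR_RE.match(line)
        if m:
            errors.append({
                "time": m["ts"],
                "client": pending.pop(m["pid"], "unknown"),
                "code": m["code"].upper(),
                "func": m["func"],
                "reason": m["reason"].strip(),
            })
    return errors


def configured_groups(config_text: str) -> Optional[List[str]]:
    """Return the curves pinned via SSLOpenSSLConfCmd, or None when OpenSSL defaults apply."""
    m = GROUP_DIRECTIVE_RE.search(config_text)
    if not m or m["value"].lower() == "automatic":
        return None
    return m["value"].split(":")


def diagnose(error: Dict[str, str], config_text: str) -> str:
    """Classify one parsed error; the 'wrong curve' branch is the case from the post."""
    groups = configured_groups(config_text)
    if error["func"] == "tls12_check_peer_sigalg" and error["reason"] == "wrong curve":
        if groups:
            return ("client-cert-curve-mismatch: client %s presented an ECDSA key on a curve "
                    "outside the configured list %s; widen the list or drop the directive"
                    % (error["client"], ":".join(groups)))
        return "wrong curve reported but no curve restriction found in this config; check other vhosts"
    if "alert" in error["reason"]:
        # The peer sent the alert, so the failure was decided on the client side.
        return "peer-sent-alert: client %s aborted with '%s'" % (error["client"], error["reason"])
    return "unclassified: %s %s" % (error["func"], error["reason"])


if __name__ == "__main__":
    for err in parse_ssl_errors(SAMPLE_LOG):
        print(err["time"], err["code"], "->", diagnose(err, SAMPLE_CONFIG))
```

Run it against `/var/log/apache2/error.log` and the vhost file instead of the constructed samples to confirm that every `wrong curve` failure coincides with a pinned curve list; if the verdict is the mismatch case, the fix the post arrived at (dropping the directive so OpenSSL's default group list applies) is the least invasive one.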
