Bug 522466

Summary: Certificate verification error occurs when using mod_ssl, mod_python, pyxmlsec
Product: [Fedora] Fedora EPEL
Component: pyxmlsec
Version: el5
Hardware: All
OS: Linux
Status: CLOSED EOL
Severity: medium
Priority: low
Reporter: Yoshinori KUNIGA <ykuniga>
Assignee: Lubomir Rintel <lkundrak>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: lkundrak, ykuniga
Doc Type: Bug Fix
Last Closed: 2017-04-06 10:30:32 UTC

Description Yoshinori KUNIGA 2009-09-10 12:10:04 UTC
Description of problem:
When I use mod_ssl, mod_python and pyxmlsec together, a certificate
verification error occurs.  I found a procedure to reproduce it, but the
root cause is not yet identified.  Maybe my configuration or test code is
wrong.

Version-Release number of selected component (if applicable):
  httpd-2.2.3-31.el5
  mod_ssl-2.2.3-31.el5
  mod_python-3.2.8-3.1
  pyxmlsec-0.3.0-3.el5

How reproducible:
  Always

Steps to Reproduce:
1. Modify httpd.conf and ssl.conf.

--- conf/httpd.conf.orig	2009-07-15 22:04:42.000000000 +0900
+++ conf/httpd.conf	2009-09-10 20:18:27.000000000 +0900
@@ -100,7 +100,7 @@
 <IfModule prefork.c>
-StartServers       8
-MinSpareServers    5
-MaxSpareServers   20
-ServerLimit      256
-MaxClients       256
+StartServers       1
+MinSpareServers    1
+MaxSpareServers    1
+ServerLimit        1
+MaxClients         1
 MaxRequestsPerChild  4000
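Review bot: the prefork block is collapsed to a single worker (ServerLimit 1, MaxClients 1), and that is what gives step 7 its meaning: the second request is guaranteed to land in the same httpd process that already ran the handler in step 6. Say so in the steps, and keep MaxRequestsPerChild well above 2, as it is here, so the worker is not recycled between the two requests. This is a reproducer-only setting that serialises every request and must not be carried into a production config.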
@@ -209,3 +209,6 @@
 #
-Include conf.d/*.conf
+#Include conf.d/*.conf
+Include conf.d/python.conf
+Include conf.d/ssl.conf
+Include conf.d/ssl_crypto.conf
 
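Review bot: replacing `Include conf.d/*.conf` with three explicit includes keeps the test server to mod_python, mod_ssl and the handler, which is good isolation, but the report should state the side effect: on the stock EL5 layout the LoadModule lines for mod_python and mod_ssl live in conf.d/python.conf and conf.d/ssl.conf, so both files must be present for httpd to start, and every other module previously configured from conf.d is now absent from the test server.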
--- conf.d/ssl.conf.orig	2009-07-06 18:31:47.000000000 +0900
+++ conf.d/ssl.conf	2009-09-10 18:11:01.000000000 +0900
@@ -43,3 +43,4 @@
 SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
+SSLSessionCacheTimeout  3
+#SSLSessionCache         none
 
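Review bot: SSLSessionCacheTimeout 3 is doing real work here and the steps do not mention it: a browser that resumes the cached session in step 7 performs no client certificate verification at all, so step 7 has to happen more than 3 seconds after step 6 (or with the cache disabled, as the commented `#SSLSessionCache none` line suggests was also tried) to force a full handshake. Add that timing to the steps.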
@@ -134,2 +135,3 @@
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+SSLCACertificateFile /etc/pki/tls/certs/cacert.pem
 
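Review bot: SSLCACertificateFile now points at /etc/pki/tls/certs/cacert.pem, the file step 3 installs, but nothing in the report shows that the client certificate actually verifies against it. Before attributing the failure to pyxmlsec, run `openssl verify -CAfile /etc/pki/tls/certs/cacert.pem <client cert>` on the server and record the result; a chain problem would fail the first request in step 6 as well, so the actual results should also state explicitly which of the two requests fails.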
@@ -140,4 +142,4 @@
 #   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
+SSLVerifyClient require
+SSLVerifyDepth  1

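Review bot: SSLVerifyDepth 1 accepts only client certificates issued directly by a CA in cacert.pem; if the certificate installed in step 5 was issued through an intermediate, mod_ssl rejects it regardless of pyxmlsec. Either confirm that the client certificate chains to cacert.pem in one step, or leave the depth at the commented default of 10 while isolating the pyxmlsec interaction, and note in the report which it is.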

2. Create files for test.

==> /etc/httpd/conf.d/ssl_crypto.conf <==
<Directory "/var/www/html/ssl_crypto/">
    AddHandler mod_python .py
    PythonHandler ssl_crypto
    PythonDebug On
</Directory>

==> /var/www/html/ssl_crypto/ssl_crypto.py <==
#!/usr/bin/python
# mod_python handler (Python 2 syntax, as in the original report) that
# initialises and tears down pyxmlsec inside the request, i.e. inside a
# long-lived httpd worker process that also hosts mod_ssl.

from mod_python import apache
import xmlsec


def handler(req):
    req.content_type = "text/plain"
    req.write("Hello Test!\n")

    # xmlsec initialisation: library, crypto application layer, crypto engine.
    if xmlsec.init() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoAppInit(None) < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoInit() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR

    # Shutdown in reverse order of initialisation.  cryptoAppShutdown()
    # releases process-wide OpenSSL state (error strings, cipher and digest
    # tables); in this process that state is shared with mod_ssl.
    xmlsec.cryptoShutdown()
    xmlsec.cryptoAppShutdown()
    xmlsec.shutdown()

    return apache.OK


3. Install cacert.pem on the web server.

4. Restart the web server.

5. Install the client certificate file in the web browser.

6. Access https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py.

7. Access https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py again.


Actual results:
A certificate verification error occurs.

Expected results:
No certificate verification error occurs.

Additional info:
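
A command-line version of steps 3 to 7, added here as an example and not part of the bug report: it first checks that the client certificate verifies against cacert.pem with openssl verify, then performs two consecutive TLS handshakes with the client certificate using openssl s_client and classifies each from the client-side output, so the two requests can be compared without a browser. HOST, PORT, CLIENT_CERT, CLIENT_KEY and the classify_handshake helper are assumptions of this example; the CA path is the one from the ssl.conf diff above.

```shell
#!/bin/sh
# Added example, not part of the bug report.  Reproduces steps 6 and 7 with
# openssl s_client and checks the CA chain first.  HOST, PORT, CLIENT_CERT
# and CLIENT_KEY are assumptions; set them for your environment.
HOST="${HOST:-}"                                      # e.g. xx.xx.xx.xx
PORT="${PORT:-443}"
URL_PATH="${URL_PATH:-/ssl_crypto/ssl_crypto.py}"
CLIENT_CERT="${CLIENT_CERT:-client.pem}"              # hypothetical path
CLIENT_KEY="${CLIENT_KEY:-client.key}"                # hypothetical path
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/cacert.pem}"   # path from the ssl.conf diff

# Classify the combined stdout+stderr of one openssl s_client run (read from stdin).
# Prints: rejected - the server sent a certificate-related fatal alert
#         ok       - the handshake completed (s_client printed its verify summary)
#         unknown  - anything else (connection refused, bad arguments, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE \
        'alert (bad certificate|unknown ca|certificate unknown|certificate expired|certificate revoked|handshake failure)|SSL alert number (40|42|43|44|45|46|48)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qE 'Verify return code: [0-9]+'; then
        echo ok
    else
        echo unknown
    fi
}

# Sanity check for steps 3 and 5: does the client certificate verify against
# the CA file mod_ssl was pointed at?  A chain problem fails every request,
# not just the second one.
check_chain() {
    openssl verify -CAfile "$CA_FILE" "$CLIENT_CERT" | grep -q ': OK$'
}

# One request: a full TLS handshake presenting the client certificate, then a
# GET of the handler.  Every s_client invocation is a fresh session, so the
# SSLSessionCacheTimeout of 3 seconds from the report does not matter here;
# it only matters for a browser that would otherwise resume the session.
probe_once() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$URL_PATH" "$HOST" \
      | openssl s_client -connect "$HOST:$PORT" \
            -cert "$CLIENT_CERT" -key "$CLIENT_KEY" -CAfile "$CA_FILE" 2>&1 \
      | classify_handshake
}

main() {
    if ! check_chain; then
        echo "client certificate does not verify against $CA_FILE; fix that first" >&2
        exit 2
    fi
    first=$(probe_once)
    second=$(probe_once)
    echo "first request:  $first"
    echo "second request: $second"
    # With a single prefork worker both requests hit the same process; a clean
    # first handshake followed by a rejected second one is the pattern the
    # report's steps 6 and 7 are looking for.
    if [ "$first" = ok ] && [ "$second" = rejected ]; then
        echo "reproduced: second handshake rejected after a clean first one"
    fi
}

# Only touch the network when a host is given, e.g.  HOST=xx.xx.xx.xx sh repro.sh
if [ -n "$HOST" ]; then
    main
fi
```

Run it twice with a few seconds between runs if you also want to exercise the browser-style session cache path; for the s_client case the two handshakes inside one run are already full handshakes.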

Comment 1 Fedora End Of Life 2017-04-06 10:30:32 UTC
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5
is no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora
or Fedora EPEL, please feel free to reopen this bug against that version. If
you are unable to reopen this bug, please file a new report against the current
release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.