Bug 522466 - Certificate verification error occurs when using mod_ssl, mod_python, pyxmlsec
Summary: Certificate verification error occurs when using mod_ssl, mod_python, pyxmlsec
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: pyxmlsec
Version: el5
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-10 12:10 UTC by Yoshinori KUNIGA
Modified: 2017-04-06 10:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-06 10:30:32 UTC


Attachments (Terms of Use)

Description Yoshinori KUNIGA 2009-09-10 12:10:04 UTC
Description of problem:
When I use mod_ssl and mod_python and pyxmlsec, certificate
verification error occurs.  I found a procedure to reproduce but root
cause is not yet unidentified.  Maybe my configuration or test code is
wrong.

Version-Release number of selected component (if applicable):
  httpd-2.2.3-31.el5
  mod_ssl-2.2.3-31.el5
  mod_python-3.2.8-3.1
  pyxmlsec-0.3.0-3.el5

How reproducible:
  Always

Steps to Reproduce:
1. Modify httpd.conf and ssl.conf.

--- conf/httpd.conf.orig	2009-07-15 22:04:42.000000000 +0900
+++ conf/httpd.conf	2009-09-10 20:18:27.000000000 +0900
@@ -100,7 +100,7 @@
 <IfModule prefork.c>
-StartServers       8
-MinSpareServers    5
-MaxSpareServers   20
-ServerLimit      256
-MaxClients       256
+StartServers       1
+MinSpareServers    1
+MaxSpareServers    1
+ServerLimit        1
+MaxClients         1
 MaxRequestsPerChild  4000
@@ -209,3 +209,6 @@
 #
-Include conf.d/*.conf
+#Include conf.d/*.conf
+Include conf.d/python.conf
+Include conf.d/ssl.conf
+Include conf.d/ssl_crypto.conf
 
--- conf.d/ssl.conf.orig	2009-07-06 18:31:47.000000000 +0900
+++ conf.d/ssl.conf	2009-09-10 18:11:01.000000000 +0900
@@ -43,3 +43,4 @@
 SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
-SSLSessionCacheTimeout  300
+SSLSessionCacheTimeout  3
+#SSLSessionCache         none
 
@@ -134,2 +135,3 @@
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+SSLCACertificateFile /etc/pki/tls/certs/cacert.pem
 
@@ -140,4 +142,4 @@
 #   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
+SSLVerifyClient require
+SSLVerifyDepth  1


2. Create files for test.

==> /etc/httpd/conf.d/ssl_crypto.conf <==
<Directory "/var/www/html/ssl_crypto/">
    AddHandler mod_python .py
    PythonHandler ssl_crypto
    PythonDebug On
</Directory>

==> /var/www/html/ssl_crypto/ssl_crypto.py <==
#!/usr/bin/python

from mod_python import apache
import xmlsec

def handler(req):

    req.content_type = "text/plain"
    req.write("Hello Test!\n")

    if xmlsec.init() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoAppInit(None) < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoInit() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR

    xmlsec.cryptoShutdown()
    xmlsec.cryptoAppShutdown()
    xmlsec.shutdown()

    return apache.OK


3. Install cacert.pem on web server.

4. Restart web server.

5. Install client certification file on web browser.

6. Access to https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py.

7. Access to https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py again.


Actual results:
Certificate verification error occurs.

Expected results:
Certificate verification error does not occurs.

Additional info:

Comment 1 Fedora End Of Life 2017-04-06 10:30:32 UTC
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5
is no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora
or Fedora EPEL, please feel free to reopen this bug against that version. If
you are unable to reopen this bug, please file a new report against the current
release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.