Description of problem:
When I use mod_ssl and mod_python and pyxmlsec, a certificate verification error occurs. I found a procedure to reproduce it, but the root cause is not yet identified. Maybe my configuration or test code is wrong.

Version-Release number of selected component (if applicable):
httpd-2.2.3-31.el5
mod_ssl-2.2.3-31.el5
mod_python-3.2.8-3.1
pyxmlsec-0.3.0-3.el5

How reproducible:
Always

Steps to Reproduce:
1. Modify httpd.conf and ssl.conf.

--- conf/httpd.conf.orig 2009-07-15 22:04:42.000000000 +0900 +++ conf/httpd.conf 2009-09-10 20:18:27.000000000 +0900 @@ -100,7 +100,7 @@ <IfModule prefork.c> -StartServers 8 -MinSpareServers 5 -MaxSpareServers 20 -ServerLimit 256 -MaxClients 256 +StartServers 1 +MinSpareServers 1 +MaxSpareServers 1 +ServerLimit 1 +MaxClients 1 MaxRequestsPerChild 4000 @@ -209,3 +209,6 @@ # -Include conf.d/*.conf +#Include conf.d/*.conf +Include conf.d/python.conf +Include conf.d/ssl.conf +Include conf.d/ssl_crypto.conf --- conf.d/ssl.conf.orig 2009-07-06 18:31:47.000000000 +0900 +++ conf.d/ssl.conf 2009-09-10 18:11:01.000000000 +0900 @@ -43,3 +43,4 @@ SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 +SSLSessionCacheTimeout 3 +#SSLSessionCache none @@ -134,2 +135,3 @@ #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt +SSLCACertificateFile /etc/pki/tls/certs/cacert.pem
@@ -140,4 +142,4 @@ # issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 +SSLVerifyClient require +SSLVerifyDepth 1

2. Create files for test.

==> /etc/httpd/conf.d/ssl_crypto.conf <==
<Directory "/var/www/html/ssl_crypto/">
    AddHandler mod_python .py
    PythonHandler ssl_crypto
    PythonDebug On
</Directory>

==> /var/www/html/ssl_crypto/ssl_crypto.py <==
#!/usr/bin/python
# Python 2 syntax, as required by mod_python 3.2.8.
from mod_python import apache
import xmlsec

def handler(req):
    req.content_type = "text/plain"
    req.write("Hello Test!\n")

    # Initialise xmlsec and its crypto layer inside the httpd child process.
    if xmlsec.init() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoAppInit(None) < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    if xmlsec.cryptoInit() < 0:
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR

    # Shut everything down again, in reverse order, before returning.
    xmlsec.cryptoShutdown()
    xmlsec.cryptoAppShutdown()
    xmlsec.shutdown()
    return apache.OK

3. Install cacert.pem on web server.
4. Restart web server.
5. Install client certification file on web browser.
6. Access to https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py.
7. Access to https://xx.xx.xx.xx/ssl_crypto/ssl_crypto.py again.

Actual results:
Certificate verification error occurs.

Expected results:
Certificate verification error does not occur.

Additional info:
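
Review bot: The prefork hunk in conf/httpd.conf (-100,7) pins the server to a single child with "ServerLimit 1" and "MaxClients 1", but the report does not say why. Please add a line stating that this makes the request in step 7 land on the same process that already ran the handler, including its xmlsec shutdown calls, in step 6, and say whether the error still appears with the original prefork values.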
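
Review bot: In the conf.d/ssl.conf hunk at -43,3, "SSLSessionCacheTimeout 3" is set and "#SSLSessionCache none" is added commented out, yet the steps give no interval between step 6 and step 7 and no result with the cache disabled. Please state how long to wait between the two accesses and whether the error still occurs with "SSLSessionCache none" enabled, since that decides whether the second access can resume a cached session or has to perform a full handshake with client verification.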
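
Review bot: In the conf.d/ssl.conf hunk at -140,4, "SSLVerifyDepth 1" only accepts a client certificate that is self-signed or issued directly by a CA the server knows from SSLCACertificateFile, so a client chain with an intermediate CA would fail verification regardless of the Python handler. Please state that the client certificate is issued directly by the CA in cacert.pem, say whether the access in step 6 succeeds, and attach the mod_ssl error log line for the failing request so a depth problem can be excluded.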
Fedora EPEL 5 changed to end-of-life (EOL) status on 2017-03-31. Fedora EPEL 5 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora or Fedora EPEL, please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.