ben
benomatic42 at gmail.com
Thu Apr 6 09:46:45 EDT 2006
I have unearthed a strange problem. I have a simple httpd.conf that should map urls like this:

  /download -> static content, matching client SSL cert required
  *         -> mod_python handler, SSL based, but no client cert required

What I get instead is

  https://foobar.com/download/stuff.txt -- static content, client cert required
  https://foobar.com/setup/things -- python handler, no client cert
  https://foobar.com/setup/download/stuff -- python handler, client cert required

The last thing should never happen by the configuration:

---- httpd.conf ----
ServerName 127.0.0.1
ServerRoot "/usr/local"
DocumentRoot "/usr/local/htdocs"
Listen 443
User www
Group www
LoadModule python_module modules/mod_python.so

<Location "/">
    SetHandler mod_python
    PythonHandler dummy::handler
    PythonDebug On
</Location>

<Location "/download">
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetHandler None
</Location>

SSLEngine on
SSLCertificateFile certs/dummy.crt
SSLCertificateKeyFile certs/dummy.crt
SSLCACertificateFile certs/dummy-ca.crt
--------

This is running against apache 2.2.0, python 2.4.1 and mod_python 3.2.8 (+ the four patches found here -- needed for proper 2.2.0 operation -- http://svn.apache.org/viewcvs.cgi?rev=376544&view=rev )

Basically, any url that contains, but does not begin with '/download/', falsely requires an SSL client cert, and produces an IOError in the python during the write() call. Simple test python code is here:

---- dummy.py ----
from mod_python import apache

def handler(req):
    req.content_type = 'text/plain'
    try:
        req.write(str(req.the_request))
    except IOError, e:
        apache.log_error('IOError: ' + str(e))
        apache.log_error('IOError: ' + req.the_request)
    return apache.OK
--------

Below are the errors produced in apache's error log for each url, using a client that does not have the client cert configured.

https://foobar.com/download/stuff.txt
  [www_error] Re-negotiation handshake failed: Not accepted by client!?
  [curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0

https://foobar.com/setup/things
  [no errors]

https://foobar.com/setup/download/stuff
  [www_error] IOError: Write failed, client closed connection.
  [www_error] IOError: GET /foo/download HTTP/1.1
  [curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0

Has anybody seen any problem like this? I tried setting this up to fail w/ static content, but so far it only fails w/ mod_python + ssl. The apache lists show a few other problems w/ the SSLVerifyClient directive, so it may not be only mod_python that triggers this...

http://marc.theaimsgroup.com/?l=apache-modssl&w=2&r=1&s=SSLVerifyClient&q=b

Any suggestions on how to fix this, or what I ought to do to bring this to apache/modssl developer attention?

Thanks.
ben