Apache + mod_python + SSLVerifyClient == broken config / url application

am 07.04.2006 17:59:11 von Ben


I have unearthed a strange problem. I have a simple httpd.conf that should
map urls like this:

/download -> static content, matching client SSL cert required
* -> mod_python handler, SSL based, but no client cert required

What I get instead is

https://foobar.com/download/stuff.txt -- static content, client cert required
https://foobar.com/setup/things -- python handler, no client cert required
https://foobar.com/setup/download/stuff -- python handler, client cert required

The last thing should never happen by the configuration:

---- httpd.conf ----
ServerName 127.0.0.1
ServerRoot "/usr/local"
DocumentRoot "/usr/local/htdocs"
Listen 443
User www
Group www
LoadModule python_module modules/mod_python.so

<Location "/">
    SetHandler mod_python
    PythonHandler dummy::handler
    PythonDebug On
</Location>

<Location "/download">
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetHandler None
</Location>

SSLEngine on
SSLCertificateFile certs/dummy.crt
SSLCertificateKeyFile certs/dummy.crt
SSLCACertificateFile certs/dummy-ca.crt
--------

This is running against apache 2.2.0, python 2.4.1 and mod_python 3.2.8 (+
the four patches found here -- needed for proper 2.2.0 operation --
http://svn.apache.org/viewcvs.cgi?rev=376544&view=rev )

Basically, any url that contains, but does not begin with '/download/',
falsely requires an SSL client cert, and produces an IOError in the python
during the write() call.

I've tried using "Directory" directive as well as LocationMatch
"^/download/". Also I've used both 'SetHandler none' and 'SetHandler
default-handler'. I've also tried this on linux 2.6.9 as well as mac os x
10.4.6. All of these are equally broken.

Simple test python code is here:

---- dummy.py ----
from mod_python import apache

def handler(req):
    req.content_type = 'text/plain'
    try:
        # Echo the request line back to the client.
        req.write(str(req.the_request))
    except IOError, e:
        # The write fails when the client has already closed the connection;
        # log the error and the request line it happened on.
        apache.log_error('IOError: ' + str(e))
        apache.log_error('IOError: ' + req.the_request)
    return apache.OK
--------

Below are the errors produced in apache's error log for each url, using a
client that does not have the client cert configured.

https://foobar.com/download/stuff.txt
[www_error] Re-negotiation handshake failed: Not accepted by client!?
[curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure, errno 0

https://foobar.com/setup/things
[no errors]

https://foobar.com/setup/download/stuff
[www_error] IOError: Write failed, client closed connection.
[www_error] IOError: GET /foo/download HTTP/1.1
[curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure, errno 0

Has anybody seen any problem like this? I tried setting this up to fail w/
static content, but so far it only fails w/ mod_python + ssl.
The apache lists show a few other problems w/ the SSLVerifyClient directive,
so it may not be only mod_python that triggers this...


http://marc.theaimsgroup.com/?l=apache-modssl&w=2&r=1&s=SSLVerifyClient&q=b

Semantically, it seems odd that the python interpreter would even be
invoked, since the SSLVerifyClient ought to be part of the authentication
step, and should refuse the request before it even arrives. In any case,
I'm completely befuddled.

ben
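
An added check (my illustration, not part of Ben's post and not Apache's own parser): this Python script applies the documented <Location> whole-component prefix rule and the <LocationMatch> regex rule to a copy of the two Location blocks above, merging matching sections in file order, and reports which handler and client-certificate requirement each of the three URLs should get. It assumes only those two merge rules and shows that, by the configuration, /setup/download/stuff should not require a cert, which is the expected behaviour the logged errors above are being compared against.

```python
import re

# Constructed copy of the two Location blocks from the post (example input, not live config).
HTTPD_CONF = """
<Location "/">
    SetHandler mod_python
    PythonHandler dummy::handler
    PythonDebug On
</Location>
<Location "/download">
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetHandler None
</Location>
"""

# The LocationMatch "^/download/" variant the post also tried.
HTTPD_CONF_REGEX = HTTPD_CONF.replace('<Location "/download">', '<LocationMatch "^/download/">')

SECTION_RE = re.compile(
    r'<(Location|LocationMatch)\s+"?(.+?)"?\s*>(.*?)</(?:Location|LocationMatch)>', re.S)

def parse_sections(conf):
    """Yield (kind, argument, {directive: value}) for each Location/LocationMatch block."""
    for kind, arg, body in SECTION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        yield kind, arg, directives

def section_matches(kind, arg, path):
    """<Location "/download"> matches /download and /download/..., but neither
    /setup/download/... nor /downloads; <LocationMatch> is a regex search."""
    if kind == "LocationMatch":
        return re.search(arg, path) is not None
    prefix = arg.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def effective_config(conf, path):
    """Merge every matching section in file order; a later section overrides an earlier one."""
    merged = {}
    for kind, arg, directives in parse_sections(conf):
        if section_matches(kind, arg, path):
            merged.update(directives)
    return merged

def requires_client_cert(conf, path):
    return effective_config(conf, path).get("SSLVerifyClient") == "require"

if __name__ == "__main__":
    for url in ("/download/stuff.txt", "/setup/things", "/setup/download/stuff"):
        cfg = effective_config(HTTPD_CONF, url)
        print("%-24s handler=%-11s client cert required=%s"
              % (url, cfg.get("SetHandler"), requires_client_cert(HTTPD_CONF, url)))
```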

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org