I have unearthed a strange problem. I have a simple httpd.conf that should map urls like this:
/download -> static content, matching client SSL cert required
* -> mod_python handler, SSL based, but no client cert required
What I get instead is:
https://foobar.com/download/stuff.txt -- static content, client cert required
https://foobar.com/setup/things -- python handler, no client cert required
https://foobar.com/setup/download/stuff -- python handler, client cert required
The last case should never happen given the configuration:
---- httpd.conf ----
ServerName 127.0.0.1
ServerRoot "/usr/local"
DocumentRoot "/usr/local/htdocs"
Listen 443
User www
Group www

LoadModule python_module modules/mod_python.so

<Location "/">
    SetHandler mod_python
    PythonHandler dummy::handler
    PythonDebug On
</Location>

<Location "/download">
    SSLVerifyClient require
    SSLVerifyDepth 1
    SetHandler None
</Location>

SSLEngine on
SSLCertificateFile certs/dummy.crt
SSLCertificateKeyFile certs/dummy.crt
SSLCACertificateFile certs/dummy-ca.crt
--------
This is running against apache 2.2.0, python 2.4.1 and mod_python 3.2.8 (+ the four patches found here, needed for proper 2.2.0 operation: http://svn.apache.org/viewcvs.cgi?rev=376544&view=rev )
Basically, any url that contains, but does not begin with '/download/', falsely requires an SSL client cert, and produces an IOError in the python during the write() call.
I've tried using the "Directory" directive as well as LocationMatch "^/download/". I've also used both 'SetHandler none' and 'SetHandler default-handler'. I've also tried this on linux 2.6.9 as well as mac os x 10.4.6. All of these are equally broken.
Simple test python code is here:
---- dummy.py ----
from mod_python import apache

def handler(req):
    # Echo the request line back to the client as plain text.
    req.content_type = 'text/plain'
    try:
        req.write(str(req.the_request))
    except IOError, e:
        # Python 2.4 syntax (mod_python 3.2.8). Log the error and the
        # request line so the failing URL shows up next to the IOError.
        apache.log_error('IOError: ' + str(e))
        apache.log_error('IOError: ' + req.the_request)
    return apache.OK
--------
Below are the errors produced in apache's error log for each url, using a client that does not have the client cert configured.
https://foobar.com/download/stuff.txt
[www_error] Re-negotiation handshake failed: Not accepted by client!?
[curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0
https://foobar.com/setup/things
[no errors]
https://foobar.com/setup/download/stuff
[www_error] IOError: Write failed, client closed connection.
[www_error] IOError: GET /foo/download HTTP/1.1
[curl error] SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0
Has anybody seen any problem like this? I tried setting this up to fail w/ static content, but so far it only fails w/ mod_python + ssl.
The apache lists show a few other problems w/ the SSLVerifyClient directive, so it may not be only mod_python that triggers this...
http://marc.theaimsgroup.com/?l=apache-modssl&w=2&r=1&s=SSLVerifyClient&q=b
Semantically, it seems odd that the python interpreter would even be invoked, since the SSLVerifyClient ought to be part of the authentication step, and should refuse the request before it even arrives. In any case, I'm completely befuddled.
ben
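As an added illustration (not part of the post above, and not code from Apache or mod_python), the following Python 3 script models the documented matching rules for <Location> and <LocationMatch> and applies them to the sections from the httpd.conf in the post, so a reader can check which URLs each section is supposed to govern. It encodes three rules from the Apache core documentation: a plain <Location> argument is a prefix that must end at a path-segment boundary (/download covers /download and /download/x but not /downloads), an argument containing ? or * is a shell wildcard, and <LocationMatch> (or <Location ~>) is a regular expression searched anywhere in the path unless anchored with ^. Sections are merged in configuration order with later ones overriding earlier ones. The section lists, URL paths and the helper names are constructed for this example; the script assumes the path has already been normalised the way the server does before section matching, and it says nothing about why the server in the post behaves differently from these rules.

```python
import fnmatch
import re

# Constructed from the httpd.conf in the post: (directive, argument, settings).
SECTIONS = [
    ("Location", "/", {"SetHandler": "mod_python"}),
    ("Location", "/download", {"SSLVerifyClient": "require", "SetHandler": "None"}),
]

# The anchored LocationMatch variant the post says was also tried.
SECTIONS_WITH_REGEX = [
    ("Location", "/", {"SetHandler": "mod_python"}),
    ("LocationMatch", "^/download/", {"SSLVerifyClient": "require", "SetHandler": "None"}),
]


def section_applies(directive, arg, path):
    """Return True if a <Location>/<LocationMatch> section applies to path.

    Follows the documented rules of the Apache core:
      * <LocationMatch regex> and <Location ~ regex>: regular expression,
        searched anywhere in the path (so anchor with ^ to pin it to the start).
      * Argument containing ? or *: shell-style wildcard match.
      * Otherwise: prefix match that must end at a path-segment boundary.
    """
    if directive == "LocationMatch" or arg.startswith("~ "):
        pattern = arg[2:] if arg.startswith("~ ") else arg
        return re.search(pattern, path) is not None
    if any(ch in arg for ch in "?*"):
        return fnmatch.fnmatchcase(path, arg)
    if arg == "/":
        return True  # the root section applies to every request
    if arg.endswith("/"):
        return path.startswith(arg)  # "/download/" does not cover "/download"
    return path == arg or path.startswith(arg + "/")


def effective_settings(sections, path):
    """Merge every applying section in configuration order; later sections
    override earlier ones, which is how Apache merges <Location> blocks."""
    merged = {}
    for directive, arg, settings in sections:
        if section_applies(directive, arg, path):
            merged.update(settings)
    return merged


def requires_client_cert(sections, path):
    """True if the merged configuration demands a client certificate."""
    return effective_settings(sections, path).get("SSLVerifyClient") == "require"


if __name__ == "__main__":
    paths = ("/download/stuff.txt", "/setup/things", "/setup/download/stuff")
    for label, sections in (("Location", SECTIONS), ("LocationMatch", SECTIONS_WITH_REGEX)):
        for path in paths:
            s = effective_settings(sections, path)
            print("%-14s %-26s handler=%-10s client cert required=%s"
                  % (label, path, s.get("SetHandler"), requires_client_cert(sections, path)))
```

Under these rules only /download/stuff.txt picks up SSLVerifyClient from either section list; /setup/download/stuff stays on the mod_python handler with no client certificate requirement. The one way to make /setup/download/stuff match is an unanchored <LocationMatch "/download/">, which is worth keeping in mind when reviewing a config that protects a path with a regular expression.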