On Fri, May 21, 1999 at 11:27:55PM -0700, Brian D. Kohl wrote:
> First of All: I created a temp certificate with my private key and the
> HTTPS site works (unknown CA, but works).
> Scenario: I got my server.crt back from Verisign. No worky.
> Error: My ssl_engine log gives me:
> " OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad
> protocol version number "
That error message should really read
"...:x509 certificate routines:X509_check_private_key:key values mismatch"
-- the translation of error codes was done incorrectly (it's fixed in
the current OpenSSL beta). You should see that error message only if
either the modulus or the public exponent are not the same in the key
and certificate.
[...]
> I tested my server.key verse my server.crt with the method to compare the
> entire public modulus and exponent of both. They match exactly. I did: "
> openssl rsa -noout -text -in server.key " and " openssl x509 -noout -text
> -in server.crt " to test them.
>
> Next I tested my server.csr to my server.key to make sure I submitted the
> right request to Verisign, based on the private key I am using. They match
> exactly. I did: " openssl req -noout -modulus -in server.csr | openssl
> md5 " and " openssl rsa -noout -modulus -in server.key | openssl md5 " to
> test them.
>
> Next, I tested my server.crt to my server.key using the shorter method.
> They were NOT even close. Totally different. I did: " openssl x509
> -noout -modulus -in server.crt | openssl md5 " and " openssl rsa -noout
> -modulus -in server.key | openssl md5 " to test them.
>
> I am very confused, [...]
So am I. Could you send your two certificates -- the self-signed one
and the one issued by Verisign -- to this list? (Obviously I can't
expect you to mail your private key to others :-)
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
