On Tue, May 08, 2012, Tammany, Curtis wrote:

> > If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
> > extension that is the problem which isn't supported in OpenSSL 0.9.8.
> >
> One of the intermediate certs does have a name constraint...
> 

It is most likely critical then which would trigger the rejection by OpenSSL
0.9.8.

> > Does the production site have any directories of trusted certificates or are
> > they all in a single file? I ask because the link algorithm changed in OpenSSL
> > 1.0.0 and later and is incompatible with the 0.9.8 version.
> >
> The production site is structured the same way as the development site with 
> all of the certs in one file starting with the Common Policy cert.
> 

You say it doesn't work with Windows 7 at all? What errors do you get with
that?

> > Note that you can't just update the DLLs for a new major version of OpenSSL:
> > the applications will need to be recompiled too.
> >
> > You could try updating to OpenSSL 1.0.0i instead as the 1.0.1 series of
> > OpenSSL is very new and there are several reported interop problems.
> 
> I don't have the means to compile my own Apache/OpenSSL combination. I have 
> been going to apachelounge.com and/or slproweb.com to get my binaries.
> 
> Can I get the Apache 2.2.22/OpenSSL 1.0.1a from ApacheLounge and replace the 
> dlls with the OpenSSL 1.0.0i available on slproweb.com?
> 

That should be OK as 1.0.1 is binary compatible with 1.0.0.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
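
Added example (not part of the original message and not OpenSSL code): RFC 5280 requires a verifier to reject a certificate carrying a critical extension it cannot process, which is the rejection described above for a critical name constraints extension. The sketch walks a DER Extensions field and lists the critical extensions a given verifier does not handle; the two verifier profiles and the sample bytes are constructed assumptions, not OpenSSL's actual extension lists.

```python
# Hypothetical verifier profiles (assumptions, not OpenSSL's real extension lists).
WITHOUT_NC = {"2.5.29.19", "2.5.29.15"}   # basicConstraints, keyUsage
WITH_NC = WITHOUT_NC | {"2.5.29.30"}      # plus nameConstraints
# Constructed sample: DER Extensions field of a made-up intermediate CA certificate.
SAMPLE_EXTENSIONS = (
    bytes.fromhex("3040")  # outer SEQUENCE, 64 bytes of content
    + bytes.fromhex("300f0603551d130101ff040530030101ff")  # basicConstraints, critical
    + bytes.fromhex("301e0603551d1e0101ff04143012a010300e820c")  # nameConstraints, critical
    + b"example.test"  # permitted dNSName subtree
    + bytes.fromhex("300d0603551d0e0406040401020304")  # subjectKeyIdentifier, not critical
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted form of an OID body (first two arcs packed into a single octet)."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def critical_extensions(ext_der):
    """OIDs of the extensions whose optional critical BOOLEAN is present and TRUE."""
    _, body, _ = read_tlv(ext_der, 0)
    pos, found = 0, []
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)                # one Extension SEQUENCE
        _, oid, after_oid = read_tlv(ext, 0)             # extnID
        next_tag, value, _ = read_tlv(ext, after_oid)    # BOOLEAN or extnValue
        if next_tag == 0x01 and value != b"\x00":
            found.append(decode_oid(oid))
    return found

def unhandled_critical(ext_der, supported):  # any hit means the verifier must reject
    return [oid for oid in critical_extensions(ext_der) if oid not in supported]
```

A non-empty result from `unhandled_critical` for the profile without name constraints support corresponds to the chain failing on the older verifier while passing on the newer one.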
