Geez, this is getting weirder. It looks like the GSID problems
I'm having are at least partly caused by Verisign and/or Microsoft,
not anything to do with openssl or modssl.
If I fire up MSIE 4.0 and visit www.citibank.com (one of the biggest
banks in the US), then click the "Apply for 3.9% Platinum card" in the
bottom frame, it goes to an SSL credit card application page signed
with a Verisign GSID dated 1/16/99. MSIE rejects this as being signed
by an invalid issuer and runs with 40 bit cryptography. It does work
properly with recent versions of Netscape, which have the newer Verisign
root installed. I'm trying to find an old version of Netscape (4.05 or
earlier, apparently; 4.04 might be needed) to try it with. Argggh!!!
It looks like *NO* Verisign GSID's issued in 1999 work properly with
older browsers (at least with IE), regardless of the server type.
At best, Verisign might have to issue some new chaining certs to
connect their new class 3 primary root to their old one, or to connect
their international CA with their old primary root. Sigh...
Paul
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
