Hi,
We had probably the same problem. Please check if your GlobalID Cert has
both of the SGC ext. key usage flags set (NS and MS) or only NS.
IE chooses a different stepup procedure if the GlobalID Cert contains the
MS SGC flag, which is not supported by OpenSSL. This flavour of step up
is a change in the SSL protocol.
If you order a GlobalID from Verisign it is important to order it
for stronghold and not for IIS.
Sorry. I planned to send such a mail last week, but found no time to
do it.
Ralf: I think it would be best to change your code which checks the SGC
flags in a way that when the MS-SGC flag is set a BIG WARNING is printed.
Also I think it would probably be a good idea to think about supporting
the MS-StepUp in OpenSSL.
Regards
Matthias
Gareth Jones wrote:
>
> Hi,
>
> Just wondering if anyone has encountered the following problem with the
> Verisign SGC GlobalID certificates. I'm running mod_ssl 2.4.8_1.3.9, and
> have got both the global certificate and the intermediate certificate
> installed and configured. I can connect with an export version of
> Netscape and get 128-bit encryption no problem. If I try the same thing
> with IE5.0 I get a "cannot find server or DNS error", which is very
> helpful. If I try it with IE4.0 I get the slightly more useful error of
> "Invalid Certificate", which I guess means the intermediate certificate.
>
> I've tried putting the intermediate cert in using both
> SSLCertificateChainFile directive and the SSLCACertificatePath and
> SSLCACertificateFile directives (all work with Netscape, still no dice
> with IE). I've also tried pointing IE at some external websites that use
> SGC (like https://enigma.barclaycard.co.uk) and they work fine. The only
> unusual thing is that I'm trying this out on an internal, private
> webserver (before putting it on our production server), which doesn't
> have the same Common Name as the certificate. Would that cause IE to
> complain?
>
> Any ideas? (Except for "don't use IE" please :))
>
> Thanks,
> Gareth.
>
> --
> Mutant Technology Ltd.
> tel:+44 (0)171 257 9983
> fax:+44 (0)171 836 2600
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED] Voice: +41 1 272 6111 Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
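The check Matthias asks for at the top of the thread (does the GlobalID cert carry the Netscape SGC flag only, or the Microsoft SGC flag as well?) can be scripted. The following is an added example, not code from the thread, from mod_ssl or from OpenSSL: it parses the text that `openssl x509 -in cert.pem -noout -text` prints, looks at the "X509v3 Extended Key Usage" line, and reports which SGC flavours are present, printing the warning the thread suggests when the Microsoft flag is set. The OIDs used (Netscape SGC 2.16.840.1.113730.4.1, Microsoft SGC 1.3.6.1.4.1.311.10.3.3) are the standard ones; the certificate snippets embedded below are constructed samples in the OpenSSL output format, not real certificates.

```python
"""Classify the Server Gated Cryptography (SGC) flags in a certificate.

Added example for the mod_ssl thread above; it is not part of mod_ssl or
OpenSSL. Input is the text form of a certificate, e.g. produced with:

    openssl x509 -in cert.pem -noout -text

Only the "X509v3 Extended Key Usage" extension is inspected.
"""
import re
from typing import List, Set

# Standard OIDs for the two SGC flavours. OpenSSL normally prints the long
# names below instead of the dotted OIDs, so both spellings are accepted.
NS_SGC_OID = "2.16.840.1.113730.4.1"
MS_SGC_OID = "1.3.6.1.4.1.311.10.3.3"
SGC_FLAGS = {
    "Netscape Server Gated Crypto": "NS",
    NS_SGC_OID: "NS",
    "Microsoft Server Gated Crypto": "MS",
    MS_SGC_OID: "MS",
}


def extended_key_usage(x509_text: str) -> List[str]:
    """Return the entries of the EKU extension, or [] if the cert has none.

    OpenSSL prints the header line (optionally followed by "critical") and
    the comma-separated purposes on the next, indented line.
    """
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return []
    return [item.strip() for item in m.group(1).split(",") if item.strip()]


def sgc_flags(x509_text: str) -> Set[str]:
    """Return the SGC flavours present: a subset of {"NS", "MS"}."""
    return {SGC_FLAGS[e] for e in extended_key_usage(x509_text) if e in SGC_FLAGS}


def classify(x509_text: str) -> str:
    """Summarise the SGC situation as one of four verdicts."""
    flags = sgc_flags(x509_text)
    if not flags:
        return "no-sgc"
    if flags == {"NS"}:
        return "ns-only"
    if flags == {"MS"}:
        return "ms-only"
    return "ns-and-ms"


def check(x509_text: str) -> str:
    """Print the warning the thread proposes and return the verdict."""
    verdict = classify(x509_text)
    if "MS" in sgc_flags(x509_text):
        print("WARNING: certificate carries the Microsoft SGC flag; IE will use "
              "the MS step-up procedure, which mod_ssl/OpenSSL does not support.")
    return verdict


# Constructed sample fragments in OpenSSL's -text layout (not real certs).
SAMPLE_NS_ONLY = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto
"""

SAMPLE_NS_AND_MS = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
"""

SAMPLE_NO_EKU = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""

if __name__ == "__main__":
    for name, text in [("ns-only", SAMPLE_NS_ONLY),
                       ("ns-and-ms", SAMPLE_NS_AND_MS),
                       ("no-eku", SAMPLE_NO_EKU)]:
        print(name, "->", check(text))
```

Run it against a real certificate with `openssl x509 -in cert.pem -noout -text | python3 sgc_check.py` after replacing the samples with `sys.stdin.read()`; a verdict of `ns-and-ms` or `ms-only` is the case the thread describes, where IE switches to the Microsoft step-up procedure.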