I did order the certificate for Stronghold, since I guessed this was the
closest thing to Apache + mod_ssl. The output from "openssl x509 ..." only
mentions the extra Netscape flag, doesn't say anything about a Microsoft
flag.
                X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
Am I looking in the wrong place? Should I be looking for something else?

Is there any way around this problem? I don't fancy telling my boss we just
paid $1600 for a certificate which will only be of use to ~30% (at most) of
our clients :).

Thanks for your help,

Gareth.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matthias Loepfe
Sent: 02 December 1999 08:40
To: [EMAIL PROTECTED]
Subject: Re: GlobalID problem


Hi,

We had probably the same problem. Please check if your GlobalID Cert has
both of the SGC ext. key usage flags set (NS and MS) or only NS.

IE chooses a different stepup procedure if the GlobalID Cert contains the
MS SGC flag, which is not supported by OpenSSL. This flavour of step up
is a change in the SSL protocol.

If you order a GlobalID from Verisign it is important to order it
for stronghold and not for IIS.

Sorry. I planned to send such a mail last week, but found no time to
do it.

Ralf: I think it would be best to change your code which checks the SGC
flags in a way that when the MS-SGC flag is set a BIG WARNING is printed.

Also I think it would probably be a good idea to think about supporting
the MS-StepUp in OpenSSL.

Regards

Matthias

Gareth Jones wrote:
>
> Hi,
>
> Just wondering if anyone has encountered the following problem with the
> Verisign SGC GlobalID certificates. I'm running mod_ssl 2.4.8_1.3.9, and
> have got both the global certificate and the intermediate certificate
> installed and configured. I can connect with an export version of
> Netscape and get 128-bit encryption no problem. If I try the same thing
> with IE5.0 I get a "cannot find server or DNS error", which is very
> helpful. If I try it with IE4.0 I get the slightly more useful error of
> "Invalid Certificate", which I guess means the intermediate certificate.
>
> I've tried putting the intermediate cert in using both
> SSLCertificateChainFile directive and the SSLCACertificatePath and
> SSLCACertificateFile directives (all work with Netscape, still no dice
> with IE). I've also tried pointing IE at some external websites that use
> SGC (like https://enigma.barclaycard.co.uk) and they work fine. The only
> unusual thing is that I'm trying this out on an internal, private
> webserver (before putting it on our production server), which doesn't
> have the same Common Name as the certificate. Would that cause IE to
> complain?
>
> Any ideas? (Except for "don't use IE" please :))
>
> Thanks,
> Gareth.
>
> --
> Mutant Technology Ltd.
> tel:+44 (0)171 257 9983
> fax:+44 (0)171 836 2600
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

--

-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
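
The flag check discussed in this thread, as an added example that is not part of the original messages or of mod_ssl: shell functions that read `openssl x509 -noout -text` output and report which SGC flags the Extended Key Usage carries, warning when the Microsoft one is present. The function names, the sample certificate text and the `server.crt` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify SGC flags in `openssl x509 -noout -text` output (stdin).
# Usage: openssl x509 -in server.crt -noout -text | sgc_report   (server.crt is a placeholder)
sgc_flags() {   # prints one of: none | ns | ms | ns+ms
    awk '
        /X509v3 Extended Key Usage/ { in_eku = 1; next }
        in_eku && /:/ { in_eku = 0 }       # next extension header ends the EKU value
        in_eku {
            n = split($0, part, ",")       # one name per line, or one comma list
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                # long names, or dotted OIDs when the build prints no name
                if (part[i] == "Netscape Server Gated Crypto" || part[i] == "2.16.840.1.113730.4.1") ns = 1
                if (part[i] == "Microsoft Server Gated Crypto" || part[i] == "1.3.6.1.4.1.311.10.3.3") ms = 1
            }
        }
        END { r = ns ? "ns" : "none"; if (ms) r = ns ? "ns+ms" : "ms"; print r }'
}
# Warn (exit status 1) when the Microsoft flag is present, as the thread suggests.
sgc_report() {
    flags=$(sgc_flags)
    case "$flags" in
        ms|ns+ms) echo "WARNING: Microsoft SGC flag present ($flags)" >&2; return 1 ;;
        ns)       echo "only the Netscape SGC flag is set" ;;
        *)        echo "no SGC flag in Extended Key Usage" ;;
    esac
}
# Constructed sample inputs (not taken from a real certificate).
sample_ns_only() { cat <<'EOF'
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
            Netscape Cert Type:
EOF
}
sample_both() { cat <<'EOF'
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
EOF
}
sample_ns_only | sgc_report
```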