As far as I understand this should work just fine, i.e. having only the Netscape
SGC extension.

Also, could someone give some details about what needs to be done on the server
side in order to support MS SGC? (I doubt there are any changes/additions because
most of the work is done on the client side.)

The way around your problems is to strictly use the same CN/URL on the client
side as the CN in the server certificate.

Patrik


Gareth Jones wrote:

> I did order the certificate for Stronghold, since I guessed this was the
> closest thing to Apache + mod_ssl. The output from "openssl x509 ..." only
> mentions the extra Netscape flag, doesn't say anything about a Microsoft
> flag.
>                 X509v3 Extended Key Usage:
>                 Netscape Server Gated Crypto
> Am I looking in the wrong place? Should I be looking for something else?
>
> Is there any way around this problem? I don't fancy telling my boss we just
> paid $1600 for a certificate which will only be of use to ~30% (at most) of
> our clients :).
>
> Thanks for your help,
>
> Gareth.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Matthias Loepfe
> Sent: 02 December 1999 08:40
> To: [EMAIL PROTECTED]
> Subject: Re: GlobalID problem
>
> Hi,
>
> We had probably the same problem. Please check if your GlobalID Cert has
> both of the SGC ext. key usage flags set (NS and MS) or only NS.
>
> IE chooses a different stepup procedure if the GlobalID Cert contains the
> MS SGC flag, which is not supported by OpenSSL. This flavour of step up
> is a change in the SSL protocol.
>
> If you order a GlobalID from Verisign it is important to order it
> for stronghold and not for IIS.
>
> Sorry. I planned to send such a mail last week, but found no time to
> do it.
>
> Ralf: I think it would be best to change your code which checks the SGC
> flags in a way that, when the MS-SGC flag is set, a BIG WARNING is printed.
>
> Also I think it would probably be a good idea to think about supporting
> the MS-StepUp in OpenSSL.
>
> Regards
>
> Matthias
>
> Gareth Jones wrote:
> >
> > Hi,
> >
> > Just wondering if anyone has encountered the following problem with the
> > Verisign SGC GlobalID certificates. I'm running mod_ssl 2.4.8_1.3.9, and
> > have got both the global certificate and the intermediate certificate
> > installed and configured. I can connect with an export version of
> > Netscape and get 128-bit encryption no problem. If I try the same thing
> > with IE5.0 I get a "cannot find server or DNS error", which is very
> > helpful. If I try it with IE4.0 I get the slightly more useful error of
> > "Invalid Certificate", which I guess means the intermediate certificate.
> >
> > I've tried putting the intermediate cert in using both
> > SSLCertificateChainFile directive and the SSLCACertificatePath and
> > SSLCACertificateFile directives (all work with Netscape, still no dice
> > with IE). I've also tried pointing IE at some external websites that use
> > SGC (like https://enigma.barclaycard.co.uk) and they work fine. The only
> > unusual thing is that I'm trying this out on an internal, private
> > webserver (before putting it on our production server), which doesn't
> > have the same Common Name as the certificate. Would that cause IE to
> > complain?
> >
> > Any ideas? (Except for "don't use IE" please :))
> >
> > Thanks,
> > Gareth.
> >
> > --
> > Mutant Technology Ltd.
> > tel:+44 (0)171 257 9983
> > fax:+44 (0)171 836 2600
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
>
> --
>
> -------------------------------------------------------------------------------
> Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
> Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312

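The thread turns on one question: does the GlobalID certificate's Extended Key Usage carry only the Netscape SGC purpose, or the Microsoft one as well? The following is an added example, not code from the thread, mod_ssl or OpenSSL. It encodes and decodes an EKU extension value at the DER level in pure Python (so no OpenSSL CLI is needed), then reports which SGC OIDs are present and emits the warning Matthias asked for when the Microsoft OID is set. The OIDs are the standard registered ones; the EKU values it inspects are constructed in the script rather than taken from any real certificate.

```python
# Added example (not from the thread): inspect an X.509 Extended Key Usage
# (EKU) value at the DER level and report which Server Gated Crypto (SGC)
# OIDs it carries. Pure Python, so it runs without the OpenSSL CLI; the EKU
# values at the bottom are constructed here, not taken from a real cert.

NS_SGC = "2.16.840.1.113730.4.1"    # Netscape Server Gated Crypto
MS_SGC = "1.3.6.1.4.1.311.10.3.3"   # Microsoft Server Gated Crypto
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, found in most TLS certs


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    # The first two arcs are folded into one sub-identifier: 40*arc0 + arc1.
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for value in subids:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # continuation bit on all but last
            value >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids):
    """EKU extension value: SEQUENCE OF KeyPurposeId (RFC 5280 4.2.1.12)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(inner)) + inner


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode DER OID content octets back to dotted form."""
    subids, cur, pending = [], 0, False
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(cur)
            cur = 0
    if pending or not subids:
        raise ValueError("truncated OID")
    first = subids[0]
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def decode_eku(der):
    """Return the list of KeyPurposeId OIDs in an EKU extension value."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def assess_sgc(eku_der):
    """Report which SGC purposes are present. The warning follows the
    thread's advice: a cert carrying the Microsoft SGC OID makes IE use the
    Microsoft step-up variant, which the OpenSSL of that era did not implement."""
    present = set(decode_eku(eku_der))
    ns, ms = NS_SGC in present, MS_SGC in present
    warning = None
    if ms:
        warning = "MS SGC flag set: IE will use the Microsoft step-up variant"
    return {"nsSGC": ns, "msSGC": ms, "warning": warning}


# Constructed EKU values (not extracted from any real certificate).
EKU_NS_ONLY = encode_eku([SERVER_AUTH, NS_SGC])
EKU_BOTH = encode_eku([SERVER_AUTH, NS_SGC, MS_SGC])

if __name__ == "__main__":
    for label, der in (("Netscape only", EKU_NS_ONLY), ("NS + MS", EKU_BOTH)):
        print(label, der.hex(), assess_sgc(der))
```

To use it on a real certificate, feed `assess_sgc` the content octets of the extension whose OID is 2.5.29.37 (id-ce-extKeyUsage); the `openssl x509 -text` output quoted in the thread is the human-readable rendering of exactly that SEQUENCE, with "Netscape Server Gated Crypto" being OpenSSL's name for the first OID above.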