I have problems with a Verisign Global-ID certificate installed on a very
old system. The Intermediate CA was installed according to the documentation on
Verisign's website.
The server's certificate is recognized only by Internet Explorer (tested
versions 5.5 and 6). 
Other browsers do not recognize the certificate - they complain that the
site's certificate is incomplete (tested Mozilla, Mozilla Firebird, Opera).
Errors in the ssl_engine_log:

[error] SSL handshake failed (server xxx:443, client a.b.c.d) (OpenSSL library error follows)
[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


I think the problem is related to the intermediate certificate but I can't
identify it.

Entries in ssl_engine_log while starting Apache:

[info]  Server: Apache/1.3.9, Interface: mod_ssl/2.4.10, Library: OpenSSL/0.9.4
[info]  Init: 1st startup round (still not detached)
[info]  Init: Initializing OpenSSL library
[info]  Init: Loading certificate & private key of SSL-aware server xxx:443
[trace] Init: (xxx:443) unencrypted RSA private key - pass phrase not required
[info]  Init: Generating temporary RSA private keys (512/1024 bits)
[info]  Init: Configuring temporary DH parameters (512/1024 bits)
[info]  Init: 2nd startup round (already detached)
[info]  Init: Reinitializing OpenSSL library
[trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[info]  Init: Seeding PRNG with 8 bytes of entropy
[info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[info]  Init: Configuring temporary DH parameters (512/1024 bits)
[info]  Init: Initializing (virtual) servers for SSL
[info]  Init: Configuring server xxx:443 for SSL protocol
[trace] Init: (xxx:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[trace] Init: (xxx:443) Configuring RSA server certificate
[info]  Init: (xxx:443) RSA server certificate enables Server Gated Cryptography (SGC)
[trace] Init: (xxx:443) Configuring RSA server private key
[trace] Init: (xxx:443) Configuring server certificate chain (0 CA certificates)
                                                             ^^^^^^^^^^^^^^^^^^^

What does "0 CA certificate" mean?


In httpd.conf I have:

SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCertificateChainFile /path/to/intermediate.crt


Can someone help me?

TIA.

-- 
work made man ... lazy.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
