Hello, all --
According to both the SSL3 draft and TLS, a server can send a chain of
certificates, beginning with its own and leading towards a root CA.
Posts by Netscape engineers (seen on Dejanews) strongly suggest that
Netscape Communicator can handle chains.
I tried to get chains working on the https server I'm writing (with
OpenSSL 0.9.5), using what seemed like the obvious methods -- either
SSL_CTX_add_extra_chain_cert(), or SSL_CTX_get_cert_store() and
X509_STORE_add_cert(). IE5 correctly handles and displays the
certificate chain, but Netscape (4.72 for Win32 and 4.51 for Linux)
comes back with an error dialog:
The security library has encountered an improperly formatted
DER-encoded message.
Netscape behaves the same way even if I serve the certificates to it
using mod_ssl (2.6.3, for Apache 1.3.12) and its
SSLCertificateChainFile setting.
But Netscape definitely *can* handle chains; for example,
https://enigma.barclaycard.co.uk , which, not surprisingly, is served
with Netscape Enterprise Server. It's simply not reacting well to
OpenSSL-sent certificate chains.
I examined the entrails (using ``s_client -ssl3 -debug'') from
connecting locally and to Barclays, and both server-certificate
messages look correct to me as far as field lengths and so on. I must
admit I'm stumped.
Has anyone had success with sending certificate chains to Netscape
clients?
Hovav.
--
Hovav Shacham [EMAIL PROTECTED]
"Rightly looked at there is no laughable thing under the sun."
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
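The post compares server-certificate messages from its own server and from Barclays by eye, looking at field lengths in the "s_client -ssl3 -debug" dump. The following is an added example, not code from the original post or from OpenSSL: a small Python checker for the framing of the SSL3/TLS Certificate handshake message (handshake header, certificate_list length, one 3-byte length per entry, and an outer DER SEQUENCE whose length matches the bytes sent). The "certificates" are constructed minimal DER blobs so the script runs offline; they are not real X.509 certificates, and the checker verifies framing only, not signatures or chain order.

```python
# Added example, not code from the original post: a framing checker for the
# TLS/SSL3 Certificate handshake message, the message the post inspected with
# "s_client -ssl3 -debug". Layout (SSL 3.0 and TLS 1.0 agree here):
#   HandshakeType certificate(11), uint24 length,
#   uint24 certificate_list length,
#   then for each certificate: uint24 length + DER-encoded X.509, leaf first.
# The "certificates" below are constructed minimal DER SEQUENCEs so the
# block runs offline; they are not real X.509 certificates.

from typing import List, Optional

HANDSHAKE_CERTIFICATE = 0x0B


def u24(n: int) -> bytes:
    """Encode n as the 3-byte big-endian length TLS uses for these fields."""
    if not 0 <= n < 1 << 24:
        raise ValueError("uint24 out of range")
    return n.to_bytes(3, "big")


def der_outer_length_ok(cert: bytes) -> bool:
    """True if cert is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the bytes supplied. This catches two classic defects in a
    chain entry: a text (PEM) blob passed where DER is expected, and an entry
    whose 3-byte TLS length disagrees with the DER length inside it."""
    if len(cert) < 2 or cert[0] != 0x30:
        return False
    first = cert[1]
    if first < 0x80:                      # short form: length in one byte
        header, body = 2, first
    else:                                 # long form: 0x80|n, then n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(cert) < 2 + n:
            return False
        header = 2 + n
        body = int.from_bytes(cert[2:header], "big")
    return header + body == len(cert)


def build_certificate_message(chain: List[bytes]) -> bytes:
    """Build a complete Certificate handshake message from DER certs."""
    entries = b"".join(u24(len(c)) + c for c in chain)
    body = u24(len(entries)) + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + u24(len(body)) + body


def parse_certificate_message(msg: bytes) -> List[bytes]:
    """Return the DER certificates in msg, or raise ValueError naming the
    first framing defect found (handshake header, list length, entry
    length, or an entry that is not a single well-formed DER SEQUENCE)."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(msg[1:4], "big")
    if 4 + hs_len != len(msg):
        raise ValueError(f"handshake length {hs_len} != {len(msg) - 4} bytes present")
    body = msg[4:]
    if len(body) < 3:
        raise ValueError("truncated certificate_list length")
    list_len = int.from_bytes(body[:3], "big")
    if 3 + list_len != len(body):
        raise ValueError(f"certificate_list length {list_len} != {len(body) - 3} bytes present")
    certs: List[bytes] = []
    pos, end = 3, 3 + list_len
    while pos < end:
        if end - pos < 3:
            raise ValueError(f"entry {len(certs)}: truncated length field")
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if pos + clen > end:
            raise ValueError(f"entry {len(certs)}: length {clen} runs past list end")
        cert = body[pos:pos + clen]
        if not der_outer_length_ok(cert):
            raise ValueError(f"entry {len(certs)}: not a single well-formed DER SEQUENCE")
        certs.append(cert)
        pos += clen
    return certs


def framing_error(msg: bytes) -> Optional[str]:
    """None if msg parses cleanly, otherwise the first defect found."""
    try:
        parse_certificate_message(msg)
        return None
    except ValueError as e:
        return str(e)


# Constructed stand-ins for leaf, intermediate and root (leaf first, as the
# protocol requires). ROOT uses a long-form DER length to exercise that path.
LEAF = bytes.fromhex("3003020101")                  # SEQUENCE { INTEGER 1 }
INTERMEDIATE = bytes.fromhex("3003020102")          # SEQUENCE { INTEGER 2 }
ROOT = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126   # SEQUENCE { OCTET STRING }

GOOD = build_certificate_message([LEAF, INTERMEDIATE, ROOT])
TRUNCATED = GOOD[:-1]                               # last byte of ROOT lost
PEM_IN_CHAIN = build_certificate_message([LEAF, b"-----BEGIN CERTIFICATE-----\n"])
BAD_INNER_LEN = build_certificate_message([bytes.fromhex("3005020101")])

if __name__ == "__main__":
    print(len(parse_certificate_message(GOOD)), "certificates, framing OK")
    for name, m in [("TRUNCATED", TRUNCATED), ("PEM_IN_CHAIN", PEM_IN_CHAIN),
                    ("BAD_INNER_LEN", BAD_INNER_LEN)]:
        print(f"{name}: {framing_error(m)}")
```

To apply this to a real capture, feed parse_certificate_message() the bytes of the Certificate handshake message as dumped by s_client (type byte 0x0b onward, after the record header). A clean parse means the lengths are consistent and each entry is DER, so any remaining client complaint lies inside the certificates themselves rather than in how the chain was framed.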