Ryan,

Nope. This is a simple server cert only connection. There is no client cert involved.

There must be something about the way the Microsoft CA is doing the signing. The only thing much different is that there is some CRL info related stuff in the Microsoft signature that isn't in the OpenSSL one. I really have no idea how to figure out why the connection is being rejected so the only debug option I can see is to randomly change things about the OpenSSL signed cert to match the MS signed one.

- Rod

Ryan Hurst wrote:

> Rod --
>
> Are you just attempting to do a mutual SSL session? If so what
> problem are you having??
>
> Ryan
>
> -----Original Message-----
> From: Rod Gilchrist [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 08, 2001 12:22 PM
> To: [EMAIL PROTECTED]
> Subject: WinXP/IE6.0/Self-Signed; SSL doesn't connect
>
> Hi,
>
> We seem to be unable to generate self-signed certificates with
> OpenSSL that will work with WinXP and the version of IE
> that comes with it.
>
> Can't find anything on the topic in the list archives, the MS site
> or on Google.
>
> Anybody have any similar problems, or thoughts?
>
> Thanks.
>
> - Rod
>
> Details:
>
> The first server certificate and key below were generated
> using openssl 0.9.6b and installed in an Apache 1.3.12 server
> linked with openssl 0.9.6b running on FreeBSD 4.3.
>
> Connecting from a Netscape 6.2 browser running on
> WinXP works fine. Connecting from IE 6.0 on the
> same WinXP box fails.
>
> IE and Netscape running on other versions of
> Windows and Netscape on other FreeBSD
> client machines also work fine.
>
> In particular, when connecting from IE 6.0, the
> WinXP system does a reset on the connection
> after receiving the certificate. (No log entries we
> can find. Reducing security setting on WinXP to
> minimum doesn't change the behaviour.)
>
> The second certificate and key below were built by
> generating a cert request via openssl 0.9.6b and then
> signing this using a Microsoft test CA (that uses a
> self-signed CA cert).
>
> With this second certificate installed on the above server,
> both IE 6.0 and Netscape 6.2 can connect fine.
>
> WinXP was from a current MSDN gold release with
> the 20 Mb on-line patch applied.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
