[This is mostly the same message as one I just sent to the modssl
mailing list, so sorry if you've seen it twice.]
Hi, I'm trying to install a GlobalID into the c2 Stronghold server,
which uses ssleay (forerunner of openssl).

I'm having a lot of trouble and found some messages about GlobalIDs
in the sw-mod-ssl and openssl-users archives so I thought I'd ask for
advice here. The problem is that the GSID is delivered as two
separate certificates that need to be chained. There is the GSID
itself and an intermediate cert that signs it. Simply dropping the
intermediate cert into the directory pointed to by
SSLCACertificatesPath doesn't seem to help. The browser acts like
it's just received the GSID itself, which it treats as a valid cert
signed by an unknown issuer, so I don't get the 128 bit step-up.
Connecting with ssleay's s_client shows a 1-deep cert chain: the GSID
and the intermediate cert. Only one certificate seems to be
displayed. Connecting to another machine presenting a GSID from
Netscape Proxy Server gives a 2-deep chain: the GSID, the intermediate
cert, and the Verisign Class 3 Public Primary CA. Again, it only
shows one PEM cert, but it's about twice as long as the one that I get
from Stronghold.

Anyway I'm wondering, has anyone here gotten a real Verisign GlobalID
(not a non-chained self-signed one with a patched cert7.db file)
to work with openssl? What did you do to install the intermediate cert?
Is there some tool that combines the certs in a chain into one PEM file?
Has the GSID been observed to work (i.e. to give 128 bit crypto and
not cause disconnects) in both Netscape and MSIE browsers?

Finally, is there a way to get s_client to dump more info about the
certificates it sees, such as their fingerprints, expiration dates,
etc.? I notice there are two different Verisign class 3 primary CA
certs going around; one of them expires 12/31/99 and the other expires
in 2004. I doubt if this is causing the problem (both my browser and
Stronghold come configured with the 1999 one) but it's conceivable
that my new GSID is signed with the 2004 one.
Thanks very much for any advice.
Paul
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]