Sergio Salvi wrote:
>
> Hi!
>
> With apache 1.3.11, mod_ssl 2.5.0 and openssl-0.9.4 my Verisign SGC
> works fine in Netscape 4.x, but in M$ Internet Exploder:
>
> OpenSSL: error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong
> message type
>
> In httpd.conf I tried:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> And even:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive
>
> As it seems to be a client problem, I tried also with:
>
> SSLVerifyClient none
>
> But didn't solved.
>
> I also converted the chainfile from verisign to DER format.
>
> Anyone made a Versigin SGC work with mod_ssl+openssl ?
>
According to Netscape they use "step up" and Microsoft uses SGC. "step
up" just uses the SSL protocol in a novel (and legal) way.
SGC violates the SSL protcol to achieve the same end.
SGC is only supported in the current OpenSSL development version. I
suggest you try that.
If you have problems with the latest version I can send you a patch that
works with 0.9.4.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
