Wow, the issue has been resolved. Many thanks for keen eyes. After commenting out the SSLCertificateChainFile directive in my httpd.conf, one was still returned in the handshake. I include a dir of vhost.conf's and had backed up the one which had SSL issues. Apache was still pulling the backed-up .conf for this vhost and getting duplicate and conflicting info.

This completes my longest solo mission in the cockpit since I entered the net. Thanks Doc for a safe landing!

-W


On Feb 21, 2006, at 12:51 PM, Dr. Stephen Henson wrote:

On Tue, Feb 21, 2006, Winston Ford wrote:


Yes, the current cert was bought this weekend from starfield
(godaddy).  Reason being, another client site has a cert from
starfield, and IE successfully completes handshake.  Site is
https://www.shopelizabethbrady.com.  It is running on same machine, same
apache, Apache/1.3.33 mod_ssl/2.8.24, and same openssl, OpenSSL 0.9.7i.

The bit about the intermediate CA certificate showing Verisign is
noteworthy.  The previous cert was from Verisign, so this makes
sense.  Yet the SSLCertificateChainFile
/private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt used for
shopelizabethbrady.com, which does not show Verisign in handshake
transcript.  Where might this verisignian vestige be residing?



Well that file is the usual place. Try:

openssl x509 -in whatever.crt -noout -subject

and see if it says "Verisign". You could also try commenting that line out and
seeing if it doesn't send it any more.

If the other site has the correct intermediate CA in the trusted certificate
store it would use that.

If you don't have a copy of the correct intermediate CA you can get it from
that other site easily enough with the -showcerts option to s_client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
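
The cause reported at the top of this thread (a backed-up vhost .conf left inside an included directory, still being loaded and supplying a second chain file) can be checked for with a script like the one below. It is an added example, not part of the original messages; the function names are hypothetical, and the directory argument is assumed to be the config directory that httpd.conf includes.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an Apache config directory for
# stray files (e.g. backups) that still carry live SSL directives.

# Print "conf-file<TAB>chain-file" for every uncommented
# SSLCertificateChainFile directive in every file under directory $1.
# Backup copies are scanned too, since including a directory loads them.
list_chain_directives() {
    find "$1" -type f -exec awk '
        tolower($1) == "sslcertificatechainfile" {
            gsub(/"/, "", $2)            # drop optional quotes round the path
            print FILENAME "\t" $2
        }' {} + | sort
}

# Print each ServerName declared in more than one file, followed by the files.
duplicate_server_names() {
    find "$1" -type f -exec awk '
        tolower($1) == "servername" { print tolower($2) "\t" FILENAME }
    ' {} + | sort -u | awk -F '\t' '
        { n[$1]++; files[$1] = files[$1] " " $2 }
        END { for (s in n) if (n[s] > 1) print s ":" files[s] }'
}

# Show subject and issuer of each referenced chain file (needs openssl).
# openssl x509 reads only the first certificate in each file.
show_chain_subjects() {
    list_chain_directives "$1" | cut -f2 | sort -u | while IFS= read -r crt; do
        echo "== $crt"
        openssl x509 -in "$crt" -noout -subject -issuer
    done
}

# Run the audit only when a config directory is given on the command line.
if [ -n "${1:-}" ]; then
    list_chain_directives "$1"
    duplicate_server_names "$1"
    show_chain_subjects "$1"
fi
```

A ServerName listed by `duplicate_server_names` together with two different chain files from `list_chain_directives` is the pattern described in the first message.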

