Wow, the issue has been resolved. Many thanks for keen eyes. After commenting out the SSLCertificateChainFile directive in my httpd.conf, one was still returned in the handshake. I include a dir of vhost.conf's and had backed up the one which had ssl issues. Apache was still pulling the back'd up .conf for this vhost and getting duplicate and conflicting info.

This completes my longest solo mission in the cockpit since I entered the net. Thanks Doc for a safe landing!

-W

On Feb 21, 2006, at 12:51 PM, Dr. Stephen Henson wrote:

On Tue, Feb 21, 2006, Winston Ford wrote:

Yes, the current cert was bought this weekend from starfield (godaddy). Reason being, another client site has a cert from starfield, and IE successfully completes handshake. Site is https://www.shopelizabethbrady.com. It is running on same machine, same apache, Apache/1.3.33 mod_ssl/2.8.24, and same openssl, OpenSSL 0.9.7i.

The bit about the intermediate CA certificate showing Verisign is noteworthy. The previous cert was from Verisign, so this makes sense. Yet the SSLCertificateChainFile /private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt used for shopelizabethbrady.com, which does not show Verisign in handshake transcript. Where might this verisignian vestige be residing?

Well that file is the usual place. Try:

openssl x509 -in whatever.crt -noout -subject

and see if it says "Verisign". You could also try commenting that line out and seeing if it doesn't send it any more.

If the other site has the correct intermediate CA in the trusted certificate store it would use that.

If you don't have a copy of the correct intermediate CA you can get it from that other site easily enough with the -showcerts option to s_client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
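
A check for the root cause found in this thread, as an added example that is not part of the original messages: when Include points at a directory, Apache reads every file in it, so a backed-up vhost file still contributes its SSLCertificateChainFile. The function names and the idea of passing the included directory as an argument are assumptions made for illustration; the openssl command is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# List every active SSLCertificateChainFile directive found in any file
# under the directory that httpd.conf Includes, backups included.
# Output: "<config file><TAB><chain file>" one per line.
# Assumes the chain path is unquoted and contains no spaces.
list_chain_directives() {
    find "$1" -type f -exec awk '
        /^[ \t]*#/ { next }    # commented-out directives are inactive
        tolower($1) == "sslcertificatechainfile" {
            printf "%s\t%s\n", FILENAME, $2
        }
    ' {} +
}

# For each directive, print the subject of the first certificate in the
# referenced chain file, using the command suggested in the thread.
report_chain_subjects() {
    tab=$(printf '\t')
    list_chain_directives "$1" | while IFS="$tab" read -r conf chain; do
        if [ -r "$chain" ]; then
            subj=$(openssl x509 -in "$chain" -noout -subject 2>/dev/null) \
                || subj="(not a readable certificate)"
        else
            subj="(chain file not found)"
        fi
        printf '%s -> %s: %s\n' "$conf" "$chain" "$subj"
    done
}

# Usage: report_chain_subjects /path/to/included/vhost/dir
```

More than one line of output for the same vhost, or a subject naming an unexpected CA, points at a stale config file that is still being parsed.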