I have now added only the Common Policy CA at the top of the certs file. The development site works for both the long chain and short chain users.
I put the cert file out on the production site and the short chain users can access the site but the long chain user can't and I saw "FAILED:unhandled critical extension" in the log for that user... What is that? What do I need to do to prevent that???

The only difference between the development site other than OS (XP vs. 2003) is the version of OpenSSL. On the dev site, I have 1.0.1. On production, I have 0.9.8r. When I upgraded OpenSSL on production to 1.0.1 (hoping to eliminate the error above), I think I killed the site for all Win 7 boxes. I say that because I had been able to access the production site with a test Win 7 laptop. I had to put OpenSSL back to 0.9.8r.

Frustrating...

Curtis

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate

On Thu, May 03, 2012, Tammany, Curtis wrote:

> Well...
> If by "trusted store" you mean my one cert file pointed to by
> SSLCACertificateFile, then yes I added the Common Policy, SHA-1 Federal Root
> CA and DoD Interoperability Root CA certs to the cert file on my development
> site and increased the depth. I got a user with a long cert chain to try to
> access the dev site and they could! But those with a short chain like myself
> could not access the dev site any more.
>

Try just including the Common Policy CA none of the others.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org