On Tue, Feb 21, 2006, Winston Ford wrote:

> Hello,
>
> I'll spare my sob story, suffice to say there's week old blood on the
> wall..
>
> Here's what I'm trying to resolve:
>
> [pbAl:~] winstonf% openssl s_client -connect www.elegantbabygifts.com:
> 443 -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/
> CN=www.elegantbabygifts.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/
> CN=www.elegantbabygifts.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/
> CN=www.elegantbabygifts.com
> verify error:num=21:unable to verify the first certificate
>
> Specifically the depth=0 and resulting 3 errors, and ultimately the
> fact that majority of cattle using IE cannot checkout from my
> customers sites since I upgraded to OpenSSL 0.9.7i 14 Oct 2005.
>
Looks like the server is misconfigured: you aren't sending the correct
intermediate CA certificate. You are sending the "Verisign Trust Network"
intermediate CA and you should instead be sending the "Starfield Secure
Certification Authority" CA.

Did someone by any chance get the certificate from a different CA recently?
That seems likely since the date is 20th Feb.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
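
Added example, not part of the original thread: a shell sketch that reproduces the misconfiguration described above with a constructed throwaway PKI and checks whether a served intermediate really is the issuer of the leaf. The function names `build_demo_pki` and `chain_ok` and all certificate names are assumptions made for this illustration; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Constructed demo PKI: one root, two intermediates, a leaf signed by "issuing".
build_demo_pki() {  # usage: build_demo_pki DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for ca in issuing unrelated; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.csr" 2>/dev/null
        openssl x509 -req -in "$d/$ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if INTERMEDIATE is the issuer of LEAF and the chain reaches ROOT.
chain_ok() {  # usage: chain_ok ROOT INTERMEDIATE LEAF
    want=$(openssl x509 -noout -issuer_hash -in "$3")    # leaf's issuer name
    have=$(openssl x509 -noout -subject_hash -in "$2")   # intermediate's subject name
    # A mismatch here is the "wrong intermediate" case: a client that only
    # trusts the root cannot find the leaf's issuer (verify error 20).
    [ "$want" = "$have" ] || return 1
    # Names link; now check signatures and CA constraints up to the root.
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for ca in unrelated issuing; do
    if chain_ok "$demo_dir/root.pem" "$demo_dir/$ca.pem" "$demo_dir/leaf.pem"; then
        echo "$ca CA: leaf verifies through this intermediate"
    else
        echo "$ca CA: leaf does not chain through this intermediate"
    fi
done
```

Against a live server, the certificates to compare are the ones printed by `openssl s_client -showcerts`, saved to separate PEM files.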