Yes, the current cert was bought this weekend from starfield (godaddy). Reason being, another client site has a cert from starfield, and IE successfully completes handshake. Site is https://www.shopelizabethbrady.com It is running on same machine, same apache, Apache/1.3.33 mod_ssl/2.8.24, and same openssl, OpenSSL 0.9.7i.

The bit about the intermediate CA certificate showing Verisign is noteworthy. The previous cert was from Verisign, so this makes sense. Yet the SSLCertificateChainFile /private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt used for shopelizabethbrady.com, which does not show Verisign in handshake transcript. Where might this verisignian vestige be residing?

Thank you immensely for the time,
Winston




On Feb 21, 2006, at 11:47 AM, Dr. Stephen Henson wrote:

On Tue, Feb 21, 2006, Winston Ford wrote:


Hello,

I'll spare you my sob story; suffice it to say there's week-old blood on the
wall..

Here's what I'm trying to resolve:

[pbAl:~] winstonf% openssl s_client -connect www.elegantbabygifts.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=www.elegantbabygifts.com/OU=Domain Control Validated/CN=www.elegantbabygifts.com
verify error:num=21:unable to verify the first certificate

Specifically the depth=0 and the resulting 3 errors, and ultimately the
fact that the majority of cattle using IE cannot check out from my
customers' sites since I upgraded to OpenSSL 0.9.7i 14 Oct 2005.



Looks like the server is misconfigured: you aren't sending the correct
intermediate CA certificate.

You are sending the "Verisign Trust Network" intermediate CA and you should
instead be sending the "Starfield Secure Certification Authority" CA.

Did someone by any chance get the certificate from a different CA recently?

That seems likely since the date is 20th Feb.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


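The failure Steve diagnoses (the chain file still holding the intermediate from the previous CA, so clients see "unable to get local issuer certificate") can be reproduced and checked offline before touching Apache. The script below is an added example and is not code from the thread or from the OpenSSL project; it assumes only the openssl command-line tool (1.1.1 or later) and builds a throwaway PKI whose names (Example Test Root, Example Old Issuing CA, Example New Issuing CA, www.example.test) are invented placeholders. It then checks a candidate chain file two ways: does its first certificate's subject DN equal the leaf's issuer DN, and does a client that trusts the root and is handed that intermediate actually verify the leaf.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway test PKI, then show
# how a stale intermediate in the chain file reproduces the "unable to get
# local issuer certificate" failure, and how to check a chain file against
# the leaf before pointing SSLCertificateChainFile at it.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/req.cnf"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$CNF"
# Extensions for CA certificates (root and intermediates).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
# Extensions for the end-entity (server) certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# key_and_csr NAME SUBJECT: private key plus CSR for one entity.
key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE SERIAL: issue NAME's CSR with ISSUER's key.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -set_serial "$4" -days 1 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed hierarchy (all names are invented placeholders):
#   root -> old_ca  (the intermediate left over from the previous certificate)
#   root -> new_ca  (the intermediate that actually issued the current leaf)
#   new_ca -> leaf
key_and_csr root "/CN=Example Test Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
key_and_csr old_ca "/CN=Example Old Issuing CA"
sign old_ca root ca.ext 1001
key_and_csr new_ca "/CN=Example New Issuing CA"
sign new_ca root ca.ext 1002
key_and_csr leaf "/CN=www.example.test"
sign leaf new_ca leaf.ext 2001

# dn FIELD FILE: print the subject or issuer DN of the first certificate in
# FILE without the "subject="/"issuer=" prefix.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# chain_matches_leaf LEAF CHAINFILE: exit 0 only if the chain file's first
# certificate carries the subject DN that the leaf names as its issuer.
chain_matches_leaf() {
  [ "$(dn issuer "$1")" = "$(dn subject "$2")" ]
}

# verify_chain ROOT CHAINFILE LEAF: what a client that trusts ROOT and is
# handed CHAINFILE's intermediate concludes. Prints OK or the first error
# line ("error <num>: <reason>"), and exits 0 only on OK.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK; return 0 ;;
    *) echo "$out" | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/error \1: \2/p' | head -n 1
       return 1 ;;
  esac
}

echo "stale chain file (old_ca.crt):"
chain_matches_leaf "$WORK/leaf.crt" "$WORK/old_ca.crt" || echo "  issuer/subject mismatch"
verify_chain "$WORK/root.crt" "$WORK/old_ca.crt" "$WORK/leaf.crt" || true
echo "correct chain file (new_ca.crt):"
chain_matches_leaf "$WORK/leaf.crt" "$WORK/new_ca.crt" && echo "  issuer/subject match"
verify_chain "$WORK/root.crt" "$WORK/new_ca.crt" "$WORK/leaf.crt"
```

The stale file fails with error 20, the same "unable to get local issuer certificate" that the s_client transcript above shows, while the correct intermediate verifies. Applied to the thread: run chain_matches_leaf with the live server certificate and the file SSLCertificateChainFile points at; if the DNs differ, the file is not the Starfield intermediate the new certificate needs. Apache 1.3 only reads the chain file at startup, so after replacing it restart httpd and confirm with `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends.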
