On Mon, 13 Sep 2010, Tim Hudson wrote:

> Try gnutls without the TLS extensions processing occurring and you will
> see that the server is not sending back the certificate chain:

Hmm, so the server isn't volunteering the chain, but if the client is smart enough to ask for it, it will provide it :)?

> This fails. You need to correct your server configuration so that it
> correctly sends out the chain.

I'm using bog-standard apache with mod_ssl, currently version 2.2.14. The instructions from Thawte were to use the SSLCACertificateFile directive in the config pointing to a file they provided containing two certs (the "thawte Primary Root CA" followed by the "Thawte SSL CA"). My server cert is signed by the "Thawte SSL CA", and my openssl client has the "Thawte Premium Server CA" cert installed on it.

This didn't work; as you point out, it seems the server is not sending the chain.

Per an off-list discussion, I've changed my config and am now using the SSLCertificateChainFile directive instead (which seems to be the better way to do it). I also reversed the order of the certs in the file per a forum thread I found indicating they should be in order of verification. That's still not working, no chain from the server.

Presumably somebody has one of these new Thawte certs installed under apache working correctly; could one of those somebodies possibly post what apache configuration directives they are using, and what certificates in what order are present in the intermediate CA file they are using? That would be greatly appreciated :).

Thanks...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
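The question above is about which Apache directive carries the intermediate certificates and in what order they must appear. As an added example (not code from the original thread, and not Apache's, OpenSSL's or Thawte's), the script below builds a throwaway root -> issuing CA -> server hierarchy, writes the intermediate file in the order mod_ssl's SSLCertificateChainFile expects (the server certificate's issuer first, then upward toward the root), checks that order by walking subject/issuer names the way a verifier does, and finally verifies the leaf against the root the way a client would. Every CA name, file name and the Apache paths in the comments are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Apache/OpenSSL:
# build a throwaway root -> intermediate -> server chain, write the
# intermediate file in the order mod_ssl's SSLCertificateChainFile expects
# (issuer of the server cert first, then upward toward the root), and check
# that order the way a client verifies it. All names and paths are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/openssl.cnf"

# Minimal OpenSSL config (assumed layout): req needs a distinguished_name
# section, and x509 needs named extension sections so the CAs are real CAs.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_cert NAME SUBJECT EXT_SECTION [ISSUER] : self-signed when ISSUER is empty.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$CFG" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
        -CAcreateserial -days 1 -extfile "$CFG" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# name_of subject|issuer CERT : the DN in RFC 2253 form with the "subject="
# or "issuer=" prefix stripped, so the two can be compared as plain strings.
name_of() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*=//'
}

# split_pems FILE DIR PREFIX : one file per certificate, DIR/PREFIX-1.pem, -2.pem, ...
split_pems() {
  awk -v d="$2" -v p="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%s-%d.pem", d, p, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# chain_order_ok SERVER_CERT CHAIN_FILE : succeeds only if the first cert in
# CHAIN_FILE is the issuer of SERVER_CERT and each later cert issued the one
# before it, i.e. the file is in "order of verification", leaf's issuer first.
chain_order_ok() {
  d=$(mktemp -d); split_pems "$2" "$d" c
  want=$(name_of issuer "$1"); i=1; ok=0
  while [ -f "$d/c-$i.pem" ]; do
    [ "$(name_of subject "$d/c-$i.pem")" = "$want" ] || { ok=1; break; }
    want=$(name_of issuer "$d/c-$i.pem"); i=$((i + 1))
  done
  rm -rf "$d"; return $ok
}

# Constructed hierarchy mirroring root CA -> issuing CA -> server certificate.
make_cert root         "/CN=Example Root CA"    ca_ext
make_cert intermediate "/CN=Example Issuing CA" ca_ext   root
make_cert server       "/CN=www.example.test"   leaf_ext intermediate

# Right: the issuing CA first, then the root (the root is optional here,
# since a client must already hold it in its own trust store).
cat "$WORK/intermediate.pem" "$WORK/root.pem" >"$WORK/chain.pem"
# Wrong: root first. mod_ssl sends the file in this order, and TLS requires
# each certificate sent to certify the one before it.
cat "$WORK/root.pem" "$WORK/intermediate.pem" >"$WORK/chain-wrong.pem"

# The Apache 2.2 directives these files map onto (illustrative paths):
#   SSLCertificateFile      /etc/apache2/ssl/server.pem
#   SSLCertificateKeyFile   /etc/apache2/ssl/server.key
#   SSLCertificateChainFile /etc/apache2/ssl/chain.pem
# Check against the live server afterwards with
#   openssl s_client -connect host:443 -showcerts
# which prints every certificate the server actually sends.

chain_order_ok "$WORK/server.pem" "$WORK/chain.pem"       && echo "chain.pem: order OK"
chain_order_ok "$WORK/server.pem" "$WORK/chain-wrong.pem" || echo "chain-wrong.pem: wrong order"
# What a client does with the chain: verify the leaf up to a trusted root.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/server.pem"
```

Two points worth keeping in mind when reading this against the thread: SSLCACertificateFile is the directive mod_ssl uses to verify client certificates, so a chain placed there is never sent to connecting clients, and from Apache 2.4.8 on SSLCertificateChainFile is deprecated in favour of appending the intermediates, in the same order, to the file named by SSLCertificateFile.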