Well... If by "trusted store" you mean my one cert file pointed to by SSLCACertificateFile, then yes, I added the Common Policy, SHA-1 Federal Root CA and DoD Interoperability Root CA certs to the cert file on my development site and increased the depth. I got a user with a long cert chain to try to access the dev site and they could! But those with a short chain, like myself, could not access the dev site any more.
Any thoughts?

Curtis N. Tammany

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate

On Thu, May 03, 2012, Tammany, Curtis wrote:

> > It sounds like some clients have the correct intermediate certificate(s)
> > installed and some do not.
> >
> > They should select the certificate, click the "view" button and see if the
> > certificate path is complete (i.e. it says it is OK).
>
> On systems (XP and some Win7) where the user can access the site the cert chain is short:
> DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890
>
> On the Windows 7 systems where the user CANNOT access the site, the cert chain is long:
> Common Policy -> SHA-1 Federal Root CA -> DoD Interoperability Root CA 1 -> DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890
>
> Users on those systems cannot access the site. If, however, I remove the first three certs from their intermediate certification authorities list in IE, the user can access the site.
>
> Is there something I can do on my servers so that it will tolerate the long cert chain?
> SSLVerifyDepth is currently set to 5. Increase to 6 or more?
> Do I need to add Common Policy, SHA-1 Federal Root CA and DoD Interoperability Root CA certs to my cert file on the server?
>

The way OpenSSL verify works is to try and build as much of the path as possible from the peer and then try local storage, so you need "Common Policy" in your trusted store and increase the depth too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
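The path-building order Steve describes above (extend the chain from what the peer sent as far as it goes, only then consult local storage), as an added example that is not part of this thread and not OpenSSL's own code: a small Python model with certificates reduced to (subject, issuer) pairs. It replays the short and long chains quoted in the thread against a trust store with and without "Common Policy", and shows why the long chain produces "unable to get local issuer certificate" even though the server already trusts the self-signed DoD Root CA2: the cross-signed DoD Root CA2 the peer sent is used first, so the path keeps climbing. All certificates and stores are constructed for the example; they only borrow the names from the thread. Depth is counted the way the mod_ssl documentation describes SSLVerifyDepth (CA certificates above the end-entity certificate), which is a modelling choice, not a statement about how a given OpenSSL release counts. The `trusted_first` switch models the later X509_V_FLAG_TRUSTED_FIRST behaviour (the default from OpenSSL 1.1.0 onward), where the store is checked at every step before the peer's certificates.

```python
"""Toy model of OpenSSL 1.0.x-style chain building as described in the thread.

Signatures, validity dates and key identifiers are ignored; a certificate is
just (subject, issuer).  Everything below is constructed for this example.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject names cert's issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def next_issuer(current: Cert, untrusted: List[Cert], trusted: List[Cert],
                in_store: bool, trusted_first: bool) -> Tuple[Optional[Cert], bool]:
    """Pick the next link and report whether it came from the trusted store.

    Once a link has been taken from the store, only the store is searched
    from then on (the peer's certificates are exhausted at that point).
    """
    if in_store:
        return find_issuer(current, trusted), True
    order = [(trusted, True), (untrusted, False)] if trusted_first \
        else [(untrusted, False), (trusted, True)]   # 1.0.x order from the thread
    for pool, is_store in order:
        issuer = find_issuer(current, pool)
        if issuer is not None:
            return issuer, is_store
    return None, False


def verify(peer_chain: List[Cert], trusted: List[Cert], max_depth: int,
           trusted_first: bool = False) -> Tuple[bool, str, List[Cert]]:
    """Build a path for peer_chain[0]; returns (ok, reason, chain_built).

    max_depth: CA certificates allowed above the leaf (SSLVerifyDepth-style
    count, a modelling assumption).
    """
    untrusted = peer_chain[1:]
    chain = [peer_chain[0]]
    current, in_store = chain[0], False
    while not current.self_signed:
        issuer, in_store = next_issuer(current, untrusted, trusted, in_store, trusted_first)
        if issuer is None:
            # Top of the built path has no issuer anywhere: OpenSSL error 20,
            # the subject line of this thread.
            return False, "unable to get local issuer certificate", chain
        chain.append(issuer)
        current = issuer
    if current not in trusted:
        # A self-signed top that is not one of our anchors: OpenSSL error 19.
        return False, "self signed certificate in certificate chain", chain
    if len(chain) - 1 > max_depth:
        return False, "certificate chain too long", chain
    return True, "ok", chain


# Constructed certificates using the names quoted in the thread.
COMMON_POLICY = Cert("Common Policy", "Common Policy")
FEDERAL = Cert("SHA-1 Federal Root CA", "Common Policy")
INTEROP = Cert("DoD Interoperability Root CA 1", "SHA-1 Federal Root CA")
DOD_ROOT_SELF = Cert("DoD Root CA2", "DoD Root CA2")             # self-signed copy
DOD_ROOT_CROSS = Cert("DoD Root CA2", "DoD Interoperability Root CA 1")  # cross-signed copy
CA24 = Cert("DOD CA-24", "DoD Root CA2")
LEAF = Cert("Smith.John.1234567890", "DOD CA-24")

SHORT_CHAIN = [LEAF, CA24, DOD_ROOT_SELF]
# Long chain as a Windows client would send it: root itself omitted (assumption).
LONG_CHAIN = [LEAF, CA24, DOD_ROOT_CROSS, INTEROP, FEDERAL]
STORE_BEFORE = [DOD_ROOT_SELF]                                   # SSLCACertificateFile as it was
STORE_AFTER = [DOD_ROOT_SELF, INTEROP, FEDERAL, COMMON_POLICY]   # with the three extra certs


def run_scenarios() -> Dict[str, Tuple[bool, str, int]]:
    """Each scenario maps to (ok, reason, number of certs in the built path)."""
    cases = {
        "short chain, root only, depth 5": (SHORT_CHAIN, STORE_BEFORE, 5, False),
        "long chain, root only, depth 5": (LONG_CHAIN, STORE_BEFORE, 5, False),
        "long chain, Common Policy added, depth 5": (LONG_CHAIN, STORE_AFTER, 5, False),
        "long chain, Common Policy added, depth 3": (LONG_CHAIN, STORE_AFTER, 3, False),
        "long chain incl. root, root only, depth 5": (LONG_CHAIN + [COMMON_POLICY], STORE_BEFORE, 5, False),
        "long chain, root only, depth 5, trusted first": (LONG_CHAIN, STORE_BEFORE, 5, True),
    }
    results = {}
    for name, (chain, store, depth, tf) in cases.items():
        ok, reason, built = verify(chain, store, depth, tf)
        results[name] = (ok, reason, len(built))
    return results


if __name__ == "__main__":
    for name, (ok, reason, n) in run_scenarios().items():
        print(f"{name:50s} -> {'OK ' if ok else 'FAIL'} ({reason}, {n} certs)")
```

The second scenario is the thread's failure: the peer-supplied cross-signed DoD Root CA2 is taken before the store is consulted, the path climbs to SHA-1 Federal Root CA, and no local issuer exists. Adding Common Policy to the file makes the six-certificate path complete, and the depth then has to allow five CAs above the leaf; the last scenario shows that with trusted-first ordering the store's self-signed DoD Root CA2 short-circuits the walk and the long chain verifies without any extra roots.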