> > > If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
> > > extension that is the problem, which isn't supported in OpenSSL 0.9.8.
> > >
> > One of the intermediate certs does have a name constraint...
> >
>
> It is most likely critical then which would trigger the rejection by OpenSSL
> 0.9.8.
>
> > > Does the production site have any directories of trusted certificates or 
> > > are
> > > they all in a single file. I ask because the link algorithm changed in 
> > > OpenSSL
> > > 1.0.0 and later and is incompatible with the 0.9.8 version.
> > >
> > The production site is structured the same way as the development site with
> > all of the certs in one file starting with the Common Policy cert.
> >
>
> You say it doesn't work with Windows 7 at all? What errors do you get with
> that?

Yes, I'm pretty sure about that. The user gets the "Page cannot be displayed"
message and the log shows "Certificate Verification: Error (20): unable to get
local issuer certificate" and "Re-negotiation handshake failed: Not accepted by
client!?".
It ties into the problem I was having back in February ("Windows 7/IE8 CAC 
enabled sites") that I really never truly addressed. The production server had 
Apache 2.2.22/ OpenSSL 1.0.0g back then but a Microsoft patch came out that 
killed access for Win 7 users. I had to roll OpenSSL back to 0.9.8r before the 
Win 7 users could access the site again. What I didn't know back then was that
there were two groups of users: ones with 3-layer deep certs (the majority) and
some with 6-layer deep certs.
If you were on Win 7 with a 3-layer cert, you had access.
If you were on Win 7 with a 6-layer cert, you didn't have access. You could
access for a short time if you deleted the extra intermediate certs on the PC,
but they would come back later...

Using 0.9.8x will block the Win 7 users with the 6-layer certs. (Name 
Constraints!)
Using 1.0.X seems to block all Win 7 users unless (I believe) TLS is disabled 
in the browser.

I'll try out 1.0.0i on production later today to see what happens.

Curtis

> > > Note that you can't just update the DLLs for a new major version of 
> > > OpenSSL:
> > > the applications will need to be recompiled too.
> > >
> > > You could try updating to OpenSSL 1.0.0i instead as the 1.0.1 series of
> > > OpenSSL is very new and there are several reported interop problems.
> >
> > I don't have the means to compile my own Apache/OpenSSL combination. I have
> > been going to apachelounge.com and/or slproweb.com to get my binaries.
> >
> > Can I get the Apache 2.2.22/OpenSSL 1.0.1a from ApacheLounge and replace
> > the dlls with the OpenSSL 1.0.0i available on slproweb.com?
> >

> That should be OK as 1.0.1 is binary compatible with 1.0.0.

> Steve.
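An added diagnostic, not code from the thread, that does what Steve's first hint calls for: scan a single-file bundle of the kind Curtis describes and report which certificate carries the Name Constraints extension and whether it is marked critical (the combination an OpenSSL 0.9.8 verifier cannot process). It assumes the openssl CLI (1.1.1 or later, for -addext in the demo helper) is installed; the certificates the helper generates are constructed for the demo.

```shell
#!/bin/sh
# report_name_constraints BUNDLE.pem
# Prints one line per certificate in the bundle:
#   "<index> <subject> <none|non-critical|critical>"
report_name_constraints() {
    bundle=$1
    # Split the bundle into one file per cert so openssl can parse each alone.
    awk -v pfx="$bundle.part" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i > 0 { print > (pfx i ".pem") }
    ' "$bundle"
    n=0
    while [ -f "$bundle.part$((n + 1)).pem" ]; do
        n=$((n + 1))
        part="$bundle.part$n.pem"
        subject=$(openssl x509 -in "$part" -noout -subject)
        text=$(openssl x509 -in "$part" -noout -text)
        # openssl -text prints "X509v3 Name Constraints: critical" when the
        # extension is critical, and omits the word otherwise.
        case $text in
            *"X509v3 Name Constraints: critical"*) status=critical ;;
            *"X509v3 Name Constraints:"*)          status=non-critical ;;
            *)                                     status=none ;;
        esac
        printf '%s %s %s\n' "$n" "$subject" "$status"
        rm -f "$part"
    done
}

# make_demo_bundle OUT.pem
# Constructed demo input (assumption, not real CA data): one self-signed cert
# with a critical Name Constraints extension and one without, concatenated
# the way a single-file trust bundle is.
make_demo_bundle() {
    out=$1
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/k1.pem" -out "$tmp/c1.pem" \
        -subj "/CN=Constrained Intermediate" \
        -addext "nameConstraints=critical,permitted;DNS:.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/k2.pem" -out "$tmp/c2.pem" \
        -subj "/CN=Plain Intermediate" 2>/dev/null
    cat "$tmp/c1.pem" "$tmp/c2.pem" > "$out"
    rm -rf "$tmp"
}
```

Run `make_demo_bundle demo.pem && report_name_constraints demo.pem` to see the first certificate flagged as critical and the second as none; point the report at the real bundle to find which intermediate the 0.9.8 build is choking on.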
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
