I am maintaining a PKI-enabled website (Apache 2.4.6/OpenSSL 1.0.1e). When I
open a new browser (IE9 on Win7) and navigate to it, no problems. I select my
certificate and enter my PIN and everything is fine.
My issue is that if I am at another PKI-enabled site and then I go to my site,
I selec
Dr. Henson,
I installed the Apache 2.2.22/OpenSSL 1.0.1a bundle and then put OpenSSL 1.0.0i
on top of that.
That, in conjunction with adding the root cert to the store for those users
with 6-layer cert chains, did the trick! All the users can now access the site!
This is an area I'm not very s
> > > If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
> > > extension that is the problem which isn't supported in OpenSSL 0.9.8.
> > >
> > One of the intermediate certs does have a name constraint...
> >
>
> It is most likely critical then which would trigger the reject
> If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
> extension that is the problem which isn't supported in OpenSSL 0.9.8.
>
One of the intermediate certs does have a name constraint...
> Does the production site have any directories of trusted certificates or are
> they
ssage-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
>
o:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
> Well...
> If by "trusted store" you mean
enson
Sent: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
> > It sounds like some clients have the correct intermediate certificate(s)
> > installed and some do not.
>
> It sounds like some clients have the correct intermediate certificate(s)
> installed and some do not.
>
> They should select the certificate, click the "view" button and see if the
> certificate path is complete (i.e. it says it is OK).
On systems (XP and some Win7) where the user can access the
> If the client certs require chain certs additional to (below
> or beside) those in your file, and some clients are sending
> those chain certs but other clients (e.g. Windows 7) are not,
> that would cause the symptom without any cert(s) being actually
> invalid. To test this, get the chain cert(
We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website running on Windows
(XP for development and 2003 for production). We have been experiencing issues
with users with Windows 7 being able to connect lately. In an effort to
understand what is going on, we added %{SSL_PROTOCOL}x %{SSL_CIPHER
They are not test certificates. No- I cannot send them.
Sorry.
Curtis
From: Sergio NNX [mailto:sfhac...@hotmail.com]
Sent: Thursday, April 26, 2012 14:07
To: Tammany, Curtis
Subject: RE: How to trust a 'root' certificate
> Running openssl version -d returns "OPENSSLDIR: c:
>
> ... Just put all the CA certificates into one file and remove the
>
> SSLCACertificatePath
>
> and just keep the
>
> SSLCACertificateFile
All of the certs are in one file... with the root cert being the first one in
the file.
They all begin with -BEGIN CERTIFICATE-
and end with -E
P/2003?
(like step-by-step instructions).
Thanks.
Curtis
-Original Message-
From: Peter Sylvester [mailto:peter.sylves...@edelweb.fr]
Sent: Thursday, April 26, 2012 10:40
To: openssl-users@openssl.org
Cc: Tammany, Curtis; Bernhard Fröhlich
Subject: Re: How to trust a 'root' certifica
ram
manual page for more information."
How can I get OpenSSL to "trust" my DOD root certificate?
Curtis
-Original Message-
From: Bernhard Fröhlich [mailto:t...@convey.de]
Sent: Thursday, April 26, 2012 09:39
To: openssl-users@openssl.org; Tammany, Curtis
Subject: Re
Hello-
I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)
The site requires client (CAC) certificates.
I am getting "FAILED:unable to get local issuer certificate" errors in my
log file from Windows 7 clients. Digging suggested that I check the
i
Hello-
I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)
I require client certificates.
I am getting "FAILED:unable to get local issuer certificate" errors in my
log file from Windows 7 clients. Digging suggested that I check the
intermediate ce
I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites"). With
SSL 3.0 only checked on IE8 (in windows 7), I could make a connection to my
site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I could
not make a connection. We rolled back versions of OpenSSL until w
sl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Saturday, February 25, 2012 12:27
To: openssl-users@openssl.org
Subject: Re: Windows 7/IE8 CAC enabled sites
On Fri, Feb 24, 2012, Tammany, Curtis wrote:
> Hello-
>
> We have an Apache 2.2.22/OpenSSL 1.0.0g/PHP 5.3.10 CAC-enable
Hello-
We have an Apache 2.2.22/OpenSSL 1.0.0g/PHP 5.3.10 CAC-enabled website on a
government location. We have a few users with Windows 7/IE8 who used to be able
to access the site but were unable to after a Microsoft patch (KB2585542
http://support.microsoft.com/kb/2643584) was pushed.
The